The Good Tech Companies - Cybercrooks Are Using Fake Job Listings to Steal Crypto

Episode Date: February 13, 2025

This story was originally published on HackerNoon at: https://hackernoon.com/cybercrooks-are-using-fake-job-listings-to-steal-crypto. Moonlock Lab dives deep into a campaign tricking blockchain developers with fake job interviews to deploy malware that installs a backdoor and targets MetaMask. This story was written by: @moonlock. An ongoing cyber campaign is targeting job seekers with fake interview websites, tricking them into downloading a barebones yet highly effective backdoor. Unlike sophisticated malware that uses obfuscation techniques, this attack relies on simplicity. Even more concerning is its attempt to hijack the permissions of the cryptocurrency-related Chrome extension MetaMask.

Transcript
Starting point is 00:00:00 This audio is presented by Hacker Noon, where anyone can learn anything about any technology. Cybercrooks are using fake job listings to steal crypto, by Moonlock, by MacPaw. Written by MacPaw's Moonlock Lab team. An ongoing cyber campaign is targeting job seekers with fake interview websites, tricking them into downloading a barebones yet highly effective backdoor. Unlike sophisticated malware that uses obfuscation techniques, this attack relies on simplicity, delivering source code alongside a Go binary, making it cross-platform. Even more concerning is its attempt to hijack the permissions of the cryptocurrency-related Chrome extension MetaMask, potentially draining victims' wallets. The campaign remains active, with new domains regularly appearing to lure more victims.
Starting point is 00:00:45 Many individual security researchers and companies, such as SentinelOne, dmpdump, and ENKI WhiteHat, have published excellent analyses. Our team conducted independent research, and in this article, we share our findings and hunting strategies. The Moonlock Lab team began tracking this exact malware on October 9, 2024, when the first components of the backdoor started to appear. A backdoor is a type of malicious software that hides on a system and allows threat actors to execute commands remotely, as if they were the legitimate owners of the workstation.
Starting point is 00:01:17 These attacks typically utilize so-called C2 (command and control) servers to send and execute commands. What sets this attack apart from others we typically observe is that it consists of multiple stages and is designed to persist on a victim's machine rather than employing a single-shot data-stealing flow. A complete overview of the attack stages can be seen in the image below. The first well-structured thread on X that we noticed was posted by @tayvano_, who shared information about a probable malicious campaign primarily targeting software developers seeking jobs at blockchain companies: "usually starts with a recruiter from known company e.g.
Starting point is 00:01:57 Kraken, MEXC, Gemini, Meta. Pay ranges + messaging style are attractive, even to those not actively job hunting. Mostly via LinkedIn, also freelancer sites, job sites, TG, Discord, etc." To obtain the latest version of this malware, it was essential to monitor new domains hosting fake interview sites. For this purpose, our team relied on two unchanging indicators that these domains share: a similar URL pattern, /video-questions/create/ followed by a hard-coded ID, and the same image, logo.png, on the pages. Even though some of the domains used during this campaign are being shut down,
Starting point is 00:02:38 the new ones continue to appear, with the most recent one still online, smarthiretop[.]online. Our team has spotted more than 20 active domains since November 2024. After investigating the domains, we discovered that some of them share the same IP address. This often happens because attackers use bulletproof hosting providers, which allow multiple domains to be hosted on the same server. Additionally, hosting multiple domains on a single IP enables threat actors to rotate domains without changing the backend infrastructure. This malicious infrastructure is hosted on various services distributed worldwide. As shown in the map below, most
Starting point is 00:03:16 servers are located in the US, with some spread across other countries. The malicious command that the interviewees were asked to execute hides in the window that appears when they visit a malicious website. It is JS code, bundled into a main.39E5A388.js file in this case. Such file names are typically generated using a hashing or fingerprinting mechanism during the build process of a web application. Reference: a urlscan.io result. One of the pages has this embedded JS file with the following SHA-256 hash: F729AF8473BF98F848EF2DDE967D8D301FB71888EE3639142763EB16914C803. We could easily spot that inside of the built .js file are the same commands that victims were asked to enter. After understanding how the threat actor spreads the malware, our primary goal was to quickly find samples and develop signatures for our users.
Starting point is 00:04:37 The first direct mention of production-ready samples and their SHA-256 hashes that we found was in a thread on X. In addition to this, our team started to fetch malicious scripts as if we were tricked into downloading them, similar to the victims. At one point, the following command was used on fake interview websites (command from the screenshot, do not execute). It performs the actions listed below: fetches the ffmpeg.sh file from api.nvidia-release[.]org, stores it into /var/tmp/ffmpeg.sh, executes the file and redirects all output to /dev/null to hide it from the user. Inside of the ffmpeg.sh file saved into a temporary folder, we can find the entry point
Starting point is 00:06:52 for this attack, which includes downloading second-stage zip files with the payload, placing a plist file and registering a service for persistence, and performing a cleanup. As we may see from the script below, it is specifically designed for macOS, both Intel and ARM variations. After it defines the current CPU model, it downloads a ZIP archive with multiple files. A more detailed review of this script can be found at this blog, as mentioned by SentinelOne in their recent report. Reference: VirusTotal. The contents of the archive (version for Intel CPU) that the script fetches are listed below. All the files in the archive can be categorized into a few groups: parts of Go source code and its binaries (https://github.com/golang/go);
Starting point is 00:07:41 ChromeUpdateAlert.app, an app bundle containing a Mach-O binary that collects the user's IP and password; a Go-written backdoor and a stealer; vcam_service.sh, a script that launches the main Go-based executable file. Interestingly, the archive is approximately 75 MB in size, primarily because it includes many parts of legitimate Go libraries and binaries. Analysis of the Mach-O password stealer. One of the files we observed being used for a long period of time in this attack is a Mach-O universal binary with two architectures, named CameraAccess, or BECDE20E618EFB209F97581E9AB6BF00CBD63F51F4EBD5677E352C57E992A. It masquerades as a Google Chrome icon, making regular users believe the file is legitimate and preventing them from deleting it.
Starting point is 00:08:45 The code is written in Swift, and no strong obfuscation techniques were detected, making it relatively easy to understand the execution flow. It displays a window that looks like a system notification window, asking the user to grant microphone access, supposedly requested by the Google Chrome application. Even if the user selects "Remind me later", a password prompt window still appears. The app claims to require microphone access; however, it is sandboxed, and no actual permission request is made for the microphone. After the user enters their password, the malware requests the external IP address of the host it is
Starting point is 00:09:21 running on. It then sends the password.txt file to a Dropbox folder named after the user's external IP address. On the screenshot below, the Dropbox API URL can be spotted. While examining the network traffic, we could see attempts to retrieve the public IP address of a victim. After the IP address is received, we could see requests to Dropbox in order to upload the IP and password pair using hard-coded credentials. Our team reported this incident to Dropbox, along with the credentials used to conduct this abusive campaign. Analysis of the Go-written backdoor. It is important to note that the zip file downloaded by the ffmpeg.sh script contains the plaintext source code of the backdoor,
Starting point is 00:10:04 meaning it was neither pre-compiled nor obfuscated. It significantly sped up the analysis but outsourced questions about proper attribution. Needless to say, APT groups from the DPRK are typically far more sophisticated. Another unusual strategy is the inclusion of a Go binary, bin/go, in the archive instead of simply compiling the full code. However, since Go is not the default application on many operating systems, the threat actors may have included it for better compatibility. This makes sense given that the malware is cross-platform and targets macOS,
Starting point is 00:10:38 Linux, and Windows at the same time. A graph illustrating relations and a detailed description of each noteworthy sample can be found here. As an entry point inside the archive, there is a script called vcam_update.sh. It runs immediately after unpacking and simply executes bin/go, which is bundled in the zip, while passing the path to the main Golang application, ab.go in this case. The entry application, ab.go, is responsible for generating a unique UUID for the user's workstation, initializing the C2 URL, and starting the main loop. In the code we can see single-line comments, prints of supporting messages, and some commented-out code. It also includes URLs probably meant for testing, which the developers forgot to remove.
Starting point is 00:11:25 In spite of the C2 IP address being different in the main campaign, samples from 2024 shared the same functionality and targeted the same data. Later, the call to core.StartMainLoop(id, url) brings us to the core folder with the loop.go and work.go files. The loop.go file is mainly responsible for receiving and executing commands from C2, calling submodules which collect sensitive data, and uploading it to the remote server. It contains many functions, eight of which we would like to highlight and
Starting point is 00:11:57 explore in more detail. Function StartMainLoop. This function uses the config submodule to initialize available commands and listen for incoming ones. Below you can find a table with all the commands along with their corresponding codes. A more detailed analysis of the backdoor functionality can be found in this publication.

Command name | Encoded name | Description
COMMAND_INFO | querg | get username, host, OS, arch
COMMAND_UPLOAD | asdf | upload and decompress an arbitrary archive from C2 to host
COMMAND_DOWNLOAD | zxcv | download stolen data to C2
COMMAND_OSSHELL | vbcx | initialize an interactive shell between host and C2, execute arbitrary remote commands
COMMAND_AUTO | r4ys | automatically collect sensitive data
COMMAND_WAIT | ghdj | wait for X seconds
COMMAND_EXIT | dgh | exit main loop (set alive = false)

Starting point is 00:12:46 Based on the command received from C2, an appropriate function will be called. Function ProcessInfo. This function will collect basic system information such as username, hostname, OS version, and architecture. It is worth noting that most of the popular info stealers collect way more system information than this malware. Function ProcessUpload. In this case, upload represents the process of sending an archive file from the C2 to the infected host, followed by its decompression. It also indicates whether the decompression was successful. Function ProcessDownload. This function is the reverse of the previous one. It performs compression of a
Starting point is 00:13:30 directory with files collected in advance into a tar.gz archive. Function ProcessShell. This is a function which a true backdoor must have. It awaits an arbitrary command and attempts to execute it. A command may have command-line arguments, and the output will be logged directly to the C2. Function ProcessAuto. This is the entry point of the stealing flow. This function contains multiple calls to the files located in the auto folder. They include grabbers, processors or modifiers of the following data: keychain; Chrome login data; Chrome cookies; Chrome MetaMask extension (keys, permissions, etc.); Chrome profile. Function ProcessWait. A utility function used to send the backdoor into sleeping mode, awaiting further commands. Function ProcessExit. This is a utility function used to quit from the main loop
Starting point is 00:14:19 of communication with the C2. Implementation of Chrome data auto collection. The auto folder contains a set of Go apps. basic.go: here we can see defined constants with target data to capture. It becomes obvious that the main focus is on the MetaMask extension. chrome_change_pref.go: it kills all currently active Chrome processes and changes certain permissions for the MetaMask extension. The JSON configuration suggests a potentially malicious behavior of the extension due to its extensive permissions and manual installation method. The webRequest permission allows the extension to intercept and modify network requests, enabling data theft or phishing attacks. The clipboardWrite permission can be used to capture and modify clipboard data,
Starting point is 00:15:04 potentially stealing cryptocurrency addresses or passwords. The scriptable_host section, which includes file:///*, https://*/* and http://*/*, enables script execution on all websites and access to local files, allowing credential theft or unauthorized data exfiltration. The explicit_host section grants access to cryptocurrency-related domains, such as https://infura.io/* and https://cx.metamask.io/*, which could be exploited to manipulate transactions. The from_webstore: false field indicates that
Starting point is 00:15:56 the extension was installed manually or through unauthorized means, suggesting possible tampering. The commands field assigns a keyboard shortcut to activate the extension, potentially triggering hidden malicious behavior. These combined factors indicate the extension could be used for unauthorized access, data theft, or financial fraud. chrome_cookie_darwin.go: used to retrieve the password related to Google Chrome from local storage. Gathers keychain data with further storage into gather_chain.tar.gz. chrome_cookie_other.go: the same but for Linux. chrome_cookie_win.go: the same but for Windows. chrome_gather.go: collects local extension settings, if they exist on the system, and packs them into gather.tar.gz.
Starting point is 00:16:38 Conclusions. To conclude our analysis, we must highlight the most important points. After successful password theft, the victim's workstation can be remotely accessed via C2 to steal even more data, including personal files that are stored on the system. It makes this malware way more dangerous than regular stealers that usually run on the system once, collecting only the files that are in their list. The backdoor code is written according to programming best practices; comments are left as is, which leaves an open question as to why the code was not compiled beforehand. Only one cryptocurrency-related extension is being targeted, probably counting on gaining remote access to manually search for other popular crypto tools and sensitive data on the system. The campaign is still ongoing,
Starting point is 00:17:30 indicating that the threat actor's strategy remains effective and does not require immediate changes. However, we believe that similar campaigns may soon emerge with updated infrastructure. Thank you for listening to this HackerNoon story, read by Artificial Intelligence. Visit hackernoon.com to read, write, learn and publish.
