From 9 to 13 Different Wallets: Fake Web3 Job Recruiters Update Their Crypto-Stealing Malware
Hack
North Korea
Security
The novel variant of the malware targets both Windows and macOS. It is now capable of stealing cryptocurrency from 13 different wallets.
Last updated:
October 9, 2024 09:58 EDT
Journalist
Sead Fadilpašić
Journalist
Sead Fadilpašić
About Author
Sead specializes in writing factual and informative articles to help the public navigate the ever-changing world of crypto. He has extensive experience in the blockchain industry, where he has served…
Author Profile
Share
Copied
Last updated:
October 9, 2024 09:58 EDT
Why Trust Cryptonews
With over a decade of crypto coverage, Cryptonews delivers authoritative insights you can rely on. Our veteran team of journalists and analysts combines in-depth market knowledge with hands-on testing of blockchain technologies. We maintain strict
editorial standards
, ensuring factual accuracy and impartial reporting on both established cryptocurrencies and emerging projects. Our longstanding presence in the industry and commitment to quality journalism make Cryptonews a trusted source in the dynamic world of digital assets.
Read more about Cryptonews
Fake Web3 job recruiters associated with
North Korea
target job-seekers online, tricking them into downloading malware that masquerades as a video call application – stealing their crypto.
According
to the latest report from cyber risk team
Unit 42
by major cybersecurity company Palo Alto, the novel variant of a previously discovered malware targets both Windows and macOS.
Notably, it is now capable of stealing cryptocurrency from 13 different wallets, including MetaMask, BNB Chain, Exodus, Phantom, TronLink, Crypto.com, and more.
The researchers argue that these are North Korean threat actors who are likely financially motivated, working to support the Democratic People’s Republic of Korea (DPRK) regime.
How It Works
The attackers target tech industry job seekers’ devices.
They contact software developers through job search platforms and invite them to an online interview.
The attacker will then work to convince the developer to download and install malware presented as a video chat app.
Once the victim executes the malicious code, it starts working in the background to collect data and digital funds.
Let’s check out some of the many examples.
In June 2024, a Medium article
warned
about fake recruiters on GitHub and LinkedIn Premium. Specifically, author Heiner named “Onder Kayabasi” as the account that contacted the writer over LinkedIn.
The LinkedIn account is no longer available, but there is a similar
Twitter account
that is still live at the time of writing.
Source: Onder Kayabasi, Twitter
These social engineering and fraud campaigns “aim to infect, steal information and cryptocurrencies from people, particularly developer accounts in the cryptocurrency, blockchain, cybersecurity, and online gambling domains,” Heiner wrote.
Full Stack Software Engineer Richard Chang
had already reported
the account as a fake recruiter. He intentionally ran the code in a virtual environment “because you should NEVER run random code that you do not understand from a suspicious party.”
Kayabasi “was not happy,” Chang wrote.
Though indeed “evil,” the code was “surprisingly sophisticated,” he added.
Source: Richard Chang, LinkedIn
From 9 to 13 Wallets
Unit 42 has been tracking activity by these actors for a while now, first writing about this aptly named “Contagious Interview campaign” in November 2023.
Since then, however, the activities continued with newer iterations.
Specifically, the researchers noted code updates to two pieces of malware: the BeaverTail downloader and the InvisibleFerret backdoor.
BeaverTail, downloader and infostealer, is the initial malware. It executes its malicious code in the background without any visible indicators.
The newer version of the BeaverTail malware has been introduced as early as July 2024.
The attackers used the cross-platform framework called Qt, which allows developers to create cross-platform applications.
This means that the attackers can use the same source code to compile applications for Windows and macOS simultaneously, the report explained.
Additional features in this new Qt version of BeaverTail include stealing browser passwords in macOS and stealing cryptocurrency wallets in both macOS and Windows.
“This last feature is consistent with the ongoing financial interests of North Korean threat actors,” said the report.
Source: Unit 42
Importantly, this newer Qt version targets 13 different crypto wallet browser extensions, compared to the previously recorded 9 wallets.
“Of the current 13 extensions, the authors added 5 for new wallets, and removed one,” researchers said.
These include MetaMask, BNB Chain, Exodus, Phantom, TronLink, Crypto.com, Coin98, Kaikas, Rabby, and Argent X – Starknet.
Source: Unit 42
After this step, the attackers will attempt to execute the InvisibleFerret backdoor. Its components include a fingerprint, remote control, and information stealer, as well as a browser stealer.
This move allows the attackers to maintain control of the device and exfiltrate sensitive data.
MalwareHunterTeam
Another major risk, according to the report, is the potential infiltration of the companies that employ the targeted job seekers.
“A successful infection on a company-owned endpoint could result in collection and exfiltration of sensitive information,” they stressed.
Unit 42 advises individuals and organizations to be aware of these advanced social engineering campaigns.
Therefore, in its report, Unit 42 offers protection and mitigation measures.
Follow us on Google News