
A newly discovered campaign called GreedyBear leverages over 150 malicious extensions on the Firefox add-on marketplace, designed to steal more than $1 million in digital assets by impersonating popular cryptocurrency wallets.
According to Tuval Admoni, a security researcher at Koi Security, the published browser add-ons masquerade as wallets such as MetaMask, TronLink, Exodus and Rabby Wallet.
What is noteworthy is that the threat actors use a technique the cybersecurity company calls Extension Hollowing to bypass Mozilla's marketplace safeguards and exploit user trust. Several aspects of the campaign were first documented last week by security researcher Lukasz Olejnik.
“Instead of trying to sneak malicious extensions past the initial review, they first build a portfolio of legitimate extensions and then weaponize them when no one is looking,” Admoni said in a report released Thursday.
To achieve this, the attacker first creates a publisher account on the marketplace, uploads harmless extensions with real functionality that pass initial review, posts fake positive reviews to create an illusion of credibility, and then modifies the extensions internally to add malicious features.

The fake extensions are designed to capture wallet credentials entered by unsuspecting users and exfiltrate them to an attacker-controlled server. They also collect the victim's IP address for tracking purposes.
The campaign is assessed to be an extension of a previous iteration called Foxy Wallet, in which the threat actors published more than 40 malicious browser extensions for Mozilla Firefox with similar goals. The latest spike in the number of extensions indicates an increase in the scale of the operation.
The fake cryptocurrency wallet extension attacks are augmented by campaigns that distribute malicious executables through various Russian sites touting cracked and pirated software, leading to information theft and the deployment of ransomware.
The GreedyBear actors have also been found to set up fraudulent sites posing as cryptocurrency products and services, such as wallet repair tools, that trick users into handing over wallet credentials or payment details, leading to credential theft and financial fraud.
Koi Security said the three attack verticals can be linked to a single threat actor based on the fact that all domains used in these efforts point to a single IP address, 185.208.156[.]66, which acts as a command-and-control (C2) server for data collection and management.
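A shared C2 address is the kind of indicator a defender can act on immediately. The script below is an added example, not code from Koi Security's report: it refangs the published indicator (185.208.156[.]66 is the only real value taken from the article) and scans proxy log lines for hosts that contacted it. The log layout and the sample lines are constructed for the demonstration, and the match is anchored so that partial addresses such as 185.208.156.6 or 1185.208.156.660 are not reported as hits.

```python
"""Flag proxy log lines that reference the GreedyBear C2 address.

Added example, not from Koi Security's report. The only real value here is
the C2 IP reported in the article (185.208.156[.]66, kept in defanged form);
the log format and the sample lines are constructed for the demonstration.
"""
import re

# Indicator as published (defanged). It is refanged only at match time so the
# stored copy stays non-clickable.
DEFANGED_C2 = "185.208.156[.]66"


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def ioc_pattern(indicator: str) -> re.Pattern:
    """Compile a pattern that matches the indicator only as a whole token,
    so "185.208.156.66" does not match inside "1185.208.156.660"."""
    return re.compile(r"(?<![\d.])" + re.escape(refang(indicator)) + r"(?![\d.])")


def scan_log(lines, indicators=(DEFANGED_C2,)):
    """Return (line_number, matched_indicator, src_host) for each hit.

    src_host is the second whitespace-separated field of the constructed
    "timestamp src_host dst_host dst_ip method path status" layout.
    """
    patterns = [(ioc, ioc_pattern(ioc)) for ioc in indicators]
    hits = []
    for n, line in enumerate(lines, 1):
        for ioc, pat in patterns:
            if pat.search(line):
                fields = line.split()
                src = fields[1] if len(fields) > 1 else "?"
                hits.append((n, ioc, src))
    return hits


# Constructed sample proxy lines (timestamp src_host dst_host dst_ip method path status).
SAMPLE_LOG = [
    "2025-08-07T10:01:12Z ws-1042 addons.mozilla.org 34.117.0.1 GET /firefox/addon/x 200",
    "2025-08-07T10:01:15Z ws-1042 update.example 185.208.156.66 POST /collect 200",
    "2025-08-07T10:02:00Z ws-0007 cdn.example 185.208.156.6 GET /lib.js 200",
    "2025-08-07T10:02:30Z ws-0011 wallet-fix.example 185.208.156.66 GET / 200",
]

if __name__ == "__main__":
    for n, ioc, src in scan_log(SAMPLE_LOG):
        print(f"line {n}: host {src} contacted C2 {ioc}")
```

Two of the four constructed lines are reported (the workstations ws-1042 and ws-0011); the line ending in 185.208.156.6 is a different address and is correctly ignored. The same pattern anchoring applies when the indicator list is extended with the campaign's domains, which the article does not enumerate.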

There is evidence to suggest that the extension-related attacks are diversifying to target other browser marketplaces, based on the discovery of a Google Chrome extension that uses the same C2 server and underlying logic to steal credentials.
Worse, analysis of the artifacts reveals indications that they may have been created using AI-powered tools, highlighting the increasing misuse of AI systems by threat actors to enable attacks at scale and speed.
“This variety shows that the group is not deploying a single tool set, but rather operating a wide range of malware distribution pipelines that allow them to change tactics when needed,” Admoni said.
“The difference then is scale and scope. This has evolved into a multi-platform credential and asset theft campaign backed by hundreds of malware samples and fraud infrastructure.”
Ethereum Drainer Poses as a Trading Bot to Steal Crypto
The disclosure comes as SentinelLABS flagged a widespread, ongoing cryptocurrency scam that involves distributing malicious smart contracts disguised as trading bots to drain user wallets. The fraudulent Ethereum Drainer scheme, which has been active since early 2024, is estimated to have already netted the threat actors more than $900,000 in stolen profits.

“The scams are being sold through YouTube videos that explain the nature of crypto trading bots and how to deploy smart contracts on the Remix Solidity Compiler platform, a web-based integrated development environment (IDE) for web3 projects,” said researcher Alex Delamotte. “The video description shares a link to an external site that hosts the weaponized smart contract code.”
The videos are said to be AI-generated and are published by aged accounts that repost cryptocurrency news from other sources as playlists to build legitimacy. The videos also feature overwhelmingly positive comments, suggesting that the threat actors are actively curating the comment section and removing negative feedback.

One of the YouTube accounts promoting the fraud was created in October 2022, showing that the scammers have slowly and steadily built up the account's credibility over the long term.
The attack moves to the next phase when the victim deploys the smart contract and is then instructed to send ETH to the new contract, which routes the funds to an obfuscated threat actor-controlled wallet.
“The combination of AI-generated content and sellable YouTube accounts means that actors with discreet resources can obtain a YouTube account that the algorithm deems ‘established,’ weaponize the account and post customized content under the false pretext of legitimacy,” Delamotte said.