Engineering Leadership

One way North Korea steals cryptocurrency.

LinkedIn
December 30, 2024
  1. The attacker approaches a job seeker on LinkedIn and has them download a repository called coinbase2024/voting-dapp from Bitbucket, presented as a hiring assignment.

  2. Malware is hidden in one of the repository's test files, so it is activated the moment the developer runs the test case.

  3. The malicious code activated at this point, BeaverTail, is Node.js-based and is downloaded from NPM. It targets cryptocurrency wallet extensions in web browsers such as Chrome, collects wallet data, and transmits it to the attacker's server.

Examples of targeted browser extension IDs:

  • nkbihfbeogaeaoehlefnkodbefgpgknn → MetaMask
  • fhbohimaelbohpjbbldcngcnapndodjp → BNB Chain Wallet
  • ibnejdfjmmkpcnlpebklmnkoeoihofec → TronLink
  4. Afterwards, BeaverTail downloads and executes a Python-based malware called InvisibleFerret. On Linux it uses the Python that is installed by default; on Windows it downloads Python as a tar file and uses that.

  5. InvisibleFerret steals passwords and credit card information stored in major browsers such as Chrome, Brave, and Yandex, and enables remote control: keylogging, terminal command execution, and clipboard and file upload.

  6. What is important to note is that this chain of steps is simple but elaborately designed.

  • It starts with social engineering that preys on the desperation of job seekers on LinkedIn.
  • It hides the malicious code in an NPM module and targets the browser's cryptocurrency wallet extensions, choosing the route that is easiest to install and easiest to target.
  • Only afterwards does it download the Python-based malware and move on to keylogging and remote control in earnest.
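As an added example (not code from the post), here is a defender-side triage check a developer can run over a cloned take-home repository before `npm install` or `npm test`: it flags npm lifecycle hooks and test files that reference the wallet extension IDs listed above or use eval, child_process, base64 decoding or remote URLs. The package.json and test-file contents are constructed samples, and the `scripts/setup.js` path and `test/vote.test.js` file name are assumptions.

```javascript
// Added example (not the post's code): triage a cloned "assignment" repo BEFORE
// running `npm install` or `npm test`. Heuristic flags, not a malware detector.
// Extension IDs from the post; any of them in a test file is a red flag.
const WALLET_EXTENSION_IDS = {
  nkbihfbeogaeaoehlefnkodbefgpgknn: "MetaMask",
  fhbohimaelbohpjbbldcngcnapndodjp: "BNB Chain Wallet",
  ibnejdfjmmkpcnlpebklmnkoeoihofec: "TronLink",
};
// Traits a test file rarely needs: shelling out, eval, base64 blobs, remote URLs.
const SUSPICIOUS_PATTERNS = [
  { name: "eval", re: /\beval\s*\(/ },
  { name: "child_process", re: /require\(\s*['"]child_process['"]\s*\)/ },
  { name: "base64-decode", re: /Buffer\.from\([^)]*['"]base64['"]\s*\)/ },
  { name: "remote-url", re: /https?:\/\/[^\s'"]+/ },
];
// npm runs these automatically during `npm install`, before any test is run.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Flag lifecycle hooks declared in package.json text.
function auditPackageJson(text) {
  let pkg;
  try { pkg = JSON.parse(text); } catch { return [{ kind: "unparseable-package-json" }]; }
  const scripts = pkg.scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => scripts[h])
    .map((h) => ({ kind: "lifecycle-hook", hook: h, command: scripts[h] }));
}

// Flag wallet extension IDs and risky patterns in one test/source file's text.
function auditSource(fileName, text) {
  const findings = [];
  for (const [id, wallet] of Object.entries(WALLET_EXTENSION_IDS)) {
    if (text.includes(id)) findings.push({ kind: "wallet-extension-id", file: fileName, wallet });
  }
  for (const { name, re } of SUSPICIOUS_PATTERNS) {
    if (re.test(text)) findings.push({ kind: "suspicious-pattern", file: fileName, pattern: name });
  }
  return findings;
}

// Constructed sample input (not from the real repository) for a stand-alone run.
const SAMPLE_PACKAGE_JSON = JSON.stringify({ name: "voting-dapp", scripts: { test: "mocha", postinstall: "node ./scripts/setup.js" } });
const SAMPLE_TEST_FILE = [
  "const { exec } = require('child_process');",
  "const target = 'nkbihfbeogaeaoehlefnkodbefgpgknn';",
  "eval(Buffer.from(payload, 'base64').toString());",
].join("\n");
function runSample() {
  return auditPackageJson(SAMPLE_PACKAGE_JSON).concat(auditSource("test/vote.test.js", SAMPLE_TEST_FILE));
}
console.log(runSample());
```

Any non-empty result is a reason to read the flagged file and script by hand, in a disposable VM, before running anything from the repository.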
