The Russian hacker group GreedyBear has conducted a sophisticated cryptocurrency attack campaign through fake Firefox extensions and malware to steal over 1 million USD.

They use the 'Extension Hollowing' technique to bypass the review process of the extension store, combined with malware distribution through torrent software-sharing websites, making the theft of digital assets more effective.

MAIN CONTENT

  • GreedyBear used 150 fake Firefox extensions and 500 Windows malware files to steal cryptocurrencies.

  • The Extension Hollowing method lets the group slip past the security checks of the Firefox extension store.

  • Spreading malware via torrent software-sharing websites increases the risk to users.

What methods has the GreedyBear group used to steal cryptocurrencies?

GreedyBear deployed 150 fake Firefox extensions along with nearly 500 malicious executable files to appropriate over 1 million USD in cryptocurrency.

The primary method is creating fake extensions that mimic popular cryptocurrency wallets such as MetaMask, Exodus, Rabby Wallet, and TronLink. At the same time, the group spreads malware-laden files on unofficial software distribution websites in Russia, including information-stealing malware, ransomware, and trojans.

This approach not only exploits users' trust in familiar extensions but also takes advantage of the habit of downloading software from unknown sources, exposing wallet and asset information.

What is Extension Hollowing and how does it assist the attack group?

Extension Hollowing is a technique used by hacker groups to bypass the review system of the Firefox extension store: an initially harmless version of the extension is uploaded, and a later update replaces it with malicious code.

Because the malicious behavior is absent at submission time, the store's security checks do not detect it. With this strategy, the GreedyBear group took in the majority of its profits, which exceed 1 million USD.

Exploiting Extension Hollowing to slip malware in through updates that fool the review system has created a very effective attack vector, especially for stealing users' wallet information.

Idan Dardikman, CTO of Koi Security, 2024
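As an added illustration (not code from the article or from Koi Security), the script below diffs two WebExtension manifest.json files to surface the privilege jump that an Extension Hollowing update introduces: permissions and host access present in the update but not in the originally reviewed version. The two manifests and the extension name "Wallet Helper" are constructed examples.

```python
import json

# Host patterns that grant access to every site a user visits
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def manifest_permissions(manifest: dict) -> tuple[set, set]:
    """Return (API permissions, host patterns) declared by an MV2 or MV3 manifest."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))  # MV3 keeps hosts separately
    for p in list(perms):  # MV2 mixes host patterns into "permissions"
        if "://" in p or p == "<all_urls>":
            perms.discard(p)
            hosts.add(p)
    for cs in manifest.get("content_scripts", []):  # injected pages count as host access
        hosts.update(cs.get("matches", []))
    return perms, hosts


def update_findings(old: dict, new: dict) -> list[str]:
    """Describe what an update old -> new gained; an empty list means no escalation."""
    old_perms, old_hosts = manifest_permissions(old)
    new_perms, new_hosts = manifest_permissions(new)
    findings = []
    added_perms = sorted(new_perms - old_perms)
    added_hosts = sorted(new_hosts - old_hosts)
    if added_perms:
        findings.append(f"new API permissions: {added_perms}")
    if added_hosts:
        findings.append(f"new host access: {added_hosts}")
    if set(added_hosts) & BROAD_HOSTS:
        findings.append("update now reaches every site, including wallet and exchange pages")
    return findings


# Constructed sample: the benign first submission and the hollowed-out update.
OLD_MANIFEST = json.loads("""{"manifest_version": 2, "name": "Wallet Helper",
  "version": "1.0", "permissions": ["storage"]}""")
NEW_MANIFEST = json.loads("""{"manifest_version": 2, "name": "Wallet Helper",
  "version": "1.1", "permissions": ["storage", "clipboardRead", "<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]}""")

if __name__ == "__main__":
    for line in update_findings(OLD_MANIFEST, NEW_MANIFEST):
        print("-", line)
```

Run against the manifest of the version you reviewed and the manifest delivered by the update; any finding is a reason to re-review before the update is allowed to run.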

What are the consequences and impacts of this attack campaign?

This campaign has led to millions of USD being stolen, undermining users' trust in wallet applications and software downloaded from the internet, especially in markets that heavily use counterfeit products and pirated software.

Additionally, the emergence of malware such as ransomware and trojans not only causes financial damage but also increases the risk of personal information leaks, impacting the entire cryptocurrency ecosystem.

Users need to be vigilant and only download extensions from official sources, limiting the use of unverified software to protect their digital assets.

What protective measures can cryptocurrency users apply?

Users should carefully check the developer's information and genuine reviews on the extension store. Only install extensions that are actively maintained and have credible feedback from the community.

Using cold wallets or multi-layered security solutions (2FA, offline private keys) can also help reduce the risk of information theft via malicious extensions or malware.

Users always need to be vigilant when downloading extensions or software and apply multi-layered protection measures for their cryptocurrency wallets.

Idan Dardikman, CTO of Koi Security, 2024

Frequently Asked Questions

What kind of hacker group is GreedyBear?

GreedyBear is a hacker group from Russia, known for many cryptocurrency attack campaigns through fake extensions and malware aimed at stealing digital assets.

How does Extension Hollowing work?

This is a technique of submitting a harmless extension to the store, then updating it with malicious code to get past the review process, and so spreading the malware.

How to recognize fake extensions?

Users should consider the developer, evaluate community feedback, and avoid extensions with few downloads or unusual reviews.

How does malware on Windows affect users?

Software containing malware can steal personal data, wallet information, and keys, causing significant asset damage.

What should be done if there is suspicion of an attack via an extension?

You should immediately remove the extension, change passwords, check your digital wallet thoroughly, and contact a security expert for assistance.

Source: https://tintucbitcoin.com/greedybear-danh-cap-1-trieu-usd-crypto/
