According to PANews, a report by Koi Security reveals that the Russian hacker group GreedyBear has stolen over $1 million in cryptocurrency over the past five weeks. The group utilized 150 weaponized Firefox extensions, nearly 500 malicious executable files, and numerous phishing websites to carry out their operations.
Koi Security's Chief Technology Officer, Idan Dardikman, stated that the Firefox extension attacks have been the most lucrative method for the hackers so far, contributing significantly to the $1 million theft. This strategy involved creating fake versions of popular cryptocurrency wallets like MetaMask, Exodus, Rabby Wallet, and TronLink. The hackers employed a technique known as Extension Hollowing to bypass the extension marketplace's security measures: they initially uploaded non-malicious versions of the extensions and later updated them with harmful code.
To further deceive users, the group posted fake reviews of the extensions, creating a false sense of trust and reliability. Once installed, these malicious extensions would steal wallet credentials, enabling the hackers to access and steal cryptocurrency.
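The Extension Hollowing pattern described above depends on an update looking very different from the version that passed initial review. The following is an added example, not code from the article or from Koi Security, showing one defensive check: diffing two versions of a WebExtension `manifest.json` and flagging the kinds of changes an update-time reviewer or an enterprise extension allowlist would want to see, such as newly added broad permissions, content scripts that now run on every site, new script files, and remote script origins declared in the CSP. Both manifests are constructed samples; the `SENSITIVE_PERMISSIONS` list and the severity labels are assumptions for illustration.

```python
import json
from typing import Dict, List, Set

# Constructed sample manifests (WebExtension manifest.json format). Not real extension data.
BENIGN_V1 = """{
  "manifest_version": 2,
  "name": "Wallet Helper",
  "version": "1.0.0",
  "permissions": ["storage"],
  "content_scripts": [{"matches": ["https://example-wallet.test/*"], "js": ["helper.js"]}]
}"""

UPDATED_V2 = """{
  "manifest_version": 2,
  "name": "Wallet Helper",
  "version": "1.0.3",
  "permissions": ["storage", "tabs", "<all_urls>", "clipboardRead"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["helper.js", "collector.js"]}],
  "background": {"scripts": ["bg.js"]},
  "content_security_policy": "script-src 'self' https://cdn.example.test; object-src 'self'"
}"""

# Assumed (illustrative) set of permissions that warrant a closer look when they appear in an update.
SENSITIVE_PERMISSIONS: Set[str] = {
    "<all_urls>", "tabs", "cookies", "history", "webRequest", "webRequestBlocking",
    "clipboardRead", "nativeMessaging", "scripting", "downloads",
}


def manifest_permissions(manifest: Dict) -> Set[str]:
    """Union of every permission-bearing key in the manifest."""
    perms: Set[str] = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.update(manifest.get(key, []))
    return perms


def content_script_matches(manifest: Dict) -> Set[str]:
    """URL match patterns on which content scripts are injected."""
    return {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}


def content_script_files(manifest: Dict) -> Set[str]:
    """JavaScript files injected as content scripts."""
    return {f for cs in manifest.get("content_scripts", []) for f in cs.get("js", [])}


def background_scripts(manifest: Dict) -> Set[str]:
    """Background scripts (MV2 'scripts' list or MV3 service worker)."""
    bg = manifest.get("background", {})
    files = set(bg.get("scripts", []))
    if "service_worker" in bg:
        files.add(bg["service_worker"])
    return files


def remote_script_sources(csp: str) -> List[str]:
    """Return http(s) origins listed in the script-src directive of a CSP string."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0] == "script-src":
            return [src for src in parts[1:] if src.startswith("http")]
    return []


def audit_update(old: Dict, new: Dict) -> List[str]:
    """Compare two manifest versions and list changes that widen the extension's reach."""
    findings: List[str] = []
    for perm in sorted(manifest_permissions(new) - manifest_permissions(old)):
        level = "HIGH" if perm in SENSITIVE_PERMISSIONS else "INFO"
        findings.append(f"{level}: permission added: {perm}")
    if "<all_urls>" in content_script_matches(new) - content_script_matches(old):
        findings.append("HIGH: content scripts now match <all_urls>")
    for f in sorted(content_script_files(new) - content_script_files(old)):
        findings.append(f"MEDIUM: new content script file: {f}")
    for f in sorted(background_scripts(new) - background_scripts(old)):
        findings.append(f"MEDIUM: new background script: {f}")
    for src in remote_script_sources(new.get("content_security_policy", "")):
        findings.append(f"HIGH: CSP declares remote script source: {src}")
    return findings


def audit_sample() -> List[str]:
    """Run the audit over the constructed v1 -> v2 update."""
    return audit_update(json.loads(BENIGN_V1), json.loads(UPDATED_V2))


if __name__ == "__main__":
    for line in audit_sample():
        print(line)
```

A benign update that only bumps the version and touches existing files produces no findings, while the constructed v2 above trips every check; in practice this diff would be run at update time, before the new version is allowed to reach users, so that a clean first submission cannot be used to launder a later, far more capable one.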
Another major tactic used by the group involved nearly 500 malicious Windows executable files, which were distributed on Russian websites offering pirated or repackaged software. These executables included credential stealers, ransomware, and trojans, further expanding the group's reach and impact.