In short
- The Russian hacking group GreedyBear has scaled up its activities and stolen $1 million in the last five weeks.
- Koi Security reported that the group has "redefined crypto theft at an industrial scale" with the help of 150 weaponized Firefox extensions.
- The technique involves creating fake versions of widely downloaded crypto wallets such as MetaMask, Exodus, Rabby Wallet and TronLink.
The Russian hacking group GreedyBear has scaled up its activities in recent months, using 150 "weaponized Firefox extensions" to target international, English-speaking victims, according to research by Koi Security.
Publishing the results of its research in a blog post, the US- and Israel-based Koi reported that the group has "redefined crypto theft at an industrial scale", using 150 weaponized Firefox extensions, nearly 500 malicious files and "dozens" of phishing websites to steal more than $1 million in the last five weeks.
Speaking to Decrypt, Koi CTO Idan Dardikman said that the Firefox campaign is "by far" the group's most lucrative attack vector, which "accounted for most of the $1 million on its own".
This particular technique involves creating fake versions of widely downloaded crypto wallets such as MetaMask, Exodus, Rabby Wallet and TronLink.
GreedyBear operators use "extension hollowing" to bypass the marketplace's security checks: they first upload harmless versions of the extensions, then update them with malicious code.
They also post fake reviews of the extensions, creating a false impression of trustworthiness.
Once installed, the malicious extensions steal wallet credentials, which are in turn used to steal crypto.
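Because extension hollowing delivers the payload as an update after a harmless first version has passed review, one defensive check is to diff each update's manifest against the version already installed. The script below is an added example, not Koi Security's tooling or anything from the report; it packs two constructed manifests into in-memory XPI archives (an XPI is a plain zip) and flags the update when it gains broad permissions or new content scripts.

```python
import io
import json
import zipfile

# Constructed sample manifests (not real GreedyBear artifacts): a harmless first
# upload, then an update that adds access to every site plus a content script.
BENIGN_MANIFEST = {"manifest_version": 2, "name": "Wallet Helper",
                   "version": "1.0", "permissions": ["storage"]}
HOLLOWED_MANIFEST = {
    "manifest_version": 2, "name": "Wallet Helper", "version": "1.1",
    "permissions": ["storage", "tabs", "<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
}
# Permissions that let an extension read or alter any page, wallet UIs included.
BROAD = {"<all_urls>", "tabs", "webRequest", "webRequestBlocking",
         "cookies", "clipboardRead", "clipboardWrite", "nativeMessaging"}

def build_xpi(manifest: dict) -> bytes:
    """Pack a manifest into an in-memory XPI (an XPI is an ordinary zip file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()

def read_manifest(xpi: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(xpi)) as z:
        return json.loads(z.read("manifest.json"))

def _perms(m: dict) -> set:
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    return set(m.get("permissions", [])) | set(m.get("host_permissions", []))

def _scripts(m: dict) -> set:
    return {(tuple(cs.get("matches", [])), tuple(cs.get("js", [])))
            for cs in m.get("content_scripts", [])}

def update_risk(old_xpi: bytes, new_xpi: bytes) -> dict:
    """Report privilege growth between two versions of the same extension.
    Hollowing ships a benign first version and delivers the payload as an
    update, so the delta between consecutive versions is what to review."""
    old, new = read_manifest(old_xpi), read_manifest(new_xpi)
    added_perms = sorted(_perms(new) - _perms(old))
    added_scripts = _scripts(new) - _scripts(old)
    return {"added_permissions": added_perms,
            "added_content_scripts": len(added_scripts),
            "flag": bool(set(added_perms) & BROAD or added_scripts)}

if __name__ == "__main__":
    print(update_risk(build_xpi(BENIGN_MANIFEST), build_xpi(HOLLOWED_MANIFEST)))
```

A manifest diff is only a first filter: a hollowed update can also keep the same permissions and change only the bundled JavaScript, so the scripts themselves still need review.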
Not only has GreedyBear stolen $1 million in just over a month using this method, but it has also sharply escalated the scale of its activities: an earlier campaign, active between April and July of this year, involved only 40 extensions.
The group's other primary attack method involves nearly 500 malicious Windows executables that it has seeded onto Russian websites distributing pirated or repackaged software.
These executables include credential stealers, ransomware and trojans, which, Koi Security suggests, points to "a broad malware distribution pipeline that is able to shift tactics if needed."
The group has also built dozens of phishing websites that purport to offer legitimate crypto-related services, such as digital wallets, hardware devices or wallet repair services.
GreedyBear uses these websites to persuade potential victims to enter personal data and wallet credentials, which it then uses to steal funds.
"It is worth noting that the Firefox campaign focused more on global/English-language victims, while the malicious executables focused more on Russian-speaking victims," Dardikman told Decrypt.
Despite the variety of attack methods and targets, Koi also reports that "almost all" GreedyBear attack domains trace back to a single IP address: 185.208.156.66.
According to the report, this address acts as a central hub for coordination and collection, allowing the GreedyBear hackers to "streamline operations".
Dardikman said that a single IP address "means tight centralized control" rather than a distributed network.
"This suggests organized cybercrime rather than state sponsorship; state-sponsored operations usually use distributed infrastructure to avoid single points of failure," he added. "Probably Russian criminal groups working for profit, not under state direction."
Dardikman said that GreedyBear will probably continue its activities and offered several tips for staying out of its growing reach.
"Only install extensions from verified developers with a long history," he said, adding that users should always avoid pirated software sites.
He also advised using only official wallet software, not browser extensions, though he recommended moving off software wallets altogether for serious long-term investors.
"Use hardware wallets for significant crypto holdings, but only buy from official manufacturer websites; GreedyBear builds fake hardware wallet sites to steal payment information and credentials," he said.