In itslust for stealing cryptocurrency and sensitive information, North Korean hackers are disguising themselves as remote IT workers, recruiters, and even venture capitalists.
Read more in my article on the Hot for Security blog.
Category: cryptocurrency
Perfectl in an impressive piece of malware:
The malware has been circulating since at least 2021. It gets installed by exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the Internet potential targets, researchers from Aqua Security said. It can also exploit CVE-2023-33246, a vulnerability with a severity rating of 10 out of 10 that was patched last year in Apache RocketMQ, a messaging and streaming platform that’s found on many Linux machines.
The researchers are calling the malware Perfctl, the name of a malicious component that surreptitiously mines cryptocurrency. The unknown developers of the malware gave the process a name that combines the perf Linux monitoring tool and ctl, an abbreviation commonly used with command line tools. A signature characteristic of Perfctl is its use of process and file names that are identical or similar to those commonly found in Linux environments. The naming convention is one of the many ways the malware attempts to escape notice of infected users.
Perfctl further cloaks itself using a host of other tricks. One is that it installs many of its components as rootkits, a special class of malware that hides its presence from the operating system and administrative tools. Other stealth mechanisms include:
- Stopping activities that are easy to detect when a new user logs in
- Using a Unix socket over TOR for external communications
- Deleting its installation binary after execution and running as a background service thereafter
- Manipulating the Linux process pcap_loop through a technique known as hooking to prevent admin tools from recording the malicious traffic
- Suppressing mesg errors to avoid any visible warnings during execution.
The malware is designed to ensure persistence, meaning the ability to remain on the infected machine after reboots or attempts to delete core components. Two such techniques are (1) modifying the ~/.profile script, which sets up the environment during user login so the malware loads ahead of legitimate workloads expected to run on the server and (2) copying itself from memory to multiple disk locations. The hooking of pcap_loop can also provide persistence by allowing malicious activities to continue even after primary payloads are detected and removed.
Besides using the machine resources to mine cryptocurrency, Perfctl also turns the machine into a profit-making proxy that paying customers use to relay their Internet traffic. Aqua Security researchers have also observed the malware serving as a backdoor to install other families of malware.
Something this complex and impressive implies that a government is behind this. North Korea is the government we know that hacks cryptocurrency in order to fund its operations. But this feels too complex for that. I have no idea how to attribute this.
Two men are accused of stealing almost a quarter of a billion dollars from one person's cryptocurrency wallet, but why on earth would they be handing out handbags to strangers? And social media comes under the spotlight once more, as we ask if you are delving into misinformation in your most private moments...
All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Two men have been arrested by the FBI and charged in relation to their alleged involvement in a scam which saw almost a quarter of a billion dollars worth of cryptocurrency stolen from a single victim.
Two men arrested one month after $230 million of cryptocurrency stolen from a single victim.
The men were allegedly less than careful hiding their behaviour - spending $500,000 a night in nightclubs, buying hundreds of bottles of champagne, gifting designer handbags (and even a pink Lamborgini) to random women they bumped into on a night out...
Read more in my article on the Hot for Security blog.
Transport for London (TfL) suffers a cybersecurity incident and tells its 30,000 staff they will all have to their identities verified... in-person. Who might have been behind the attack and why? Meanwhile, Donald Trump's curious relationship with cryptocurrency is explored.
All this and Demi Moore is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Binance, the cryptocurrency exchange platform, has issued a warning regarding Clipper Malware, a threat that enables attackers to manipulate users’ wallet addresses. This can lead to the unauthorized diversion of digital funds.
This alert primarily affects users of various cryptocurrencies, particularly Bitcoin, which has recently experienced a decline in value following the second assassination attempt on former U.S. President Donald Trump.
Clipper Malware, also known as ClipBankers, was first identified in November 2022. It monitors victims’ clipboard activities, tracking what they copy, edit, and paste. Once attackers gain control of the clipboard, they can alter copied text, including cryptocurrency addresses, often replacing them with those of the attackers.
With this control, attackers can redirect funds to rogue wallets, effectively hijacking transactions meant for legitimate addresses. Microsoft has classified this type of malware as “Cryware,” highlighting its ability to replace clipboard contents.
A 2023 survey by the FBI estimated that cryptocurrency-related losses reached $5.6 billion.
Trade analysts have suggested that banning digital wallets and cryptocurrencies could reduce cybercrime by disrupting the operations of those spreading ransomware and malware. However, this approach is complicated by the decentralized nature of cryptocurrencies, which lack a governing authority to validate transactions. As a result, implementing such bans presents significant challenges for countries and law enforcement agencies.
The post Binance issues malware threat to Bitcoins users appeared first on Cybersecurity Insiders.
According to Microsoft researchers, North Korean hackers have been using a Chrome zero-day exploit to steal cryptocurrency.
Hackers who seized control of the official Instagram account of McDonald's claim that they managed to steal US $700,000 from unsuspecting investors by promoting a fake cryptocurrency.
Read more in my article on the Hot for Security blog.
Scammers are once again using deepfake technology to dupe unwary internet Facebook and Instagram users into making unwise cryptocurrency investments.
AI-generated videos promoting fraudulent cryptocurrency trading platform Immediate Edge have used deepfake footage of British Prime Minister Sir Keir Starmer and His Royal Highness Prince William to reach an estimated 890,000 people via Meta's social media platforms.
Read more in my article on the Hot for Security blog.
This is pretty horrific:
…a group of men behind a violent crime spree designed to compel victims to hand over access to their cryptocurrency savings. That announcement and the criminal complaint laying out charges against St. Felix focused largely on a single theft of cryptocurrency from an elderly North Carolina couple, whose home St. Felix and one of his accomplices broke into before physically assaulting the two victims—both in their seventies—and forcing them to transfer more than $150,000 in Bitcoin and Ether to the thieves’ crypto wallets.
I think cryptocurrencies are more susceptible to this kind of real-world attack because they are largely outside the conventional banking system. Yet another reason to stay away from them.