A new malware strain disclosed Thursday can steal data from crypto wallets on Windows, Linux and macOS systems while evading antivirus checks.
Called ModStealer, the malware was delivered through fake job recruiter ads targeted at developers and had gone undetected by the major antivirus engines for almost a month before disclosure.
The disclosure was made by security company Mosyle, as first reported by 9to5mac. Decrypt has reached out to Mosyle to learn more.
According to Mosyle, distribution via fake job recruiter ads was a deliberate tactic: it targets developers, who are likely to already have a Node.js environment installed.
ModStealer “will avoid detection by mainstream anti-virus solutions and pose great risks to the broader digital asset ecosystem,” Shan Zhang, chief information security officer at blockchain security firm SlowMist, told Decrypt. “Unlike traditional stealers, ModStealer stands out for its multi-platform support and stealthy ‘zero-detect’ execution chain.”
When executed, the malware scans for browser-based crypto wallet extensions, system credentials, and digital certificates.
It then “exfiltrates data to a remote C2 server,” Zhang explained. A C2, or “command and control,” server is a centralized system used by cybercriminals to manage and control compromised devices in a network; it acts as the operational hub for malware and cyberattacks.
On Apple hardware running macOS, the malware installs itself via a “persistence method” and runs automatically every time the computer starts, disguising itself as a background helper program.
Once set up, it continues to run quietly without the user noticing. According to the disclosure, indicators of infection include a hidden file named “.sysupdater.dat” and a connection to a suspicious server.
“Although common on their own, these persistence methods and strong obfuscation make ModStealer resilient against signature-based security tools,” Zhang said.
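The only concrete indicator the disclosure gives is the hidden file name “.sysupdater.dat”, with no path, hash or server named. The following is an added example of a hunting script written for this article, not code from Mosyle or the article's author: it searches a directory tree for that file name, and, as an assumption not stated on the page, also checks the standard macOS launchd directories for a plist that references it, since a “background helper” that starts at boot is commonly registered there. The sample paths in the usage line are illustrative.

```shell
#!/bin/sh
# Added example: hunt for the ModStealer indicator named in the Mosyle disclosure.
# The article names only a hidden file ".sysupdater.dat"; where it lives is not
# stated, so the whole tree under ROOT is searched.  Scanning launchd plists for a
# reference to that name is an ASSUMPTION about the persistence mechanism.

IOC_FILE=".sysupdater.dat"

# find_ioc_files ROOT
#   Prints every regular file under ROOT (same filesystem only) named $IOC_FILE.
#   Returns 0 if at least one was found, 1 otherwise.
find_ioc_files() {
    root="$1"
    hits=$(find "$root" -xdev -type f -name "$IOC_FILE" 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 0
    fi
    return 1
}

# find_launchd_refs ROOT
#   Prints launchd plists under ROOT's system and per-user launchd directories
#   whose contents mention "sysupdater".  Returns 0 if any matched, 1 otherwise.
#   (Assumed location of persistence; adjust if your telemetry says otherwise.)
find_launchd_refs() {
    root="$1"
    found=1
    for dir in "$root/Library/LaunchAgents" "$root/Library/LaunchDaemons" \
               "$root"/Users/*/Library/LaunchAgents; do
        [ -d "$dir" ] || continue
        for plist in "$dir"/*.plist; do
            [ -f "$plist" ] || continue
            if grep -q "sysupdater" "$plist" 2>/dev/null; then
                printf '%s\n' "$plist"
                found=0
            fi
        done
    done
    return $found
}

# Usage: sh hunt_modstealer.sh /      (run as root to read every home directory)
if [ "$#" -gt 0 ]; then
    find_ioc_files "$1"    || echo "no $IOC_FILE found under $1"
    find_launchd_refs "$1" || echo "no launchd plist under $1 references sysupdater"
fi
```

A hit on the file name alone is a strong indicator, but absence proves nothing: the disclosure also describes the malware reaching out to a suspicious server, so pair this filesystem check with a review of outbound connections from any unfamiliar helper process.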
The discovery of ModStealer comes just after a related warning from Ledger CTO Charles Guillemet. In a disclosure on Tuesday, he said attackers had attempted to compromise NPM developer accounts and spread malicious code that could quietly replace crypto wallet addresses during transactions, putting funds at risk across multiple blockchains.
The attack was detected early and failed, but Guillemet later noted that the compromised packages targeted Ethereum, Solana and other chains.
“If your funds are sitting in a software wallet or on an exchange, you’re one code execution away from losing everything,” Guillemet tweeted hours after his first warning.
When asked about the possible impact of the new malware, Zhang warned that ModStealer poses “a direct threat to crypto users and platforms.”
For end users, “private keys, seed phrases, and exchange API keys can be compromised and lead to direct losses of assets,” Zhang said, adding that “mass theft of browser-extension wallet data can enable large-scale on-chain exploits, eroding trust and amplifying supply chain risks.”