According to research by Koi Security, the Russian hacking group GreedyBear has expanded its operations in recent months, using 150 "weaponized Firefox extensions" to target international, English-speaking victims.
In a blog post detailing its findings, the US- and Israel-based Koi reported that the group has "redefined industrial-scale crypto theft," using 150 weaponized Firefox extensions, nearly 500 malicious executables and "dozens" of phishing websites to steal more than $1 million within the last five weeks.
Speaking to Decrypt, Koi CTO Idan Dardikman said the Firefox campaign is "a lot more" profitable than the group's other attack vectors, with "most of the $1 million" reported coming from it.
The technique involves creating fake versions of widely downloaded crypto wallets, such as MetaMask, Exodus, Laby Wallet, and TronLink.
GreedyBear operators use a technique known as extension hollowing to get past marketplace security checks: they first upload non-malicious versions of an extension, and only once it has been accepted do they push an update that adds the malicious code.
They also post fake reviews of extensions, giving the false impression of trust and reliability.
Once installed, however, the malicious extensions are used to steal wallet credentials and cryptocurrency.
Not only has GreedyBear stolen more than $1 million in a little over a month using this method, it has also significantly scaled up compared with its previous campaign, active between April and July this year, which involved only 40 extensions.
The group's other major attack method is a set of around 500 malicious Windows executables hosted on Russian websites that distribute pirated or repackaged software.
These executables include credential stealers, ransomware, and trojans, which Koi Security says points to a "wide malware delivery pipeline" that allows the group to change tactics when needed.
The group has also created dozens of phishing websites that pose as legitimate crypto-related services, such as digital wallets, hardware devices, and wallet repair services.
GreedyBear uses these sites to lure potential victims into entering personal data and wallet credentials, which it then uses to steal funds.
"It's worth mentioning that while the Firefox campaign targets more global/English-speaking victims, the malicious executables have targeted more Russian-speaking victims," Dardikman told Decrypt.
Despite the variety of attack methods and targets, Koi reports that "almost all" GreedyBear attack domains resolve to a single IP address, 185.208.156.66.
According to the report, that address serves as a central hub for coordination and collection, allowing the group to streamline its operations.
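Because the report ties nearly all of the group's domains to one address, that IP is the most useful indicator a defender gets from this story. The following script is an added example, not code from Koi or from the article: it pulls key=value fields out of constructed proxy log lines (the domains, client addresses and the 203.0.113.10 address are placeholders), flags any connection whose destination is 185.208.156.66, and separately checks a list of domains against the same address through an injectable resolver so it can run offline (the `FAKE_DNS` table is constructed; `default_resolver` does a live lookup if you pass real domains).

```python
"""Hunt for connections and domains tied to the GreedyBear hub IP.

Added example; log lines, domains and the FAKE_DNS table are constructed.
"""
import ipaddress
import re
import socket
from typing import Callable, Iterable

# The single hub address reported by Koi Security and quoted in the article.
GREEDYBEAR_HUB = ipaddress.ip_address("185.208.156.66")

# Constructed sample proxy log lines (not real traffic). Hostnames use the
# reserved .example TLD and 203.0.113.10 is a documentation address.
SAMPLE_LOG_LINES = [
    "2025-08-08T10:01:12Z client=10.0.0.5 host=wallet-recovery-help.example "
    "dst=185.208.156.66 method=POST path=/api/seed",
    "2025-08-08T10:02:40Z client=10.0.0.7 host=addons.mozilla.org "
    "dst=203.0.113.10 method=GET path=/firefox/addon/metamask/",
    "2025-08-08T10:03:02Z client=10.0.0.9 host=hw-wallet-repair.example "
    "dst=185.208.156.66 method=GET path=/",
    "garbage line without fields",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Extract key=value pairs from one log line; returns {} if none found."""
    return dict(_KV.findall(line))


def find_hub_hits(lines: Iterable[str], hub=GREEDYBEAR_HUB) -> list:
    """Return the parsed fields of every line whose dst equals the hub IP."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        dst = fields.get("dst")
        if not dst:
            continue
        try:
            if ipaddress.ip_address(dst) == hub:
                hits.append(fields)
        except ValueError:
            continue  # malformed dst field, skip rather than crash the hunt
    return hits


def default_resolver(domain: str) -> list:
    """Live DNS lookup; returns [] if the name does not resolve."""
    try:
        return socket.gethostbyname_ex(domain)[2]
    except (socket.gaierror, OSError):
        return []


def domains_pointing_at_hub(domains: Iterable[str],
                            resolve: Callable[[str], Iterable[str]] = default_resolver,
                            hub=GREEDYBEAR_HUB) -> dict:
    """Map each domain to True if any of its A records is the hub IP."""
    result = {}
    for domain in domains:
        addrs = set()
        for addr in resolve(domain):
            try:
                addrs.add(ipaddress.ip_address(addr))
            except ValueError:
                pass  # resolver returned something that is not an IP
        result[domain] = hub in addrs
    return result


# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "wallet-recovery-help.example": ["185.208.156.66"],
    "hw-wallet-repair.example": ["185.208.156.66"],
    "addons.mozilla.org": ["203.0.113.10"],
}


def fake_resolver(domain: str) -> list:
    return FAKE_DNS.get(domain, [])


if __name__ == "__main__":
    for hit in find_hub_hits(SAMPLE_LOG_LINES):
        print(f"HIT client={hit['client']} host={hit['host']} path={hit['path']}")
    for domain, flagged in domains_pointing_at_hub(FAKE_DNS, resolve=fake_resolver).items():
        print(f"{domain}: {'points at hub' if flagged else 'clean'}")
```

Swap `fake_resolver` for `default_resolver` (or a passive-DNS client) to run the domain check against real data; a hit on the destination IP is a stronger signal than a hostname match, since the phishing domains change while the report says the collection address did not.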
Dardikman said a single IP address “means strict centralized control” rather than a distributed network.
"This suggests organized cybercrime rather than state sponsorship. Government operations usually use distributed infrastructure to avoid a single point of failure," he added. "It's probably a Russian crime group operating for profit, not at the direction of the state."
Dardikman said GreedyBear is likely to continue its operations and offered some tips for staying out of its reach.
"Only install extensions from verified developers with a long history," he said, adding that users should always avoid pirated-software sites.
He also recommended using only official wallet software rather than browser extensions.
"Use hardware wallets for important crypto holdings, but only buy them from the official manufacturer's website," he said. "GreedyBear creates fake hardware wallet sites to steal payment information and credentials."