Bitcoin Forum
April 28, 2024, 11:45:34 AM *
Author Topic: [Warning] USB Malware that targets crypto wallets  (Read 153 times)
Jating (OP)
February 01, 2024, 07:11:06 AM
 #1

There is a new and sophisticated attack coming from cyber criminals. It's complicated because they are not hiding it, but instead taking advantage of legitimate online platforms, including GitHub, Vimeo, and Ars Technica, to host encoded payloads.

But for now, it's not known how the criminals were able to spread it in the wild because the victims need to physically click a link from a USB drive. And when it is launched:

1. It executes a PowerShell script, "explorer.ps1".
2. It retrieves an intermediary payload, which decrypts into a URL and initiates an infection within the system by downloading the 'EMPTYSPACE' malware.
3. The intermediary payloads consist of text strings that, when decoded, reveal a URL for downloading the subsequent payload and facilitate communication with a C2C (Command and Control).



Targeted crypto wallets:



https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware

So this might be the right time now to be very careful with the USB drives that we are going to use moving forward. As we have seen, criminals are getting really complex and refined with their attacks, so that even if we can see it, we would never think that those can be used to attack us.

hugeblack
February 01, 2024, 10:41:38 AM
 #2

Although the attack is complex and requires that it be downloaded via USB, its principle is simple, which is to search for a unique prefix such as bc1 and replace it with the Bitcoin address that belongs to the hackers and hope that you are not paying attention to check the address several times.

In short, as long as you move your coins to cold storage and set up the air-gapped system correctly with an open source, well-reviewed wallet and verify the address several times, you are safe.
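
The address check described in the post above, written out in Python as an added example that is not part of the original thread: it verifies the bech32/bech32m checksum of the address about to be paid and compares it in full with the intended one. The function names are hypothetical, the intended address is the published BIP173 test vector, and the swapped-in address is constructed here.

```python
# Added example: constructed data, hypothetical function names.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32, BECH32M = 1, 0x2BC830A3  # checksum constants from BIP173 / BIP350


def _polymod(values):
    """BCH checksum over 5-bit values, as specified in BIP173."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def checksum_ok(addr):
    """True if addr is a mainnet bc1 address whose checksum verifies."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is not allowed
    hrp, _, data = addr.lower().rpartition("1")
    if hrp != "bc" or len(data) < 7 or any(c not in CHARSET for c in data):
        return False
    values = [CHARSET.index(c) for c in data]
    # Witness version 0 uses bech32; versions 1 and up use bech32m.
    want = BECH32 if values[0] == 0 else BECH32M
    return _polymod(_hrp_expand(hrp) + values) == want


def encode_p2wpkh(program):
    """Encode a 20-byte witness v0 program as bc1q... (builds the sample data)."""
    data, acc, bits = [0], 0, 0  # leading 0 = witness version
    for byte in program:
        acc, bits = (acc << 8) | byte, bits + 8
        while bits >= 5:
            bits -= 5
            data.append((acc >> bits) & 31)
    if bits:
        data.append((acc << (5 - bits)) & 31)
    mod = _polymod(_hrp_expand("bc") + data + [0] * 6) ^ BECH32
    data += [(mod >> 5 * (5 - i)) & 31 for i in range(6)]
    return "bc1" + "".join(CHARSET[d] for d in data)


def verify_destination(expected, pasted):
    """Compare the address you meant to pay with the one about to be signed."""
    expected, pasted = expected.strip().lower(), pasted.strip()
    if not checksum_ok(pasted):
        return ("INVALID", "pasted address fails the checksum (typo or corruption)")
    pasted = pasted.lower()
    if pasted == expected:
        return ("OK", "addresses are identical")
    diff = sum(a != b for a, b in zip(expected, pasted)) + abs(len(expected) - len(pasted))
    return ("SUBSTITUTED", f"valid address, but {diff} characters differ from the expected one")


# BIP173 test-vector address stands in for the address the user intended to pay.
EXPECTED = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"
# Constructed stand-in for a swapped-in address: checksum-valid, same bc1q prefix.
SWAPPED = encode_p2wpkh(bytes(range(20)))
# One mistyped character: the checksum catches this, but not a substitution.
TYPO = EXPECTED[:-1] + "5"

if __name__ == "__main__":
    for label, addr in (("intended", EXPECTED), ("swapped", SWAPPED), ("typo", TYPO)):
        same_prefix = addr[:4] == EXPECTED[:4]
        print(label, "| prefix matches:", same_prefix, "|", *verify_destination(EXPECTED, addr))
```

The swapped address passes both the prefix glance and the checksum, so only the full comparison against an address obtained out of band flags it.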

tech30338
February 01, 2024, 11:46:31 AM
 #3

Has anyone watched the Blackhat movie? It's almost the same approach, where they need to plug the thumb drive into any computer in the network and voilà, it will look for and drain the bank account, but in this case it will look for a crypto wallet.

BitMaxz
February 01, 2024, 12:18:34 PM
 #4

I heard about this malware called "explorer.ps1" before, last year I think, where someone wasn't able to erase or delete it; once he deleted it, it always popped up again. It seems that this malware includes a trojan virus that can't easily be removed from your system once it infects it.

It seems that it only works on Windows PCs with PowerShell, but if you are an Ubuntu user or your wallet is on a Linux OS, it isn't going to infect your PC?

However, it is still safe if we save all assets on offline devices and never plug in any USB device, for safety purposes. If you want to safely sign any transaction, only use a QR code that is generated from your wallet and scan it with your offline device to sign the transaction, then scan it again with your online device.

ImThour
February 01, 2024, 01:30:12 PM
 #5

It's not something new, I can say that for sure. There have been scripts that were able to run on autoplay-enabled Windows systems when you insert a USB.
This malware is just designed to target crypto wallets; that's new, but malware would simply start running on inserting a USB into any system.
Aanuoluwatofunmi
February 01, 2024, 04:11:30 PM
 #6

This is not new; there have been related attacks in which the targets come in through the use of a USB device, it's just that it has not been as common as other means by which malware is introduced for an attack. We must take cognisance of this and avoid being under the threat it causes while attacking others; what we know shouldn't be a means of vulnerability to us anymore.
Myleschetty
February 01, 2024, 04:16:30 PM
 #7

Quote from: hugeblack
> Although the attack is complex and requires that it be downloaded via USB, its principle is simple, which is to search for a unique prefix such as bc1 and replace it with the Bitcoin address that belongs to the hackers and hope that you are not paying attention to check the address several times.
>
> In short, as long as you move your coins to cold storage and set up the air-gapped system correctly with an open source, well-reviewed wallet and verify the address several times, you are safe.

Technically, this is just like the clipboard hijacker malware created by attackers to replace the user's recipient address with the Bitcoin address that belongs to the attackers.
I think we should also practice the use of a Bitcoin wallet QR code.
About the air-gapped system: what if the wallet is outdated? Won't that also lead to another danger in the future?
Zaguru12
February 01, 2024, 04:28:25 PM
 #8

Quote from: Myleschetty
> Technically, this is just like the clipboard hijacker malware created by attackers to replace the user's recipient address with the Bitcoin address that belongs to the attackers.
> I think we should also practice the use of a Bitcoin wallet QR code.
> About the air-gapped system: what if the wallet is outdated? Won't that also lead to another danger in the future?

First of all, even the QR code itself has its own malware that changes an address, most especially if you created it yourself from a scam site. Using the default one provided by the wallet is less risky, but you still need to confirm the details of the final transaction after signing it and before broadcasting, as suggested by hugeblack, as this clears any unnecessary doubts about whether you are affected by malware.

As for a Bitcoin wallet going outdated, you can either simply update the firmware or change the hardware wallet. None of this is a thing to worry about as long as you have your seed phrase backed up offline. Once the wallet starts having problems, just import the seed into another wallet, and probably generate a new seed phrase and move your coins there if you ever have an iota of doubt that your wallet is compromised.

If the seed phrase generated is also not the regular BIP39 that is common, and the wallet with the custom seed phrase is hard to get your hands on to import your seed phrase, you can simply use tools that convert a seed phrase to a private key and then use the private key to sweep that particular wallet.

ScamViruS
February 01, 2024, 05:58:01 PM
 #9

This is not a new technique, hackers have already gained access to many crypto users' devices and hacked crypto wallets to transfer funds. They are only strengthening their virus over time, so that they can silently attack crypto users more powerfully. There is a lot of news about this malware online, which happened earlier and took complete control of crypto users' wallets and their devices.

https://www.hackread.com/hackers-usb-drives-malware-attack/

https://www.bleepingcomputer.com/news/security/usb-drive-malware-attacks-spiking-again-in-first-half-of-2023/amp/

Jating (OP)
February 02, 2024, 01:14:51 AM
 #10

Ok from the links given, the mode of attack is this,

Quote
> Cybercriminals are sending “decorative gift boxes” to unsuspecting businesses containing Lily Go USB flash drives that are installing ransomware on targeted devices.
>
> The US Federal Bureau of Investigation, FBI, has released a warning to inform enterprises about malicious USB flash drives sent through the mail to spread ransomware and launch cyberattacks.
>
> As per the FBI, the package comes as a “decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB.”

https://www.hackread.com/fbi-hackers-mail-malicious-usb-drives-ransomware/

So it did start in 2021, targeting Asian countries, but it is still evolving up to this day. It's all about enterprises, though, that they might have sent this USB to. But we just don't know, because once it's been propagated, each and every one of us here could be a victim. So extreme caution is needed by us.

hugeblack
February 02, 2024, 08:17:59 AM
 #11

Quote from: Myleschetty
> About the air-gapped system: what if the wallet is outdated? Won't that also lead to another danger in the future?

When you want to broadcast a transaction, the online wallet is updated: check the address several times before approving the transaction --> show it as a QR code --> sign it in the air-gapped system --> get a new QR code --> broadcast the transaction again via updated online wallets, so you do not need updates. If you want to update, create the air-gapped system again, and you can do this every few months.

Quote from: Zaguru12
> If the seed phrase generated is also not the regular BIP39 that is common, and the wallet with the custom seed phrase is hard to get your hands on to import your seed phrase, you can simply use tools that convert a seed phrase to a private key and then use the private key to sweep that particular wallet.

For open source software, the modern version must be compatible with older versions. Therefore, as long as you choose an open source and well-reviewed wallet, there is no need to fear problems with updates.

Dave1
February 02, 2024, 09:25:51 AM
 #12

Quote from: Jating
> Ok from the links given, the mode of attack is this,
>
> Quote
> > Cybercriminals are sending “decorative gift boxes” to unsuspecting businesses containing Lily Go USB flash drives that are installing ransomware on targeted devices.
> >
> > The US Federal Bureau of Investigation, FBI, has released a warning to inform enterprises about malicious USB flash drives sent through the mail to spread ransomware and launch cyberattacks.
> >
> > As per the FBI, the package comes as a “decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB.”
>
> https://www.hackread.com/fbi-hackers-mail-malicious-usb-drives-ransomware/
>
> So it did start in 2021, targeting Asian countries, but it is still evolving up to this day. It's all about enterprises, though, that they might have sent this USB to. But we just don't know, because once it's been propagated, each and every one of us here could be a victim. So extreme caution is needed by us.

It doesn't make sense, though, if you or someone from the enterprise received a malware-stricken USB and you would just plug it into a computer on the network and then click the link.

It might sound new, though, for us as crypto enthusiasts, but we all know that we should verify and not trust anyone, especially when receiving a USB from someone.

"Decorative gift boxes"? WTF is that, maybe it's just to entice, but I would have second guesses that there is something bad on that USB drive itself.

SamReomo
February 02, 2024, 09:41:35 AM
 #13

Quote from: Jating
> But for now, it's not known how the criminals were able to spread it in the wild because the victims need to physically click a link from a USB drive. And when it is launched:

I'm wondering who those users who click links from USB drives can be. I have personally never clicked a link via my USB drives and don't even save any links on USB drives at all. But I'm sure that those hackers might have found another way to misguide users into clicking links from USB drives.

In my mind, the audience can be those who download torrents from torrent sharing sites, because most of the content that's downloaded via torrents contains a link, and those people who download such torrents might share the files with their friends by copying the folders onto USB drives. And sometimes such users can click those links in a hurry.

alastantiger
February 02, 2024, 02:49:43 PM
 #14

Quote from: hugeblack
> Although the attack is complex and requires that it be downloaded via USB, its principle is simple, which is to search for a unique prefix such as bc1 and replace it with the Bitcoin address that belongs to the hackers and hope that you are not paying attention to check the address several times.
>
> In short, as long as you move your coins to cold storage and set up the air-gapped system correctly with an open source, well-reviewed wallet and verify the address several times, you are safe.

I think the message here is simple.

If you are a newbie, do not play around with or experiment with stuff that you do not understand, because curiosity actually kills the cat. The first and most important thing in cryptocurrency that you should prioritise is your security and privacy, before experimentation.

As a newbie, stay with wallets and systems that have been recommended and suggested. Carry out a thorough antivirus scan on any external devices, including USB drives, before connecting them to your computer. This helps detect and eliminate potential malware.

Ultegra134
February 02, 2024, 09:47:00 PM
 #15

I'm not really surprised, hackers keep finding new ways to mess with other people's hard work. I'm yet to understand: how is the USB infected in the first place? It was never recommended to install unknown USB sticks, that perfectly makes sense, but if we don't know how it's spreading, how can we defend ourselves from something that we practically have no knowledge of?

A few years ago I was infected with a fake Google Chrome extension. I'm yet to understand how I got infected in the first place, and I was probably one of the first victims, because I couldn't find any background information until many months later. My computer had residue from the virus until last year, when I changed my hard drive.

Jating (OP)
February 03, 2024, 09:45:36 AM
 #16

Quote from: Ultegra134
> I'm not really surprised, hackers keep finding new ways to mess with other people's hard work. I'm yet to understand: how is the USB infected in the first place? It was never recommended to install unknown USB sticks, that perfectly makes sense, but if we don't know how it's spreading, how can we defend ourselves from something that we practically have no knowledge of?

As I mentioned, it was like a sort of gift; there are enterprise people who received a box with this USB stick, and so they thought that it was safe, as hackers are really good at hiding their intentions. Maybe they call it a gift so the receiver will not get a hint that there is malware inside.

Quote from: Ultegra134
> A few years ago I was infected with a fake Google Chrome extension. I'm yet to understand how I got infected in the first place, and I was probably one of the first victims, because I couldn't find any background information until many months later. My computer had residue from the virus until last year, when I changed my hard drive.

Sorry to hear that, I will assume that you have formatted it completely so that the residue of the malware or virus is no longer in your system. And as I have said before, not to rub it in, but sometimes we really need to experience being a victim so that the next time we will know what to do.

tabas
February 03, 2024, 10:12:12 AM
 #17

I would never trust that type of file extension. But sadly, despite many being aware of this simple reminder about not downloading files that are uncommon and unknown, we are not their target, and there's always the newbie out there who's not aware of this type of malware that targets USBs and downloads.

Quote from: Jating
> As I mentioned, it was like a sort of gift; there are enterprise people who received a box with this USB stick, and so they thought that it was safe, as hackers are really good at hiding their intentions. Maybe they call it a gift so the receiver will not get a hint that there is malware inside.

They're going too far with this type of spread. While many are starting to be aware of them and avoid downloading unnecessary files, they're trying to do this trick, making them look like they're Santa sending gifts.

Ultegra134
February 03, 2024, 11:30:41 AM
 #18

Quote from: Jating
> As I mentioned, it was like a sort of gift; there are enterprise people who received a box with this USB stick, and so they thought that it was safe, as hackers are really good at hiding their intentions. Maybe they call it a gift so the receiver will not get a hint that there is malware inside.

Oh right, I didn't notice it a few replies before mine. It makes sense; that's why you should avoid installing any unknown USB device. I'd never install something that came out of an unknown box. However, wouldn't it be possible for such a virus to be downloaded through a torrent and infiltrate any USB devices that may be installed on your computer? I believe that the possibilities are endless when it comes to hacking.

Quote from: Jating
> Sorry to hear that, I will assume that you have formatted it completely so that the residue of the malware or virus is no longer in your system. And as I have said before, not to rub it in, but sometimes we really need to experience being a victim so that the next time we will know what to do.

To be honest, I never fully formatted my computer. The malware's residue was eventually caught by Malwarebytes; it was completely undetected when I was first infected. I found it myself on Chrome's extension page. That, along with some manual cleaning, completely removed any leftover files; at least I'm hoping so. I've now installed a second SSD hard drive and run a fresh copy of Windows there. My wallet was isolated on the previous drive.

And yes, it's true. We always believe that it'll never occur to us, but then it suddenly does. I've no idea how it got installed in the first place, but I've got to admit that I wasn't always the most careful user; it wasn't really wise to download torrents while having a Bitcoin wallet installed at the same time.
