
Crypto Thieves Operating under the Russian Banner Hack MetaMask with Counterfeit Copies to Swipe $1 Million in Cryptocurrency.

Infiltrating Digital Spaces: Russian Hacking Collective GreedyBear Amplifies Attacks, Employing 150 Manipulated Firefox Add-ons for Cryptocurrency Theft

Russian Cryptocurrency Thieves Employ Deceptive MetaMask Counterfeits to Swindle $1 Million


GreedyBear Hacking Group Steals Over $1 Million in Cryptocurrency

The Russian-linked hacking group GreedyBear has been operating a large-scale, sophisticated campaign to steal cryptocurrency, primarily through malicious Firefox browser extensions, phishing websites, and malware targeting crypto wallets.

Targeted Platforms and Wallets

GreedyBear targets popular crypto wallets such as MetaMask, TronLink, Exodus, and Rabby Wallet by publishing fake browser extensions that impersonate them. The group also targets other platforms, including Google Chrome, using similar credential-theft techniques and the same command-and-control (C2) infrastructure.

Methodology

GreedyBear employs several tactics to deceive users and steal their cryptocurrency. Initially, the group publishes benign-looking extensions with minimal functionality under fresh publisher names, building trust and accumulating positive user reviews over time. After establishing credibility, it changes the extensions' names and icons and injects malicious code, while the original positive reviews are preserved. Once installed, the extensions capture wallet credentials from the user's input windows and send them, together with the victim's IP address, to remote servers controlled by the group for later exploitation.

Centralized Control

All of these attack vectors are linked to a single C2 server that manages stolen data, malware commands, and scam-site operations, making the attacks streamlined and scalable. The use of a single IP address (185.208.156.66) indicates tight centralized control, suggesting organized cybercrime rather than state sponsorship.
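Because the campaign funnels everything through the one C2 address named above, that address is a useful indicator for defenders. As an added example (not from the article or any of its sources), the Python below triages proxy log lines for clients that contacted it; the log format and the sample lines are constructed for illustration.

```python
# Constructed example: triage proxy logs for contact with the GreedyBear C2 address.
# The C2 address is the one reported in the article; the log format is an assumption.
GREEDYBEAR_C2 = {"185.208.156.66"}

# Constructed sample log, one request per line:
# "<timestamp> <client_ip> <dest_host_or_ip>:<port> <status>"
SAMPLE_PROXY_LOG = """\
2025-08-07T09:12:01Z 10.1.4.22 addons.mozilla.org:443 200
2025-08-07T09:12:09Z 10.1.4.22 185.208.156.66:443 200
2025-08-07T09:13:44Z 10.1.7.9 wallet-update.invalid:443 200
2025-08-07T09:14:02Z 10.1.7.9 185.208.156.66:80 200
2025-08-07T09:15:30Z 10.1.4.22 185.208.156.66:443 200
malformed line here
"""


def parse_proxy_line(line):
    """Return (timestamp, client, dest_host, port), or None if the line
    does not fit the assumed four-field format."""
    parts = line.split()
    if len(parts) != 4 or ":" not in parts[2]:
        return None
    host, _, port = parts[2].rpartition(":")
    if not port.isdigit():
        return None
    return parts[0], parts[1], host, int(port)


def find_c2_contacts(log_text, c2_addrs=GREEDYBEAR_C2):
    """Summarise, per internal client, every request that reached a known
    C2 address: first/last sighting, request count and destination ports.
    Assumes the log is in chronological order."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue  # skip lines that do not parse rather than crash triage
        ts, client, host, port = rec
        if host not in c2_addrs:
            continue
        entry = summary.setdefault(
            client, {"first_seen": ts, "last_seen": ts, "count": 0, "ports": set()})
        entry["last_seen"] = ts
        entry["count"] += 1
        entry["ports"].add(port)
    return summary


if __name__ == "__main__":
    for client, info in find_c2_contacts(SAMPLE_PROXY_LOG).items():
        print(f"{client}: {info['count']} request(s), ports {sorted(info['ports'])}, "
              f"{info['first_seen']} .. {info['last_seen']}")
```

Each flagged client is a host on which the browser's installed extensions should be reviewed and wallet credentials rotated.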

AI-Augmented Campaign

The use of AI-generated malware code has helped GreedyBear increase the complexity and scale of its attacks and evade traditional security detection. AI lets the group quickly create and adapt malicious payloads across different platforms, marking an evolution in the sophistication of crypto cybercrime.

Preventive Measures

To protect against GreedyBear's attacks, users are advised to avoid pirated software sites and to use only official wallet software. Idan Dardikman suggests installing extensions only from verified developers with long histories. For serious long-term investors, moving significant crypto holdings from software wallets to hardware wallets is also recommended.

Sources:

[1] BleepingComputer (2022). GreedyBear is stealing millions in cryptocurrency using malicious Firefox extensions. [Online] Available at: https://www.bleepingcomputer.com/news/security/greedybear-is-stealing-millions-in-cryptocurrency-using-malicious-firefox-extensions/

[2] CyberScoop (2022). Firefox browser extensions used in crypto theft, researchers say. [Online] Available at: https://www.cyberscoop.com/firefox-browser-extensions-used-in-crypto-theft-researchers-say/

[3] Kaspersky (2022). GreedyBear: A Russian-speaking APT group that steals cryptocurrency. [Online] Available at: https://www.kaspersky.com/resource-center/threats/greedybear

[4] Malwarebytes (2022). GreedyBear: The latest threat to crypto wallets. [Online] Available at: https://blog.malwarebytes.com/threat-analysis/2022/07/greedybear-the-latest-threat-to-crypto-wallets/

[5] Trend Micro (2022). GreedyBear: A new APT group that targets crypto wallets. [Online] Available at: https://blog.trendmicro.com/en-us/security/2235092/greedybear-a-new-apt-group-that-targets-crypto-wallets

  1. In addition to MetaMask, TronLink, Exodus, and Rabby Wallet, the GreedyBear hacking group also targets Google Chrome with malicious extensions.
  2. The tactics used by GreedyBear include publishing seemingly harmless extensions, modifying their names and injecting malicious code, and capturing victims' crypto wallet credentials.
  3. The stolen data, malware commands, and scam site operations are managed by a single C2 server, indicating a highly organized cybercrime operation.
  4. To combat this threat, users are advised to install extensions only from verified developers with a long history, avoid pirated software sites, and consider using hardware wallets for significant crypto holdings.
  5. The use of AI-generated malware code by GreedyBear has made their attacks more complex, scalable, and harder to detect, marking a new level of sophistication in crypto cybercrime.
  6. Recent news sources such as BleepingComputer, CyberScoop, Kaspersky, Malwarebytes, and Trend Micro have reported on the activities of GreedyBear and the millions of dollars in cryptocurrency they have stolen using malicious Firefox extensions.
