7 August 2024 Incident: Understanding the Malware Used

Nexera
6 min read · Aug 9, 2024


As part of our remediation work from the recent security incident, we wanted to share some details of the malware used and our findings from analyzing it.

This is a companion article to the post-mortem report published regarding the 7 August 2024 security incident.

Understanding what malware or attack techniques were used is critical in understanding the broader threat to the business and our information. It forms a key part of any incident response plan.

We have already published a post-mortem report regarding the 7 August 2024 incident, which can be read here.

In this write-up, we’ll share some context on the attack, details of the actual malware used, information on how it operates, and details on how to protect against these attacks.

So, let’s dive in.

The Attack Vector

The attackers approached a staff member via LinkedIn and offered part-time consulting work to review some smart contract code.

This isn’t a one-off — many members of our team and the wider Web3 industry see these approaches regularly. They are successful because they are well-written and convincing and because being approached for work via LinkedIn is a normal part of everyone’s working life.

The attackers use either a compromised LinkedIn account or a fake one with content scraped from valid accounts. Many of you will have noticed the new “LinkedIn Verified” badges appearing next to people’s names on LinkedIn. This is a response by LinkedIn to this growth in fake accounts: users can verify their identity with government-issued IDs.

This could be better. An account can be verified, but it could still be compromised or stolen later. However, LinkedIn’s initial response to the issue is good.

Typically, attackers message their intended victim with an offer of work — a small consultancy to review some code (e.g., a smart contract, a wallet) or strategy or project documentation. They’ll offer a tempting hourly rate, usually $100 to $150.

Initially, the attacker will push for an online meeting, and the request will come with some time pressure. For example, the CTO only has a slot to speak now, or their engineering team can only meet today. They will share a link to an online meeting, which is usually either a phishing URL or a page that also delivers malware.

If pushed for more work details or once the “meeting” invite has been clicked on, the attacker will share the link to the real malware. Again, this could be a phishing site or an infected document, but it is often a link to a GitHub repository with some code used in a skills test.

In this case, the victim was directed to a GitHub repository with a sample online game. The hook was that the attackers planned to implement a smart contract backend to the game as part of a monetization process for game assets.

The victim cloned the repository locally, following the code build instructions, and (unwittingly) executed the malware.

The Malware Itself

We identified the malware as BeaverTail, a JavaScript-based malware hidden inside npm (Node Package Manager) packages.

When the victim builds and executes the code, it starts a local web server so the user can interact with the ‘game’. The code binds directly to port 80, so the user has to grant it elevated privileges for it to run properly. Once the local server is running, it communicates with a command and control (C&C) server.

In this instance, the malware connected to an IP that resolved to Colocation America, a company claiming to provide hosting services in Las Vegas. In reality, the IP is part of a block owned by Amaze Internet Services, based in India, which is a frequent host for C&C nodes, droppers, and phishing sites.

Once the malware has verified that it can connect to the C&C server, it fingerprints the browser, looking for specific combinations of browser and wallet extensions and for saved credit card details. It can decrypt stored browser credentials and upload wallet credentials and any credit card data saved in the browser.

BeaverTail will also download and deploy a remote access back door called InvisibleFerret. InvisibleFerret will fingerprint the infected machine and upload the data to the C&C server.

Although not observed in this instance, InvisibleFerret can start a system-wide keylogger that captures keyboard, mouse, and clipboard data and uploads it on request from the C&C server. It can also download remote control software (AnyDesk) and collect and upload data from the victim’s machine.

In our instance, BeaverTail deployed and stole the wallet credentials, which the attackers then leveraged to take control of the smart contract. Multi-factor authentication (MFA) was implemented on the victim’s accounts so they could not be compromised with the stolen credentials. As a further precaution, their password was changed, and all sessions were terminated, requiring them to re-authenticate from a secure machine.

How to Protect Yourself

We’ll tackle some mitigations you can use for protection at each attack stage.

  • LinkedIn: Review the full profile of the user messaging you. Does their employment timeline make sense? What is their career progression? Is their role related to Web3/crypto?
  • Phishing and malicious websites: Install and use up-to-date anti-malware and browser plugins. Enable the capability to monitor and alert on web traffic. Ensure that automatic updates for the anti-malware and your OS are turned on and that they have been recently updated.
  • GitHub: Check the user’s account. Does the company or user data match the initial LinkedIn contact? How long has it existed? How many repositories do they have? Check the issues page — often, there will be complaints from people who cannot contact the repo owner.
  • Skills tests: Isolate any downloaded code using virtual machines (VMs). This limits malware’s ability to spread on your machine and keeps your credentials away from the VM instance.
  • Account protection: Use a password manager and MFA on all accounts. Don’t rely on SMS or email MFA — these are easy to spoof. Use a dedicated authenticator app (such as Google Authenticator or Aegis), and ideally, use a hardware token like a YubiKey. Ensure account recovery phrases are stored securely on a USB memory stick, not your PC.
  • Protect your wallet: Use a hardware wallet to ensure your seed phrase never interacts with potentially compromised computers, and use a strong passphrase to secure access. Use MultiSig or MPC wallets to enforce MFA before signing transactions, with separate hot, cold, and burner wallets whenever possible.
  • Simulate wallet transactions: Simulate transactions before signing them, and always double-check that the transaction interacts with the contracts you expect. Double-check all the digits of the addresses involved in transactions. Monitor your wallet’s activity and regularly double-check transaction history.
  • Review token approvals and allowances: Finally, periodically review and revoke unneeded or expired approvals/allowances. We have published a companion article on how to revoke token approvals, which you can read here.

Further Reading

The groups behind this attack use the same malware and techniques elsewhere, so there has been more detailed research into the malware and specific indicators of compromise (IoC).

Unit42 has a detailed writeup with IoCs that can be implemented in web filtering tools to block communications.

About Nexera

Nexera is empowering the future of finance with cutting-edge open-source innovation. Nexera infrastructure seamlessly incorporates blockchain technology, facilitating on-chain and off-chain operations for simplified digital, financial, and real-world asset management.

Nexera is focused on nurturing the broader ecosystem and DAO and enhancing the utility of the $NXRA token. It is committed to promoting community growth and driving innovation in the digital asset space, including the growth and development of current and future key ecosystem partners.

Learn more about Nexera by following them on X, joining the Telegram Community, or visiting their website.
