Kaspersky reveals 20-unit OkoBot cryptocurrency wallet attack



Kaspersky has uncovered OkoBot, a year-old malware that uses nearly 20 modules to steal cryptocurrency wallet recovery phrases, affecting users in at least five countries.

summary

  • Kaspersky has uncovered an OkoBot that uses nearly 20 modules to steal cryptocurrency wallet credentials.
  • The malware affected users in Brazil, Vietnam, Canada, Mexico, and Turkey.
  • OkoBot uses fake recovery screens, keyloggers, spyware, and ClickFix commands to target victims.

Researchers at Kaspersky discovered that the malware had been active for more than a year, according to A a report Published by Bits.media. Most of the identified victims were located in Brazil, Vietnam, Canada, Mexico and Turkey, while the operators blocked IP addresses from Russia and other CIS countries.

OkoBot is distributed through GitHub repositories, disguised as legitimate software, including Microsoft SQL Server Management Studio. Kaspersky found that attackers rely on the social engineering method ClickFix, which tricks victims into running malicious commands on their own devices.

This technology often presents users with fake error messages, verification steps, or repair instructions. Following these directions leads victims to execute code that installs malware without realizing it is malicious.

OkoBot targets seed phrases and wallet credentials

Among the OkoBot modules, SeedHunter displays a fake recovery interface linked to hardware wallets such as Ledger and Trezor, according to Kaspersky. When users enter their recovery phrases into the fraudulent screen, the module sends the information to the malware operators.

A second module called MC Keylogger logs keyboard input and monitors wallet activity, allowing it to capture passwords, copied wallet addresses, and other credentials. OkoSpyware can track wallet passwords and record videos of open windows, giving attackers another way to monitor activity on the infected device.

Once the recovery phrase is revealed, attackers can use it to take control of the linked wallet and transfer its assets. Kaspersky warned that victims have little chance of recovering stolen cryptocurrencies because blockchain transfers are generally irreversible.

The modular design of malware also allows its operators to collect different types of information from a single infected system. According to the security company’s findings, OkoBot can target both wallet access data and credentials connected to other services used on the device.

ClickFix attacks also targeted cryptocurrency developers

OkoBot is the latest malware campaign found using ClickFix against the cryptocurrency sector. As crypto.news reported in April, North Korea’s state-backed Lazarus Group used the same tactic in a macOS campaign known as “Mach, man“.

Citing research from CertiK, the report found that Lazarus sent fake online meeting invitations to fintech and cryptocurrency executives. Victims were directed to paste supposed repair or verification commands into the macOS Terminal, which installed malware capable of stealing cryptocurrencies and company information.

CertiK also found that the Mach-O Man toolkit deleted itself after it was run, making forensic analysis more difficult. The campaign combined social engineering with terminal-level commands rather than relying solely on malicious file downloads.

Developer tools provided another path into cryptosystems. In May, crypto.news I mentioned The TrapDoor malware was distributed through poisoned software packages targeting developers in the field of cryptocurrencies, decentralized finance, artificial intelligence, and security infrastructure.

According to this report, TrapDoor sought wallet data, API keys, cloud credentials, and SSH access associated with services and ecosystems including Coinbase, Binance, MetaMask, Brave, Solana, Sui, and Aptos. Researchers also found hidden prompts designed to manipulate Cloud and Courseware into performing fake security checks that reveal secrets and send them to attackers.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *