Zloupotrebljen identitet lokalne firme radi širenja malwarea na githubu

Zloupotrebljen identitet lokalne firme radi širenja malwarea na githubu - Printable Version

+- Bezbedan Balkan (https://bezbedanbalkan.net)
+-- Forum: Bezbednost privatnih resursa (https://bezbedanbalkan.net/forum-12.html)
+--- Forum: Phishing / Scam / Spam kampanje (https://bezbedanbalkan.net/forum-16.html)
+--- Thread: Zloupotrebljen identitet lokalne firme radi širenja malwarea na githubu (/thread-1596.html)

Zloupotrebljen identitet lokalne firme radi širenja malwarea na githubu - milos_rs - 08-06-2024

Naleteo sam na reddit temu Lazna(?) firma iz BG-a koja pravi malware?

koja linkuje video This virus works on ALL Platforms - In this video I investigate & reverse engineer an infostealer + clipper that works on Windows, Linux & macOS.

Video je tehničke prirode i vredi pogledati ako vas zanima kako tačno funkcioniše ovaj infostealer malware.

Radi se o infostealer-u koji je hostovan između ostalog i na navodnom github profilu "firme" Syndott. A u stvarnosti je ukraden identitet za složenu sofisticiranu prevaru malware tipa. Maliciozan repozitorijum je bio aktivan oko 4 meseca.

Firma se oglasila na svom sajtu da su bili hakovani i da im je zloupotrebljen identitet. Skrinšot obaveštenja :

Filename: synd .png Size: 149.86 KB 08-10-2024, 07:22 AM

Prethodno sam bio skeptičan da li imaju ikakve veze sa ovim ili su zloupotrebljeni i ispostavilo se da su zloupotrebljeni...

Da li je firma koja stoji iza github profila lažna i stvorena radi ove prevare ili je firma stvarna i hakovan im je github profil radi prevare ne mogu znati. Moguće je i da je firma stvarna i bavi se legalnim aktivnostima, a neko je iskoristio njihove podatke da otvori github profile. Autor gornjeg snimka misli da se radi o izmišljenim podacima, da firma ne postoji i da je izmišljena radi prevare.

Prevara se svakako sastoji iz toga da dobijete poruku na LinkedInu, Upworku, i drugim sajtovima za poslove, gde vam nude posao i traže vam da testirate neku njihovu "metaverse" ili "NFT" igricu i javite rezultate kao proveru znanja za dobijanje posla. Takođe postavljaju oglase za poslove po internetu tako da može da se desi i da neko kontaktira njih gde takođe nude "posao" nakon što testirate njihovu metaverse "igricu". Ako vas u pregovorima za nekakav online posao zamole da pokrenete projekat sa githuba i pošaljete snimak ekrana kao potvrdu, bežite od toga!

Primer poruke za posao primljene preko UpWork:

Quote:Salomon Software Team is looking for a senior Blockchain developer who will add blockchain features into the current Metaverse project, like you.

1.To-do list

It contains the following modules with WEB3 integration:
- Wallet integration : Wallets like Metamask, Coinbase wallet and wallet connect.
- Swap : Dex aggregator Odos integrated
- Basic Swap : Traditiona swap
- Perpetual trading : Redirected to perpetuals.baseswap.fi
- Standard liquidity : Add/remove liquidity V2
- Concentrated Liquidity : Add/remove liquidity V3
- Standard Farms : V2 farms
- Concentrated Farms : V3 farms
- Earn : Pools
- xBSX : convert bsx to xbsx
- Bridge : Bridge token across chains
- Token LockeHellr
- NFT : NFT marketplace and redirect to different subdomain

2.How it works

The current project was built 6 months ago by a senior WebGL developer. So it will be first step and project analytic step to check current project if there are any bugs and issues.
In this step, we also are going to find new problems that WebGL developer have to update.
After then, we will have a video meeting with CTO. In the meeting, we will hear about your understanding of the project and discuss detail requirements. It only takes a few minutes. We just need to ask you a few questions about your professional experience and availability.

3. Requirements

Fluent in English
Programming experience in any of the following: Solidity, Vyper, LLL, Simplicity, Plutus, Yul or Substrate
Experience using any of the following frameworks: web3.js, Hardhat, Ethers.js, Truffle, Openzeppelin, Brownie, Embark, web3.py
At least 6 months of experience using Blockchain technologies (either professionally or as a hobby)
Experience working fully remotely

4. Benefits

All of our clients are looking for fully remote engineers from all over the world. Depending on what you negotiate with the company which hires you, you can expect to have
- Work Part-Time or Full-Time: Choose to work between 10 and 40 hours
- Flexible working hours: work on your own terms
- 100% Remote: work from wherever suits you.
- Competitive compensation: set your own hourly rates

5. Salary

You set your own hourly rate. Expect to get paid between $20 and $200 per hour, depending on experience.
Recommend hourly rates:
Junior engineers (<1 year): $20 - 50
Mid level engineers (1–5 years): $50 - 100
Senior engineers (5 years+): $100+

Check this and get back to me soon

drugi primer oglasa koji je javno postavljen online:

Filename: oglas.png Size: 282.58 KB 08-06-2024, 09:19 PM

Link ka malicioznoj "igrici" u ovom slučaju je bio github .com/Syndottcom/3DWorld-tectera-beta koji sada više ne radi

Filename: github1.png Size: 476.21 KB 08-06-2024, 09:21 PM

Filename: github3.png Size: 369.44 KB 08-06-2024, 09:21 PM

Radi se o navodno lažiranom github profilu firme syndott iz Beograda.

Filename: github0.png Size: 512.96 KB 08-06-2024, 09:18 PM

Drugi repozitorijumi sa istim kodom koji takođe više ne funkcionišu:

github .com/AImeta-pro/Metaverse_3D
github .com/newbee0422/MetaWar_ver_4/

Neko je odradio ChatGPT analizu malwarea:

Filename: chatgptanaliza.png Size: 486.43 KB 08-06-2024, 09:35 PM

DNS upit i WHOIS domena:

Code:

syndott.com has address 76.76.21.21

syndott.com mail is handled by 10 aspmx2.googlemail.com.



Domain name: syndott.com

Registry Domain ID: 2833354852_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.namecheap.com

Registrar URL: http://www.namecheap.com

Updated Date: 0001-01-01T00:00:00.00Z

Creation Date: 2023-11-28T11:19:14.00Z

Registrar Registration Expiration Date: 2024-11-28T11:19:14.00Z

Registrar: NAMECHEAP INC

Registrar IANA ID: 1068

Registrar Abuse Contact Email: [email protected]

Registrar Abuse Contact Phone: +1.9854014545

Reseller: NAMECHEAP INC

na facebook stranici facebook .com/ThoughtMediaGroup sam našao nekoga ko se buni da je prevaren :

Filename: fb1.png Size: 148.76 KB 08-06-2024, 09:36 PM

A zašto na toj stranici? Dobio je mejl navodno od njih :

Filename: fbmejl.jpg Size: 76.38 KB 08-06-2024, 09:46 PM

RE: Infostealer malware se širi sa github profila "firme" navodno iz Beograda - milos_rs - 08-07-2024

Danas su svi profili na društvenim mrežama kao i sam sajt ugašeni što jedino mogu da protumačim kao potvrdu da je ovo zaista sve bilo lažno i izmišljeno radi ove sofisticirane malware prevare.

objavili su obaveštenje na sajtu:

Filename: synd .png Size: 149.86 KB 08-10-2024, 07:28 AM

samo kako im je github otvoren tek juče? ne poklapa se sa ovim što pišu o github-u u obaveštejnu

Filename: syndgit.png Size: 197.25 KB 08-10-2024, 07:29 AM

RE: Infostealer malware se širi sa github profila "firme" navodno iz Beograda - milos_rs - 08-10-2024

saopštenje je ažurirano:

Filename: syndotnotif1.png Size: 625.83 KB 08-10-2024, 01:44 PM

RE: Infostealer malware se širi sa github profila "firme" navodno iz Beograda - milos_rs - 08-10-2024

takođe na Youtube snimku ima obaveštenje od kreatora snimka: