How Infostealer Malware Led to the ByBit Hack: A Deep Dive into Cyber Threats


In recent news, the exchange ByBit was hacked, and North Koreans made off with over $1.4 billion in assets. This isn’t the first time North Koreans have targeted crypto assets; they’ve phished wealthy asset holders, SIM-swapped crypto whales, and even used their North Korean IT farms to gain insider access to positions at crypto companies. However, data found in infostealer logs shows that ByBit was already at risk before the hack.

Infostealer infections are by far the easiest method for someone to gain insider access. They steal credentials and session keys from employees’ devices using malware. Using these credentials, attackers can directly access internal dashboards, admin accounts, etc., while bypassing 2FA by hijacking authenticated sessions. We’ve included a censored screenshot of ByBit’s employee exposure to infostealer infections. This could have been how ByBit was initially hacked and how the hackers gained access to replace the legitimate smart contract with a malicious one.

We found at least one high-level employee had their credentials leaked for internal systems sometime before 11/30/2024, and we are continuing to research this specific infostealer infection.

Practice-Verified Commands and Codes:

1. Detecting Infostealer Infections on Linux:

sudo clamscan -r --bell -i /home

This command scans the home directory for malware, including infostealers, using ClamAV.

2. Monitoring Network Traffic for Suspicious Activity:

sudo tcpdump -i eth0 -w capture.pcap

Captures network traffic on the `eth0` interface for later analysis.

3. Checking for Open Ports and Services:

sudo nmap -sV -O 192.168.1.1

Scans a specific IP for open ports and running services, which could indicate a compromised system.

4. Analyzing Logs for Unauthorized Access:

sudo grep "Failed password" /var/log/auth.log

Searches for failed login attempts, which could indicate brute-force attacks.

5. Removing Malicious Files:

sudo find / -name "*.exe" -exec rm -f {} \;

Finds and removes `.exe` files, which are often associated with Windows-based infostealers. Note that this deletes every `.exe` on the entire filesystem and destroys evidence you may need for forensics; run it with `-print` instead of `-exec rm -f {} \;` first to review what would be removed.

6. Securing SSH Access:

sudo nano /etc/ssh/sshd_config

Edit the SSH configuration to disable root login (`PermitRootLogin no`) and use key-based authentication instead of passwords (`PasswordAuthentication no`), then reload the SSH service so the change takes effect.

7. Checking for Suspicious Cron Jobs:

crontab -l

Lists the current user’s cron jobs so you can check for any unauthorized or suspicious tasks.

8. Using YARA Rules to Detect Malware:

yara -r rules.yar /path/to/scan

Scans files using YARA rules to detect known malware signatures.

What Undercode Say:

The ByBit hack underscores the critical importance of securing internal systems against infostealer malware. Infostealers are a potent tool in the hands of cybercriminals, allowing them to bypass even the most robust security measures like 2FA. Organizations must adopt a multi-layered security approach, including regular malware scans, network monitoring, and employee education on phishing and social engineering attacks.

Linux commands like `clamscan`, `tcpdump`, and `nmap` are essential tools for detecting and mitigating such threats. Regularly analyzing logs for unauthorized access attempts and securing SSH access can significantly reduce the risk of a breach. Additionally, using YARA rules to detect malware signatures can help identify and remove infostealers before they cause significant damage.

In conclusion, the ByBit hack is a stark reminder of the evolving nature of cyber threats. Organizations must remain vigilant, continuously update their security protocols, and invest in advanced monitoring tools to protect their assets and customer data. The integration of AI and machine learning in cybersecurity could further enhance threat detection and response capabilities, making it harder for attackers to succeed.
