π¨ Dangerous New Crypto-Stealing Bot Alert! Kaspersky Uncovers Major Threat
Kaspersky experts warn of the active OkoBot malware framework, targeting cryptocurrency owners and IT specialists across 25 countries. This sophisticated threat intercepts official wallet applications, displays fake verification windows to steal assets, and is distributed via disguised work tools and social engineering. Users are advised to follow strict security protocols to prevent compromise.
Experts from Kaspersky's Global Research and Analysis Team (GReAT) have issued a critical warning regarding the OkoBot malware framework, which has entered an active phase, endangering hundreds of cryptocurrency owners across 25 countries. Analysts highlight a significant revision in hacker tactics, now specifically targeting individuals who previously believed themselves to be fully protected. The primary objective of this dangerous malware is to steal assets by intercepting the functionalities of official cryptocurrency applications such as Ledger Live, Ledger Wallet, and Trezor Suite, subsequently displaying deceptive, fake verification windows to trick users into revealing sensitive information.
The initial compromise in this campaign frequently occurs when attackers disguise the malware as popular work tools and distribute the infected software through platforms like GitHub. Researchers have already detected the malware embedded within a fake Microsoft SQL Server Management Studio (SSMS) installer. In addition to these methods, attackers are employing sophisticated social engineering techniques, including 'ClickFix attacks,' where users are persuaded to copy and execute malicious code in a terminal under the guise of fixing an unexpected browser error, further expanding their attack surface.
OkoBot's sophisticated modular structure, comprising over 20 components, includes known threats like the Rilide infostealer and the OkoSpyware surveillance module. This modularity not only enhances its capabilities but also contributes to its expected geographical expansion beyond the currently affected countries, which are predominantly led by Brazil, Vietnam, Canada, Mexico, and Turkey. The malware specifically targets IT specialists and software developers, leveraging their professional environment for initial infection.
Kaspersky GReAT forecasts further developments, including the emergence of new, hidden extensions designed for Chromium-based browsers such as Chrome and Edge. These extensions are particularly insidious as the malware possesses the capability to completely remove them from the visible list of installed add-ons, rendering users unaware of their presence. The final stage of the attack often involves the large-scale sale of access to victims' compromised computers, as OkoBot secretly establishes persistence by creating a new administrator account and opening a permanent SSH tunnel for remote control via RDP.
To mitigate the risk of falling victim to OkoBot, users are strongly advised to adhere to three crucial security rules: first, never enter a seed phrase using a PC keyboard, especially when prompted by an unexpected window; second, avoid executing third-party scripts obtained from the internet unless their authenticity and safety are absolutely verified; and third, regularly check their system for any signs of hidden RDP (Remote Desktop Protocol) access, which could indicate unauthorized control.