IARD Solutions

How to use our Solidity Analyzer plugin on Buildbear?

Unveiling Lazarus’ Sophisticated Cryptocurrency Theft Scheme
blog 29/10/2024

A month ago, we wrote a blog post about a new and growing scam targeting blockchain developers. We gave clues as to how to spot this scam, but we didn’t know exactly what it was doing or who it was coming from. After receiving this scam on an almost daily basis, we investigated a little further and discovered a few things. In particular, the scam was orchestrated by the alleged North Korean group Lazarus. We now know how this group goes about infecting developers:

Initial Contact: An Offer Too Good to Be True

It all begins with a message on LinkedIn or on a freelance platform (UpWork, Malt, etc.). A recruiter claiming to represent a blockchain company contacts you with a tempting offer. The promised salary is well above the market average, and the project sounds exciting. After a few exchanges, the recruiter asks for your opinion on his project, sharing the GitHub, GitLab or Bitbucket repository with you.

(Figure: Message sent on UpWork by a malicious actor)

They can use false names, but also usurp real identities and companies. Sometimes they even buy domain names similar to those of existing companies to impersonate them.

An infected Node.js application

The trap is here: you may be asked for your opinion on a current project, or for a technical interview on Google Meet. What’s the point? To get you to download and compile infected Node.js code. At first glance, nothing seems out of the ordinary: the repo is on GitHub (or equivalent), on an account that may have more than 10 years’ activity on real projects.

(Figure: Hacked GitHub profile used to host infected repositories)

But on closer inspection, there are fake npm packages or obfuscated code that will take information from browser caches and crypto wallet extensions.

(Figure: Obfuscated code found in a GitHub repo)

We deobfuscated and analyzed the code. It corresponds to the BeaverTail malware. This code first harvests information from browser caches, crypto wallet extensions and some desktop wallets directly, such as Exodus. It then sends this information to a server and downloads the InvisibleFerret malware, a well-known trojan that enables attackers to retrieve banking information and private keys from crypto wallets. Here is the list of crypto wallet extensions spied on by BeaverTail that we have identified:

- Metamask
- BNB Chain Wallet
- TronLink
- Phantom
- Coin98 Wallet
- Crypto.com Wallet
- Kaia Wallet
- Rabby Wallet
- Argent X
- OKX Wallet
- Core
- Tonkeeper
- Exodus Web3 Wallet
- Ton Wallet
- OpenMask
- SafePal
- MyTonWallet
- Solflare Wallet
- Atomic Wallet
- Math Wallet

It should also be noted that the code is compatible with Windows, macOS and some Linux distributions. BeaverTail and InvisibleFerret are still actively under development and their code is evolving month by month.

North Korea behind this scam?

BeaverTail and InvisibleFerret are sophisticated malware developed by the Lazarus Group, the alleged North Korean hacking collective known for their advanced cybercrime operations. This malware is part of a larger campaign targeting blockchain developers and freelancers, aiming to steal sensitive information and cryptocurrency. The Lazarus Group’s tactics involve social engineering and phishing to lure unsuspecting victims into downloading and executing malicious code, highlighting the need for vigilance and robust cybersecurity measures.

(Figure: SecAI analysis of a C2 IP found in obfuscated code)

These scam campaigns have been documented since last year by Unit 42.

Servers that don’t shut down

We have analyzed dozens of Command and Control (C2) servers used by the hackers to deliver malware and receive stolen information. These servers are hosted at various companies around the world. One of these companies is Stark Industries Solutions, which Brian Krebs describes as “the epicenter of massive distributed denial-of-service (DDoS) attacks on government and commercial targets in Ukraine and Europe” in his investigation dedicated to this company. He explains that the group NoName057(16) hosts some of these campaigns on Stark Industries. NoName057(16) is a group of hacktivists known for the DDoSia Project, a botnet that pays individuals to participate in DDoS attacks on Western government agencies.

We contacted Stark Industries, providing them with the evidence they needed to shut down the malicious servers hosted on their premises. To date, we have had no response from them, and the servers have been active for over a month.

Conclusion

(Figure: Lazarus Theft Scheme)

Hackers are using increasingly sophisticated techniques to deceive their victims. Here are a few recommendations to protect yourself:

- Be Vigilant: Be cautious when recruiters ask you to perform tasks or download applications, especially if these involve executable files.
- Check Companies: Always check that companies and recruiters offering job interviews are genuine and well-established.
- Be Careful with Links: Be careful with links and attachments in unsolicited emails or messages claiming to be from recruiters or companies.
- Use Security Tools: Use up-to-date anti-virus and anti-malware software to scan all files or applications before opening them.
- Always use VMs when running someone else’s code!

By following these recommendations, you can protect yourself against these sophisticated attacks and stay safe in the digital world.

Many thanks to David Barbier and Corentin Giaufer Saubert who helped us gather the information for this article!

Unveiling Lazarus’ Sophisticated Cryptocurrency Theft Scheme


The most common scam aimed at Web3 builders

Github repo scam, how to spot it

The most common scam aimed at Web3 builders
blog 24/09/2024

If you’re a cryptocurrency developer, you’ve probably already seen the warning signs of this scam: sketchy LinkedIn messages and “too good to be true” freelance offers. Lately, scammers have been upping their game by using legitimate-looking tools to trick developers into installing malware through private GitHub repositories or npm packages. The latest threat? Forked and/or malicious packages, specifically targeting common Node.js modules like child_process, allowing scammers to perform various attacks on your computer. Let’s break down how these scams work and, more importantly, how you can protect yourself.

1. How to recognize this scam?

This scam, although not specific to the Web3 space, has seen a surge in popularity in the last few months according to our own experience. We went from receiving one or two of them per month to over 10 per week recently. Although it is annoying to have to filter through this mass of malicious offers, it allowed us to gather a lot of data about the process these scammers use.

The beginning is always the same. Someone will contact you, presenting himself as the founder of a project or one of its key members, and tell you that he is looking for “experienced web and blockchain developers who not only possess the technical prowess to bring our vision to life but also embody qualities of integrity and trustworthiness”, or something similar that ChatGPT gave him. In general, it will be a very broad message, sometimes not even mentioning Web3. Most of the time, you can recognize that it’s a scam right from this first, lengthy and verbose, message. The point of contact can be any platform you are on, be it LinkedIn or freelancing platforms like Upwork. You will often see that their profiles on these platforms are new ones, especially on freelancing platforms, as they do not intend on actually paying anyone. If you are using such platforms, we can only recommend checking the profile and never straying outside the platform with unknown clients.

If you respond to their message, they will be really enthusiastic to work with you, often proposing a generous payment because they just have so much money and don’t know what to do with it. However, before they hire you, they want to check if you are actually good at your job, whatever it may be. To do so, they will tell you to install their project, in general a generic React website, from GitHub and then send them a screenshot of the project running on your computer. Not a weird request at all. Some are more subtle about it, and will just ask you to add some simple feature to it, like adding a Web3 wallet connection, to make it look less suspicious. That’s the common point of all these scams: making you run their “project” on your computer, allowing them to run their well-hidden malicious code. To what purpose? Only they know, as we have not yet tried to install their malware for further investigation. Our best guesses are trying to steal your cryptocurrencies if you ever log in to your wallet on a compromised computer, or even your bank account like regular old scammers, through a keylogger or other standard means of attack. Or simply steal any private key it finds in any .env file currently present on your computer. Fresh reminder to use separate wallets for testing and for securing your funds, by the way.

To summarize how to recognize this type of scam:

- Be really suspicious of any random unprompted messages from “clients”, especially those speaking like ChatGPT, of course.
- Check the profile, if you are contacted on a platform, and see if it seems like a legit account.
- Most of all, if they ask you in any way or form to install their “project” for any reason, you can block them instantly.

2. How is the scam implemented

Let’s take one of these scam projects as an example. You can check the project below, but do not install it in any way unless you really know how to protect your computer and know what you are doing. Here is today’s example: haroldcristopher/MetaTradingPlatform (github.com)

At first glance, it looks like a standard Next.js project. You can even check the files, and everything will seem pretty normal, just a regular project, nothing to see here mister officer. Nearly every time, it will be a project in its “beta phase”, waiting for you to install it and make it production ready. Pushed in a single commit, with a single member in the repo, apart maybe from you or other potential victims of this scam. Again, please do not install this project or any similarly suspicious code.

After failing to find any malicious code in all these files, we finally decided to check what was not yet on the project: the dependencies. In each and every one of these projects, you will be able to find at least one extremely suspicious package in the context of a React/Next app, often related to the control of child processes. In our current case, you will see that it imports the “command” package in the package.json file, which according to its npm description is “A Node.js chainable, promise-based utility for running commands with child_process.spawn”. In many other projects, similar packages will be imported for no good reason. Each time, it will either be legit packages used in malicious ways or straight up malicious packages mimicking legit ones.

As an additional example, you can find here on reddit several testimonies of devs falling for this scam: I fell victim to my first-ever wallet drain scam as a dev (malware) : r/ethdev (reddit.com)

3. Conclusion

In conclusion, the rise of sophisticated scams targeting cryptocurrency developers is a reminder of the always evolving landscape of cyber threats. These scams, often disguised as legitimate opportunities, exploit the trust and curiosity of developers, potentially leading to severe consequences such as

An In-Depth Explanation of the ERC-20 Standard

An In-Depth Explanation of the ERC-20 Standard
blog 20/06/2024

In the rapidly evolving world of blockchain technology and cryptocurrencies, understanding the underlying standards and protocols is crucial. The most famous one, which anyone who has interacted with the blockchain ecosystem has probably come across, is the ERC-20 standard. This article aims to provide an in-depth explanation of the ERC-20 standard, its functionality, and its importance in the Ethereum network, other EVM blockchains and beyond.

1. What is ERC-20

ERC-20 is a technical standard interface used by smart contracts on the Ethereum blockchain for implementing tokens, which is what most of the cryptocurrencies you know are. It was proposed in November 2015 by Ethereum developers and founding members Fabian Vogelsteller and Vitalik Buterin. ERC stands for Ethereum Request for Comment, and 20 is the unique proposal ID number. You can find the original proposal here: “ERC-20: Token Standard“

Since its launch, ERC-20 has been the principal way to create and use fungible tokens. Others have imagined different standards since then, such as ERC-721, which is what’s called NFTs, or the more recent “ERC-404”, which is a mix of ERC-20 and ERC-721, to put it in a nutshell. On that note, we did an interview of the developer at the origin of this idea, Serec Thunderson, in another article.

2. Understanding the ERC-20 functions

The first thing to understand, and it’s valid for any ERC, is that it only describes what the implementation should at least possess. It mainly describes a list of functions and events, their inputs and outputs, but it is up to each project to implement it as they see fit. That’s why you should always either read the code yourself or check that it has been audited by competent people before using any ERC-20 or any other contract.

Back to the main subject: the ERC-20 standard outlines six mandatory functions and three optional ones that every ERC-20 token should implement.

The mandatory functions are:

- totalSupply(): returns the total supply of tokens available in circulation.
- balanceOf(address _owner): returns the account balance of the address _owner.
- transfer(address _to, uint256 _value): sends _value tokens to the address _to and must fire the Transfer event. The function should throw if the message caller’s account balance does not have enough tokens to spend.
- transferFrom(address _from, address _to, uint256 _value): transfers _value tokens from address _from to address _to and must fire the Transfer event. The function should throw unless the _from account has deliberately authorized the sender of the message via some mechanism.
- approve(address _spender, uint256 _value): allows _spender to withdraw from your account multiple times, up to the _value amount. If this function is called again, it overwrites the current allowance with _value.
- allowance(address _owner, address _spender): returns the amount which _spender is still allowed to withdraw from _owner.

The optional functions include:

- name(): returns the name of the token.
- symbol(): returns the symbol of the token.
- decimals(): returns the number of decimals the token uses.

These three improve usability, but interfaces and other contracts must not expect these values to be present.

ERC-20 tokens should also implement two events:

- Transfer: must trigger when tokens are transferred, including zero-value transfers.
- Approval: must trigger on any successful call to approve(address _spender, uint256 _value).

In most implementations, the balance of every user is stored in a private variable, meaning its values can only be edited by the functions of this same contract. This variable maps every Ethereum address to an integer representing the amount of tokens owned by that particular address, and it is updated or read by the functions presented above. And that’s it. The core of most ERC-20 tokens is just a simple data store, which is really different from the native tokens of most if not all blockchains, such as Ethereum itself. You can find different popular implementations of the ERC-20 standard on the web, such as OpenZeppelin’s implementation, if you want to take a look at actual code. You can also check out our blog post on beginner resources to learn Solidity.

3. Conclusion

The ERC-20 standard plays a pivotal role in the widespread adoption and use of tokens within the Ethereum network. By providing a standard, developers can accurately predict how new tokens will function within the larger Ethereum system. This allows for greater interoperability between tokens and ensures a uniform user experience when interacting with different DApps. Moreover, the ERC-20 standard has facilitated the creation of a thriving token economy, enabling projects to raise funds through Initial Coin Offerings (ICOs) and Token Generation Events (TGEs).

The ERC-20 standard has become an integral part of the Ethereum network, providing a standardized approach to creating and implementing tokens. By understanding the functions and importance of the ERC-20 standard, one can better navigate the complex world of blockchain technology and cryptocurrencies. As the blockchain ecosystem continues to evolve, standards like ERC-20 will likely continue to play a crucial role in shaping its future, and being able to understand them will allow you to make the most of it and avoid pitfalls.
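To make the "simple data store" concrete, here is a minimal ERC-20 contract written for this article as an added example (it is not the post's own code nor OpenZeppelin's). It implements the six mandatory functions, the two events and the three optional getters described above; the token name, symbol and initial supply are invented values, and the balance and allowance checks show where the "should throw" requirements of transfer and transferFrom are enforced.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal ERC-20 token: the six mandatory functions, two events and the
/// three optional getters. Added illustration only; name/symbol are invented.
contract MinimalERC20 {
    string public name = "Example Token"; // optional getter (constructed value)
    string public symbol = "EXT";         // optional getter (constructed value)
    uint8 public decimals = 18;           // optional getter

    uint256 private _totalSupply;
    // The whole "data store": address => balance. Private, so only this
    // contract's own functions can change it.
    mapping(address => uint256) private _balances;
    // owner => spender => amount the spender may still withdraw
    mapping(address => mapping(address => uint256)) private _allowances;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 initialSupply) {
        _totalSupply = initialSupply;
        _balances[msg.sender] = initialSupply;
        // Minting is conventionally logged as a transfer from the zero address.
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    function totalSupply() external view returns (uint256) {
        return _totalSupply;
    }

    function balanceOf(address owner) external view returns (uint256) {
        return _balances[owner];
    }

    function allowance(address owner, address spender) external view returns (uint256) {
        return _allowances[owner][spender];
    }

    function transfer(address to, uint256 value) external returns (bool) {
        _transfer(msg.sender, to, value);
        return true;
    }

    function approve(address spender, uint256 value) external returns (bool) {
        // A repeated call overwrites the previous allowance; Approval must fire.
        _allowances[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        // Throw unless `from` previously authorized the caller via approve().
        uint256 allowed = _allowances[from][msg.sender];
        require(allowed >= value, "ERC20: insufficient allowance");
        _allowances[from][msg.sender] = allowed - value;
        _transfer(from, to, value);
        return true;
    }

    function _transfer(address from, address to, uint256 value) internal {
        require(to != address(0), "ERC20: transfer to the zero address");
        uint256 bal = _balances[from];
        // Throw if the sender does not hold enough tokens.
        require(bal >= value, "ERC20: insufficient balance");
        _balances[from] = bal - value;
        _balances[to] += value;
        // Fired even for zero-value transfers, as the standard requires.
        emit Transfer(from, to, value);
    }
}
```

Note that the optional getters are public state variables here; a contract interacting with an arbitrary token must still not assume name(), symbol() or decimals() exist.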

Ethereum Development 101: Where to Learn Solidity Basics

Welcome to Ethereum Development 101, your comprehensive introduction to the exciting world of decentralized applications (dApps) and smart contract development on the Ethereum blockchain. In this beginner-friendly guide, we’ll explore the tools and resources you need to kickstart your journey as an Ethereum developer.

Choosing the Right EVM-Compatible Blockchain for Your Project

When choosing an EVM-compatible blockchain for your project, it’s essential to balance several key factors: transaction fees, transaction speed, the number of active users, the number of deployed projects, and the level of decentralization. Each of these elements plays a critical role in ensuring that your application is accessible, secure, and poised for success in a competitive and complex ecosystem. By carefully assessing these considerations, you can select a blockchain that not only meets your technical requirements but also supports your project’s growth and alignment with broader community and security standards.