
GitHub phishers use faux OpenClaw tokens to empty crypto wallets

Victims are first lured in through GitHub issues that read, “Appreciate your contributions on GitHub. We analyzed profiles and selected developers to get OpenClaw allocation.” The message is framed as a limited-time token giveaway of $5000 worth of CLAW tokens, directing them to claim the tokens by visiting the malicious website. “We assess that the attackers may be using GitHub’s star feature to identify users who starred OpenClaw-related repositories and target them specifically, making the phishing campaign appear more credible and relevant to recipients,” the researchers added.

CLAW isn’t a legitimate token and is being promoted as a new launch within the scam narrative. In fact, OpenClaw developer Peter Steinberger has explicitly stated in the past that the project will never issue tokens and that any claim otherwise is a scam.

Heavily obfuscated malware code

According to OX, the malicious phishing and wallet-stealing code is “heavily obfuscated” and resides in the “eleven.js” JavaScript file in the repository.

The threat actor used “watery-compost[.]today” to host a C2 server to collect information (including wallet address, transaction value, and name) and drain wallets once they were connected. Commands used by the C2 include PromtTx, Permitted, and Declined. Additionally, the malware code includes a “nuke” function that deletes wallet-stealing data from the browser’s local storage to evade detection and forensics, the researchers added.
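As an added example (not from the OX report or the OpenClaw project), the following heuristic scores a GitHub issue body for the lure traits described above (allocation/giveaway wording, a dollar amount, the CLAW token name, off-GitHub links) and flags links to the reported C2 domain; the sample issue texts and the scoring weights are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Reported C2 domain, kept defanged; refanged only inside the matcher.
KNOWN_C2_DOMAINS = {"watery-compost[.]today"}

# Lure traits taken from the campaign description (constructed patterns).
LURE_PATTERNS = [
    r"\b(allocation|giveaway|airdrop)\b",
    r"\bselected (developers|builders)\b",
    r"\bCLAW\b",
    r"\$\d[\d,]*",
    r"\blimited[- ]time\b",
]

def refang(text):
    """Turn defanged indicators (hxxp, [.]) back into matchable form."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def extract_domains(text):
    """Collect lowercase hostnames from every http(s) URL in the text."""
    domains = set()
    for url in re.findall(r"""https?://[^\s<>"']+""", text):
        host = urlparse(url).hostname
        if host:
            domains.add(host.lower())
    return domains

def score_issue(text):
    """Return lure hits, off-GitHub domains, known C2 matches and a score."""
    text = refang(text)
    hits = [p for p in LURE_PATTERNS if re.search(p, text, re.IGNORECASE)]
    domains = extract_domains(text)
    c2 = {refang(d) for d in KNOWN_C2_DOMAINS}
    known = sorted(d for d in domains if d in c2)
    offsite = sorted(d for d in domains
                     if d != "github.com" and not d.endswith(".github.com"))
    score = len(hits) + 2 * len(offsite) + 5 * len(known)
    return {"score": score, "lure_hits": hits,
            "offsite_domains": offsite, "known_c2": known}

# Constructed sample issues: one mimicking the lure, one benign.
SAMPLE_LURE = ("Appreciate your contributions on GitHub. We analyzed profiles and "
               "selected developers to get OpenClaw allocation. Limited-time: claim "
               "$5000 worth of CLAW tokens at hxxps://watery-compost[.]today/claim")
SAMPLE_BENIGN = ("Fixed a null pointer in the parser, see "
                 "https://github.com/example/repo/pull/1")

if __name__ == "__main__":
    for issue in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(score_issue(issue))
```

A score of 5 or more (any known C2 link) would merit blocking the notification or raising an alert; lower scores with off-site links still warrant review.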
