
Written by: SlowMist Technology

 

Background

 

On July 25, 2024, MonoSwap (@monoswapio) warned on Twitter that its platform had been hacked. They called on users to stop adding funds to their liquidity pools or staking in their farm pools, and explained that the attack originated from a MonoSwap developer who, the day before the incident, installed Trojan software (https[:]//kakaocall[.]kr) while accepting a meeting invitation from a fake VC. The attacker used this foothold to compromise the developer's computer, take control of the relevant wallets and contracts, and then withdraw a large amount of staked funds, causing serious losses.

 

(https://x.com/monoswapio/status/1816151998267547851)

 

Event Correlation

 

On the same day, the SlowMist security team discovered that the pinned tweet of @OurTinTinLand’s AMA activity about the airdrop contained the phishing link mentioned above.

 

 

With the help of the SlowMist security team, TinTinLand promptly resolved the account theft issue and conducted authorization review and security reinforcement on the Twitter account.

 

(https://x.com/OurTinTinLand/status/1816358544402444462)

 

Event Analysis

 

Although the phishing domain kakaocall[.]kr has been taken down and the malware information can no longer be viewed, we linked it to another, similar phishing domain, kakaocall[.]com, through Internet snapshots.

 

 

Comparing the code of kakaocall[.]com and kakaocall[.]kr through historical web page snapshots, we found that the two sites are identical, so they can be attributed to the same gang.

 

 

The malware address links of kakaocall[.]com point to https[:]//taxupay[.]com/process[.]php and https[:]//www.dropbox[.]com/scl/fi/ysnjinmlpcpdxel050mmb/KakaoCall[.]exe?rlkey=drj8bfnd0zzvmcocexz93b6ky&st=28in0iw3&dl=1.

 

Subsequently, through in-depth tracing, the SlowMist security team found several more phishing scams that use the same method. On June 26, 2024, Twitter user Metadon (@metadonprofits) wrote a post describing the scam process. The scammer @DeusExUnicusDms sent him a private message pretending to be a company representative of @NibiruChain, and created a Telegram group chat to which a fake Web3 founder was added to increase credibility. The scammer then induced the victim to hold a video call on KakaoTalk, a legitimate Korean instant messaging app. Since the victim did not have the app, the scammer sent a link claiming to be the official download link for the app, which was in fact a phishing link.

 

(https://x.com/metadonprofits/status/1805714156068520251)

 

As we continued the in-depth analysis, many victims also contacted us. By analyzing the information they provided, we found that this is an organized hacker group that operates in batches, has professional skills, and is proficient in social engineering. The attackers disguised themselves as legitimate project teams: they built polished project websites, social media accounts and open-source repositories, inflated follower counts, wrote project white papers, and even got listed on Web3 project recommendation platforms. The result looked so similar to a legitimate project that many victims believed it was real and were attacked as a result. Since many cases are involved, we analyze two of the more representative ones below.

 

Case Study 1

 

The attackers chat with victims on social platforms and guide them to the malicious phishing site https[:]//wasper[.]app to download malicious applications.

 

Deployment time:

 

 

 

Windows malware download address:

https[:]//www.dropbox[.]com/scl/fi/3t95igxg3uvwthl2k9wcn/Wasper-Setup[.]exe?rlkey=xjt92pfebn1m0np52fbt5k3rl&st=a24xyedp&dl=1

 

macOS malicious program download address:

https[:]//www.dropbox[.]com/scl/fi/r8h40oyan354nqyx35mus/Wasper[.]dmg?rlkey=k88x68bxslsywnp98zb1cp260&st=hibpe07j&dl=1

 

When analyzing the phishing site https[:]//wasper[.]app, we found that it was beautifully crafted and had a corresponding open-source project on GitHub.

 

 

We therefore visited the open-source project at https[:]//github[.]com/wasperai/wasper and found that, to make the fake project more credible, the attacker had also set up its Watch, Fork and Star counts.

 

 

To make the whole scheme convincing, the attacker even added the contributors of other projects directly to the fake project, and added the phishing website's domain name to it as well.

 

 

Since the phishing website, the fake project and the Twitter account all corroborated one another, the whole thing looked like a normal project. The attacker is clearly skilled at exploiting human nature and leading victims into traps: a professional hacker and social engineer.

 

 

Case Study 2

 

The attackers in another phishing incident, dexis[.]app, used a method very similar to the one in the wasper[.]app incident. They also communicated with the target on social platforms first, then guided the target to register on the phishing site dexis[.]app and download malicious programs.

 

 

The open source repository for this incident (https[:]//github[.]com/DexisApp/Dexis) uses the same template as the wasper incident.

 

 

The attacker placed the project's official website, white paper and other information on Linktree, which was extremely deceptive. When we first analyzed it, we thought it was a legitimate project that had been hacked. Only after finding that multiple cases used this method did we confirm that this was a carefully planned attack.

 

 

After visiting dexis[.]app, we found that the malicious program is downloaded by redirecting to the Trojan address https[:]//1processmerch.com/process[.]php. Since this download endpoint has been taken offline, we could not obtain the Trojan sample.

 

 

This Trojan address is the same as the one the phishing website https[:]//kakaocall[.]com redirects to, and the file extension is also the same:

 

 

Similar fraud projects

 

Here are some other accounts and phishing URLs associated with this group:

  • Web3 game malware scam: @X Wion World; URLs: wionworld[.]com

  • Web3 game malware scam: @X SilentMetaWorld; URLs: playsilentdown[.]site, @link3to / free/jaunty-starks

  • Meeting software malware scam: @X / VDeckMeet; URLs: vdeck[.]app

  • Web3 game malware scam: @X / _PartyRoyale; URLs: partyroyale[.]games, @hubdotxyz/party-royale

  • Meeting software malware scam: @X / VorionAI; URLs: vorion[.]io, vortax[.]app, vortax[.]space

  • Web3 game malware scam: @X / arcanixland; URLs: arcanix[.]land, @Linktree_ / arcanixsocial

  • Meeting software malware scam: @X / GoheardApp; URLs: goheard[.]app, goheard[.]io

  • Web3 game malware scam: @X / projectcalipso; URLs: projectcalipso[.]com, @Linktree_ / projectcalipso

  • Meeting software malware scam: @X / kendoteth (fake KakaoTalk); URLs: kakaocall[.]com

 

Thanks to @d0wnlore for the information (https://twitter.com/d0wnlore/status/1796538103525757083).

 

Trojan Analysis

 

An online scan with VirusTotal showed that the Trojan is detected by multiple antivirus engines.

 

(https://www.virustotal.com/gui/file/f3c14c12cd45dbfb9dfb85deac517cca25c3118f2c7e3501be669fc06bb4402f/behavior)

 

 

Analysis found that this Trojan executes a series of script commands to obtain system access, steal user credentials, collect valuable system information and perform other malicious operations. According to the analysis report of the Trojan file from the Triage malware analysis platform, the malicious domain names and IP addresses it connects to are as follows:

  • showpiecekennelmating[.]com

  • 45.132.105.157
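A defender reading this report will mostly want to sweep their own DNS and proxy telemetry for the indicators above (the C2 domain and IP) and the phishing domains from the "Similar fraud projects" list. The following script is an added example, not SlowMist's tooling: it refangs indicators written in the article's `[.]` notation, matches hosts exactly or as subdomains, and scans a few constructed log lines; the log format and the `DEFANGED_IOCS` selection are assumptions.

```python
# Added example (not from the SlowMist article): refang the indicators
# published on this page and sweep DNS/proxy log lines for contact with them.
import ipaddress
import re

# Indicators copied from the article in its defanged form. A real deployment
# would load its feed from a file; this short list is for demonstration.
DEFANGED_IOCS = [
    "kakaocall[.]kr", "kakaocall[.]com", "taxupay[.]com", "1processmerch.com",
    "wasper[.]app", "dexis[.]app", "showpiecekennelmating[.]com", "45.132.105.157",
]

# Constructed sample telemetry, not real logs. Line 2 is benign (Dropbox itself
# is not an indicator) and line 5 is a look-alike that must not match.
SAMPLE_LOGS = [
    "2024-07-24T10:02:11Z dns query A cdn.wasper.app from 10.0.0.7",
    "2024-07-24T10:03:40Z proxy GET https://www.dropbox.com/scl/fi/abc/KakaoCall.exe 200",
    "2024-07-24T10:05:02Z proxy POST http://1processmerch.com/process.php 200",
    "2024-07-24T10:05:30Z conn tcp 10.0.0.7:51322 -> 45.132.105.157:443",
    "2024-07-24T10:06:00Z dns query A notkakaocall.com from 10.0.0.9",
]

def refang(ioc: str) -> str:
    """Turn the publication form ('[.]', '[:]', 'hxxp') back into a matchable value."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http").strip().lower()

def load_iocs(defanged):
    """Split the refanged indicators into a domain set and an IP set."""
    domains, ips = set(), set()
    for raw in defanged:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return domains, ips

def host_matches(host, domains):
    """Exact or subdomain match: 'cdn.wasper.app' hits 'wasper.app'; 'notwasper.app' does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

# First alternative captures hostnames, second captures dotted-quad IPs.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b|\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def scan_log(lines, domains, ips):
    """Return (line_number, indicator) for each log line that touches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host, ip in HOST_RE.findall(line.lower()):
            if (host and host_matches(host, domains)) or (ip and ip in ips):
                hits.append((n, host or ip))
                break  # one finding per line is enough for triage
    return hits

def demo():
    """Run the sweep over the constructed sample; returns [(1, 'cdn.wasper.app'), (3, '1processmerch.com'), (4, '45.132.105.157')]."""
    return scan_log(SAMPLE_LOGS, *load_iocs(DEFANGED_IOCS))

if __name__ == "__main__":
    for line_no, indicator in demo():
        print(f"line {line_no}: contact with indicator {indicator}")
```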

 

Summary

 

The fact that attackers can create fake scenarios extremely similar to real projects shows that attack groups are becoming more professional and more proficient in social engineering. Their highly organized, batch-style operations give the fraud a very wide reach, so that many users are unable to tell real from fake and are deceived.

 

The above case analysis reveals only a small part of the "dark forest" of phishing; many threats are still lurking. The SlowMist Security Team recommends that users stay vigilant and remain skeptical before clicking on website links, and install well-known antivirus software such as Kaspersky and AVG to improve device security. If you are unfortunately infected, transfer your wallet funds as soon as possible and run a comprehensive antivirus scan of your personal computer. For more security knowledge, we recommend reading the "Blockchain Dark Forest Self-Help Manual" produced by the SlowMist Security Team.