With examples changing hands for up to $69 million, hosting digital content on blockchain and selling it to investors has become one of the most lucrative things creators can do. And as rock stars, international artists, and even politicians keep "minting" non-fungible tokens (NFTs) and investors keep rushing in to buy them, the NFT space has undergone exponential growth.
As of January this year, the NFT market is worth at least $4 billion — up from around $250 million in 2020 (the year when NFTs first came to public attention). This means that regardless of whether you think NFTs are just "expensive jpegs" or a future-focused investment, interest in NFTs is rocketing and likely to keep growing, with some forecasts putting the NFT market at $80 billion by 2025.
Unfortunately, threat actors have not missed this growth, and malicious activity within the NFT investment space is surging. Using investor interest in NFTs and cryptocurrency as an entry point for phishing attacks, cybercriminals are increasingly deploying credential-stealing malware to hijack crypto accounts and steal cryptocurrencies and other digital assets.
Last year, Morphisec’s Research Team encountered and fully disclosed the inner workings behind the Babadeda Crypter, a dynamic new threat aimed at blockchain investors on the Discord app. Since then, we have gone beyond the Babadeda Crypter to uncover the motivations, infrastructure, and activities of one of the most dangerous and fast-developing threat actor campaigns targeting this sector - and how to stop them with Moving Target Defense.
Our new report, “Journey of a Crypto Scammer - NFT-001”, covers these findings in detail. Here is a snapshot of what we discovered.
The evolved crypters observed by Morphisec in the new campaign continue to be delivered through malicious Discord bots operating within NFT and crypto communities. These bots direct users to decoy websites where they are prompted to download malicious desktop applications.
While this methodology hasn't changed since our discovery of the BABADEDA Crypter in 2021, message bots have developed advanced phishing capabilities in the latest iterations of its attack chain.
The variety of sites and applications being used as decoys has also grown, with more communities being targeted. To make malware delivery easier, attackers are now also leveraging distributed application architecture to centralize delivery.
Besides deployment, the execution process of these crypters is also becoming more sophisticated. We can confirm that many crypters now use DLL sideloading, enabling the cryptor's payload to pose as a legitimate application file on the victim's device. This means that signature-based solutions will find it impossible to recognize these files as malicious.
Based on our research, Morphisec can now clarify that three different RATs are being used as payloads, indicating that the threat actor's goal is to steal credentials for other crypto wallets.
Last year’s investigation into Babadeda showed that the crypter is highly obfuscated during execution and deployment. Now able to hide within trusted applications, crypters like Babadeda are entirely invisible to signature and behavior-based malware detection tools.
However, one thing hasn't changed: Morphisec can still detect and stop these advanced crypter attacks before they compromise targeted devices. The reason why is that our Moving Target Defence technology doesn't rely on scanning files for recognizable threats or knowing whether or not it can trust an application. Instead, Morphisec stops threats by morphing device memory and confusing and trapping in-memory attacks like Babadeda in real-time.
Essential reading for security professionals, our report covers the above developments in detail. We also include the technical details of the attack and let defenders know the IOCs they need to look out for. Download the report “Journey of a Crypto Scammer - NFT-001” to read the full analysis.
alchemists[.]fund metaverses-pro[.]com ragnarok.vercel[.]fund woofsolana[.]fund babyswap[.]fund spookyswap[.]fund polygon-project[.]com viper[.]fund osmosiszone[.]fund popsicle[.]fund snowbank[.]fund grim[.]fund spartacadabra[.]fund ring-finance[.]com helium-app[.]com |
zapp3r[.]com terra-money[.]com wonderlaned[.]com jadeprotocol[.]fund strongblock[.]fund avaxbridge[.]fund polychainsmonsters[.]com debank[.]fund steps[.]fund abracadabra[.]run boredpeyachtclub[.]com vercel[.]fund |
orca[.]mba blocto-portto[.]fund spartacus[.]fund thorswap[.]fund xyfinance[.]fund olympus-dao[.]fund invictusdao[.]fund traderjoexyz[.]fund pegaxy[.]fund torix[.]fund jonesdao[.]net cocosbcx[.]fund gitcoin[.]fund sushi-v3[.]app |
meritcircle[.]fund biconomy[.]fund oxdao[.]net vvsfinance[.]fund thor[.]fund marinade[.]fund paragonsdao[.]net avalaunch-app[.]com pancakeswaps[.]fund diviprojects[.]com runonflux[.]net |
185.212.130[.]108 185.212.130[.]109 185.212.130[.]110 |
185.212.130[.]111 185.212.130[.]157 185.212.130[.]129 |
185.212.130[.]199 185.212.130[.]132 185.212.130[.]133 |
185.212.130[.]218 |
veeffriends[.]com | download-app-v2[.]fund | server-storage-dwl[.]com |
46.30.40[.]105 | 46.30.40[.]108 | 46.30.44[.]84 |
95.217.114[.]96 37.48.89[.]8 94.23.218[.]87 |
135.181.17[.]47 135.181.140[.]182 135.181.140[.]153 |
135.181.6[.]215 65.21.127[.]164 193.56.29[.]242 |
157.90.1[.]54 |
7e827e1981d2ccaec16a5b646976b0d492d555a20b9ba5dd4ba0d605dfcab2f7 c62d330c24d04b2a915529ed78ea6692360b18918886d73081300e8f97f3c544 ee8ebd97891ca6492355cfd5c964405a3269f428f91396a7c68b8aba965b4dab a17be0cd6fe63cef8d742895c8f7a8b5ce3d4568b68c62c852388276f9d39462 4fed886fb15c2b8013471dd3a00f1dd4f92c1222d7e901e7712bc51a4e8553cf 4805e9e5317478e816c0d951dc5fa960abb2b49944ebcaac2a01b92cacd4c0e6 332a687e95a47bbae4ce2952ff288055bd8c32731a823e2a8fae04f127afd3a0 df332e7ab12e8616cc372e67a333a2e7bb8767f30918724f34d23a684db6bcb4 e5b90abfcc0bdd325d547473c30cce977dcd41906d1b5ee52569fced477343c2 14da3566bc9f211528c1824330c46789396447c83c3c830bb91490d873025df8 a19c03d7ca8f50a2c840f10631d26e1b40742c46e05964b60852e9eb8c697234 2e5455e268cf12ebc0213aa5dacb2239358c316dda3ec0f99d0f36074f41fb09 bcaaab0cd2178acdf025c7f23f10ab01906a99aca5d07e3a7e261928f8f91695 a63b3acebe111d575cdbdfeb657989ae6a92e9e41671abbf7d8e26a8fb9c38f9 2eb4b9d985bc1fad0566cb51ac504841358918aa3ea2c8062c3916d576711bb3 457753d6d5c69ddf06528bbfa0d8c9170ea5e7fac9cb87297c1eaf39c57e760b b1865018b392f374c7237bebcdf38b72d31668ad8b1c6376eeb3a405e11ce6a2 2e3355742ee27347ec089d645a0697068c833ed7ea8fdef10d6aa1b0f87ab692 c33e81267dbc9ff93e82492a8d826e95788fd2fc8fcc79053d31d17e5c7ea8f3 2a8bf9c645496e62b71a8e3a74aebb68f8fbeae3b5b7712d36ddd2a234561a3c d7bf594ca3051dc2c809d69254ddf00497df644e44a8b30af65318e146f35f81 7aece75112f882c05c6742213d816c2a3cc54aee9df445a21da8fd35dae2dfc2 0115ba0f26a7b7ca3748699f782538fa761f7be4845a9dc56a679acea7b76cd3 be87ab0b64d89333e96ed8f97cd5d67c374df13183b573f9a7f206217780f667 214d6681f5d82d4fa43e7a8676935ef01ddab8d0847eb3018530aedffe7ebb55 18c01e1f6e0185752dbf8c9352d74ade56ac40d25ae701d4a5954b74d0c7aeea 44b1c156635bc6cd0bfc9b784077fe4b912df90298e3cfc8bc4f98af5450e846 41f1f642353b024f2c1d709e58e0c2c7b8699a6b24f12a4f9c0ff36f86bdf2d7 466609938501952b9818091551e4d297718d03b65aa081c1af8c7ca7fc90b282 d360daf106314561e9ec57075dd4f544ad52680678a644e186758650a405b765 bfd7dac0fdd4cc92f11d775e9d27399c30e81cb6d7515f7b255d180499bfc0ca 4a289a5f0342365442564bbe9a09f7a1a3f23af0769a01769f58dd49504cca87 992aed6d1cfe2f07530deb7c6279faff141a46838165b88f73bcce5dacf8ee12 a2cd8d088ca9d67617ee4fe198232ca6b4eeec01419f2c3fbb1b543f8f166ecf 4fc19e9319a6af5c4568a1b019f06a000232892ee8e5eb8fc8c1f0d48e8c8199 f5f8917076a7ed3e13386a95904a235eedf281d8f5cc06748816b577eb5dc6ff 1da341ec03b5f70da9a6016dfefb298bffb4522408b9486314afd7fc02d0017f 3c844e66f0dafdced0861a8e2ff54fd762ba170bf5082fb2c38cdbbac5a7fecb e99d32952bda84f32425681229ec544849156e479b7247e3e480f3a23a39c915 d6abbfbd4b7f1e84e2e9833a912b86ffc5b9ca6165ed4fe874d0071181b55353 7506a8784ac064884072a2aba84524ca27cd0b5ab66b7156d54926585673f9bf |