Morphisec Cybersecurity Blog

NFT Buyers Beware: Journey of a Crypto Scammer and How to Stop Them

Written by Hido Cohen & Arnold Osipov | February 14, 2022 at 1:32 PM

With examples changing hands for up to $69 million, hosting digital content on blockchain and selling it to investors has become one of the most lucrative things creators can do. And as rock stars, international artists, and even politicians keep "minting" non-fungible tokens (NFTs) and investors keep rushing in to buy them, the NFT space has undergone exponential growth. 

As of January this year, the NFT market is worth at least $4 billion — up from around $250 million in 2020 (the year when NFTs first came to public attention). This means that regardless of whether you think NFTs are just "expensive jpegs" or a future-focused investment, interest in NFTs is rocketing and likely to keep growing, with some forecasts putting the NFT market at $80 billion by 2025.

Unfortunately, threat actors have not missed this growth, and malicious activity within the NFT investment space is surging. Using investor interest in NFTs and cryptocurrency as an entry point for phishing attacks, cybercriminals are increasingly deploying credential-stealing malware to hijack crypto accounts and steal cryptocurrencies and other digital assets. 

Last year, Morphisec’s Research Team encountered and fully disclosed the inner workings behind the Babadeda Crypter, a dynamic new threat aimed at blockchain investors on the Discord app. Since then, we have gone beyond the Babadeda Crypter to uncover the motivations, infrastructure, and activities of one of the most dangerous and fast-developing threat actor campaigns targeting this sector - and how to stop them with Moving Target Defense.

Our new report, “Journey of a Crypto Scammer - NFT-001”, covers these findings in detail. Here is a snapshot of what we discovered. 

Harder for Users to Spot

The evolved crypters observed by Morphisec in the new campaign continue to be delivered through malicious Discord bots operating within NFT and crypto communities. These bots direct users to decoy websites where they are prompted to download malicious desktop applications. 

While this methodology hasn't changed since our discovery of the Babadeda Crypter in 2021, the message bots in the latest iterations of the attack chain have developed advanced phishing capabilities.

The variety of sites and applications being used as decoys has also grown, with more communities being targeted. To make malware delivery easier, attackers are now also leveraging distributed application architecture to centralize delivery.

Impossible for Signature-Based AV to Detect

Besides deployment, the execution process of these crypters is also becoming more sophisticated. We can confirm that many crypters now use DLL sideloading, enabling the crypter's payload to pose as a legitimate application file on the victim's device. This means that signature-based solutions will find it impossible to recognize these files as malicious.
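Because a sideloaded DLL carries a legitimate-looking name, a defender gets more from the load context than from the file itself. As an added example (not code from Morphisec or the report), the check below flags image loads where a DLL with a Windows system DLL name resolves to a path outside the system directories. It assumes Sysmon-style image-load records reduced to pipe-separated lines; the DLL names chosen, the paths and the records are constructed sample data.

```python
import ntpath
from typing import Dict, List

# DLLs that normally live in the Windows system directories and are
# commonly impersonated by a same-named DLL dropped beside an application.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "userenv.dll",
                    "wtsapi32.dll", "dwmapi.dll", "cryptbase.dll"}

# Directories a DLL with one of those names is expected to load from.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample records: process image | loaded image | signature status.
SAMPLE_RECORDS = r"""
C:\Program Files\Example\example.exe|C:\Windows\System32\version.dll|Valid
C:\Users\alice\Downloads\DecoyApp\launcher.exe|C:\Users\alice\Downloads\DecoyApp\version.dll|Unsigned
C:\Users\alice\Downloads\DecoyApp\launcher.exe|C:\Users\alice\Downloads\DecoyApp\launcher.exe|Valid
C:\Windows\explorer.exe|C:\Windows\System32\dwmapi.dll|Valid
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split pipe-separated records into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 3:
            continue
        records.append({"process": parts[0], "image": parts[1], "signed": parts[2]})
    return records


def is_sideload_candidate(record: Dict[str, str]) -> bool:
    """True when a system-named DLL was loaded from a non-system directory."""
    name = ntpath.basename(record["image"]).lower()
    directory = ntpath.dirname(record["image"]).lower()
    if name not in SYSTEM_DLL_NAMES:
        return False
    return directory not in TRUSTED_DIRS


def find_sideloads(text: str) -> List[Dict[str, str]]:
    """Return the records that match the sideloading heuristic."""
    return [r for r in parse_records(text) if is_sideload_candidate(r)]


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_RECORDS):
        print(f"possible sideload: {hit['process']} loaded {hit['image']} ({hit['signed']})")
```

The same heuristic applies to any image-load telemetry that records the full path; pair it with the signature status column to rank unsigned hits first.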

Based on our research, Morphisec can now clarify that three different RATs are being used as payloads, indicating that the threat actor's goal is to steal credentials for other crypto wallets.

Morphisec Stops These Attacks with Moving Target Defense

Last year’s investigation into Babadeda showed that the crypter is highly obfuscated during execution and deployment. Now able to hide within trusted applications, crypters like Babadeda are entirely invisible to signature and behavior-based malware detection tools.

However, one thing hasn't changed: Morphisec can still detect and stop these advanced crypter attacks before they compromise targeted devices. This is because our Moving Target Defense technology doesn't rely on scanning files for recognizable threats or on knowing whether or not it can trust an application. Instead, Morphisec stops threats by morphing device memory and confusing and trapping in-memory attacks like Babadeda in real time.

Our New BDCrypter Report

Essential reading for security professionals, our report covers the above developments in detail. We also include the technical details of the attack and let defenders know the IOCs they need to look out for. Download the report “Journey of a Crypto Scammer - NFT-001” to read the full analysis.


IOCs

Decoy websites

Domains


IP Addresses


File Servers

Domains


IP Addresses


C2 Servers

IP Addresses


Fake applications

SHA256 Hashes