An unbelievable event for this user, who became the victim of a crypto-stealer campaign: $900 worth of USDT meant for a friend was stolen because the destination wallet address was swapped during the payment.
Yeah, you heard us right. The user copied the correct wallet address and pasted it into the crypto platform for payment, but because the campaign had compromised this system, the attackers were able to replace the address with their own in the process, so their wallet became the final destination of the payment.
Here is a short video, recorded with another account on the same system immediately after the first transaction was found to have gone to the wrong address. It confirms that this can happen to many unsuspecting users.
How were they able to pull this stunt?
And what is the possible modus operandi (MO) of this campaign, as studied by our team while responding to this incident?
Digging into the victim’s computer to understand how that happened, we found some interesting conversations PowerShell was having, as shown below.
The folder de22926f-3fca-4ad7-8997-0132f9108a02 was found to contain the KeePass executable, as shown below; at the time of writing the file is flagged by only a few engines on VirusTotal (VT).
Analysis of the other folder, which holds various .dll files, showed behaviour consistent with stealer malware; none of these files is currently flagged by any engine on VT, as shown below.
To better understand how these pieces fit into the puzzle of how the destination wallet was swapped during the payment, we started by checking the PowerShell logs to see what we could find.
Over 118 Event ID 4104 (PowerShell Script Block Logging) events were filtered from the logs, meaning PowerShell had been executing remotely supplied commands; alongside them were related errors from failed name resolution of random .xyz domains that PowerShell was trying to resolve.
We collected the ScriptBlockText from these events, which records what PowerShell was doing each time such a remote call was made.
This script contained several functions, such as WMI, Test-Unicode, GetAvStatus, Get-InstallStatus, Get-Apps, Get-UserInfo, Get-UserID, Get-Updates, Set-Updates and f6.
Reading through each of these functions made it obvious what they do and what information they collect and look for on the infected system: system information, user information, cryptocurrency-related extensions installed in browsers, particular browsers (Chrome, MSEdge, Brave and Opera) and antivirus status.
Below is a colour-coded view of the script pointing to some of the functions mentioned above, some interesting directories where searches and installation were performed, and the cryptocurrency platforms (Binance, MetaMask, Coinbase, Coin98, MEWcx, Coinomi) whose users were being targeted.
The MetaMask extension was present in the Google Chrome browser in this specific case, a pointer to why the attacker succeeded with this victim.
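To assess the same exposure the stealer's Get-Apps logic looks for (which of the targeted browsers are installed and which wallet extensions they carry), the following PowerShell is an added example written for this write-up; it is not the campaign's script nor tooling from the original post. The MetaMask ID is the published Chrome Web Store ID; the other wallets in the post (Binance, Coinbase, Coin98, MEWcx, Coinomi) can be added to the table once their IDs are confirmed. The Opera profile path is an assumption and may need adjusting for your estate.

```powershell
# Added example: enumerate Chromium-family browser extensions and flag known
# wallet extensions. Only MetaMask's ID is filled in (published Web Store ID);
# extend the table with other wallets' IDs as you confirm them.
$WalletExtensionIds = @{
    'nkbihfbeogaeaoehlefnkodbefgpgknn' = 'MetaMask'
}

# Profile roots for the browsers named in the post.
# The Opera path is an assumption; verify it on your own systems.
$BrowserRoots = @{
    'Chrome' = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
    'MSEdge' = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data'
    'Brave'  = Join-Path $env:LOCALAPPDATA 'BraveSoftware\Brave-Browser\User Data'
    'Opera'  = Join-Path $env:APPDATA 'Opera Software\Opera Stable'
}

function Get-BrowserExtensions {
    foreach ($browser in $BrowserRoots.Keys) {
        $root = $BrowserRoots[$browser]
        if (-not (Test-Path -Path $root)) { continue }

        # Chromium profiles are 'Default' and 'Profile N'; if none exist
        # (Opera keeps its extensions directly under the profile root),
        # treat the root itself as the only profile.
        $profiles = @(Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
                      Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' })
        if ($profiles.Count -eq 0) { $profiles = @(Get-Item -Path $root) }

        foreach ($profile in $profiles) {
            $extDir = Join-Path $profile.FullName 'Extensions'
            if (-not (Test-Path -Path $extDir)) { continue }

            foreach ($ext in Get-ChildItem -Path $extDir -Directory) {
                # Each extension ID folder holds one folder per installed
                # version, each with a manifest.json. The manifest name is
                # often an i18n placeholder (e.g. __MSG_appName__), so the
                # extension ID, not the name, is what we match on.
                $manifest = Get-ChildItem -Path $ext.FullName -Recurse -Filter 'manifest.json' -ErrorAction SilentlyContinue |
                            Select-Object -First 1
                $name = $null
                if ($manifest) {
                    try { $name = (Get-Content -Path $manifest.FullName -Raw | ConvertFrom-Json).name } catch { }
                }

                [pscustomobject]@{
                    Browser     = $browser
                    Profile     = $profile.Name
                    ExtensionId = $ext.Name
                    Name        = $name
                    Wallet      = $WalletExtensionIds[$ext.Name]
                }
            }
        }
    }
}

# Usage: list only the wallet extensions found on this host.
Get-BrowserExtensions | Where-Object { $_.Wallet } | Format-Table -AutoSize
```

Run it in the context of the affected user (the profile directories live under that user's AppData); any row it returns is a user whose wallet extension the campaign's script would have found.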
The meta_request constant contained base64-encoded data, which decoded to what is shown in the screenshot below: an HTTP GET request. This explains the random connections on port 80 seen in the PowerShell activity captured earlier.
Other constants were also of interest: meta_ip contained the public IP through which the infected system reaches the Internet, and meta_host changed to a different domain name with the .xyz TLD in each of the 118 remote command execution events captured from the PowerShell log.
Identifying and analysing the script pointed us toward other changes that might have been made on the compromised system, such as those in various system directories and the registry, so that they could be removed completely, the system brought back to a clean state and reoccurrence prevented.
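The log work described above (pulling Event ID 4104 script blocks, extracting the meta_host / meta_ip / meta_request constants, decoding the base64 request and spotting the recon functions) can be scripted. The following PowerShell is an added example for this write-up, not the incident's script or tooling. It assumes the constants appear in the script text as simple assignments (e.g. $meta_host = "..."), which is an assumption about the layout, and that Script Block Logging is enabled and the session is elevated enough to read the Microsoft-Windows-PowerShell/Operational log. The sample script block at the bottom is constructed for demonstration and is not the real one.

```powershell
# Added example: hunt PowerShell Script Block Logging (Event ID 4104) for the
# indicators described in the post. Assumption: constants are assigned as
# $meta_host = "...", $meta_ip = "...", $meta_request = "<base64>".

# Function names the post lists in the recon script.
$ReconFunctions = @('Test-Unicode', 'GetAvStatus', 'Get-InstallStatus', 'Get-Apps',
                    'Get-UserInfo', 'Get-UserID', 'Get-Updates', 'Set-Updates')

function Get-AssignedString {
    # Pull the string literal assigned to $<Name> (double- or single-quoted).
    param([string]$Text, [string]$Name)
    $m = [regex]::Match($Text, '\$' + [regex]::Escape($Name) + '\s*=\s*["'']([^"'']+)["'']')
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

function ConvertFrom-StealerScriptBlock {
    # Parse one ScriptBlockText and return the indicators it carries.
    param([string]$Text, [datetime]$TimeCreated = (Get-Date))

    $metaHost    = Get-AssignedString -Text $Text -Name 'meta_host'
    $metaIp      = Get-AssignedString -Text $Text -Name 'meta_ip'
    $metaRequest = Get-AssignedString -Text $Text -Name 'meta_request'

    $decoded = $null
    if ($metaRequest) {
        try { $decoded = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($metaRequest)) }
        catch { $decoded = '<not valid base64>' }
    }

    $found = $ReconFunctions | Where-Object { $Text -match ('function\s+' + [regex]::Escape($_) + '\b') }

    [pscustomobject]@{
        TimeCreated    = $TimeCreated
        MetaHost       = $metaHost
        XyzDomain      = [bool]($metaHost -and $metaHost -like '*.xyz')
        MetaIp         = $metaIp
        DecodedRequest = $decoded
        ReconFunctions = @($found) -join ','
        Suspicious     = [bool]($metaHost -or $metaRequest -or $found)
    }
}

function Get-SuspiciousScriptBlocks {
    # Read 4104 events and keep only blocks carrying the indicators.
    param([int]$MaxEvents = 5000)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($evt in $events) {
        # In 4104 events Properties[2] is ScriptBlockText.
        $text = [string]$evt.Properties[2].Value
        if (-not $text) { continue }
        $r = ConvertFrom-StealerScriptBlock -Text $text -TimeCreated $evt.TimeCreated
        if ($r.Suspicious) { $r }
    }
}

# Constructed sample (not the real script block) to show the parser's output.
$sample = @'
$meta_host = "a1b2c3d4.xyz"
$meta_ip = "203.0.113.10"
$meta_request = "R0VUIC9pbmRleC5waHAgSFRUUC8xLjE="
function GetAvStatus { }
function Get-Apps { }
'@
ConvertFrom-StealerScriptBlock -Text $sample | Format-List
# On a live host:  Get-SuspiciousScriptBlocks | Sort-Object TimeCreated | Format-Table -AutoSize
```

On the constructed sample the parser reports MetaHost a1b2c3d4.xyz (XyzDomain True), the decoded request "GET /index.php HTTP/1.1" and the two recon functions. Unique MetaHost values from a live run give you the list of .xyz domains to block and to search for in DNS and proxy logs.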
The campaign wallet was a Tether (USDT) wallet; we tracked it to understand what happened to the sent tokens, as shown below.
The campaign immediately moved the tokens to another Tether (USDT) wallet, as seen in the image below.
After initial compromise, the campaign maintained persistence and evaded detection by leveraging Living off the Land (LotL) TTPs, hiding behind PowerShell, WMI, CMD (wscript, cscript) and the browser and its extensions, all of which are legitimate applications.
Our conclusion is that the affected user most likely downloaded cracked software recently, which allowed the campaign to compromise the system and achieve its actions on objectives: stealing crypto tokens, user-related information, credentials and control of the system in general.
CyberPlural MSSP facilitates practices and teams that are devoted to preventing, detecting, assessing, monitoring, and responding to cybersecurity threats and incidents.
Indicator of Compromise (IoC)
Program Files (x86)\KeePass Password Safe 2