nov-15-2024-ci-theft.md

Nov 14 2024 Theft from Individual

Date:: November 15, 2024

Amount Stolen:: $42,000

Tags:: 🎙️ Contagious Interview


On-chain

  • 0x95A24a95BEf127ba0E620B48602d9e10dddbA627 - Victim
  • 0x83475d03e38f913339a3f8cc31f5b80873b665cc - Victim
  • 0xe5070b5bbf090bf0f83fc9676076074648007556 - Theft
  • 0x38a1c063ab55e473989991963d59bac22e986d1a - Theft
  • 0x1d114e73e804c4a5d8d611937423402f878484dd - Theft
  • 0xb0fa1f34899f5017bf2f7506a205ebe414a77301 - Theft
  • 0x717f4D449Af89859A1285ea204e58A83c41cb25e - Theft
  • 0x9921ABD47f174668E574758795f3f981e6A3Aa86 - Theft

Details

The attacker approaches targets who work in the Web3 industry or accept crypto as a form of payment.

The attacker uses a company email address to send the target a professionally crafted message asking whether they are interested in a full-time position or a freelance role.

After some small talk, the attacker moves the conversation to WhatsApp or Telegram and invites the target into a private malicious project repository hosted on GitHub.

The malicious obfuscated code is hidden on a single line after a lot of whitespace. If word wrap is not enabled, targets will easily miss the code.

Virus scans come up negative.

The attacker then encourages the target to compile the code and see that there are some problems. When the code is compiled and run, the attacker will try to call the target. I believe it is to stall for time so that the malware can be downloaded and installed.

The malware is believed to be a modified version of BeaverTail and InvisibleFerret.

You can find evidence of the malware installed in the user profile directory. On Windows the paths are:

  • %userprofile%/.n2/pay
  • %userprofile%/.npl
  • %userprofile%/.vscode
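Two checks a defender can run against the indicators above, written here as an added example (not code from the original report): one scans a cloned repository for the hiding trick described earlier (a very long line with a large run of whitespace followed by more code), the other looks for the artifact directories listed above under the user profile. The length thresholds, the file extensions scanned and the sample source string are assumptions and constructed data, not values from the report.

```python
import os
import re
from typing import List, Optional, Tuple

# Assumed thresholds: honest source lines rarely exceed 500 characters, and a
# run of 100+ spaces/tabs in the middle of a line is not indentation.
MIN_LINE_LENGTH = 500
MIN_WHITESPACE_RUN = 100

# Artifact directories named in the report, relative to %USERPROFILE%.
# Note: .vscode is also created by a legitimate VS Code install, so treat a hit
# on it as weaker evidence than .n2/pay or .npl.
ARTIFACT_DIRS = [".n2/pay", ".npl", ".vscode"]

# A long whitespace run that is followed by a non-whitespace character,
# i.e. there is more content hiding to the right of the gap.
_WHITESPACE_RUN = re.compile(r"[ \t]{%d,}\S" % MIN_WHITESPACE_RUN)


def find_hidden_code_lines(source: str) -> List[Tuple[int, int, str]]:
    """Return (line_number, whitespace_run_length, preview) for each suspicious line.

    A line is flagged only when it is unusually long AND contains a long run of
    whitespace with code after it, which is the pattern the report describes.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if len(line) < MIN_LINE_LENGTH:
            continue
        m = _WHITESPACE_RUN.search(line)
        if m is None:
            continue
        run_len = m.end() - m.start() - 1          # exclude the trailing \S
        preview = line[m.end() - 1 : m.end() + 59]  # first 60 chars of hidden code
        hits.append((lineno, run_len, preview))
    return hits


def scan_repo(root: str, extensions=(".js", ".ts", ".py", ".json")) -> List[Tuple[str, int, int, str]]:
    """Walk a checked-out repository and apply find_hidden_code_lines to source files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip VCS metadata and vendored dependencies (assumed noise).
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            if not name.endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for lineno, run_len, preview in find_hidden_code_lines(text):
                findings.append((path, lineno, run_len, preview))
    return findings


def find_malware_artifacts(profile_dir: Optional[str] = None) -> List[str]:
    """Return which of the artifact directories from the report exist under the profile."""
    if profile_dir is None:
        profile_dir = os.path.expanduser("~")   # %USERPROFILE% on Windows
    return [
        os.path.join(profile_dir, d)
        for d in ARTIFACT_DIRS
        if os.path.isdir(os.path.join(profile_dir, d))
    ]


# Constructed sample: a harmless config line with a payload-like string pushed
# far to the right, mimicking the layout the report describes. Not real malware.
SAMPLE_SOURCE = (
    "const config = { port: 3000 };\n"
    "module.exports = config;" + " " * 600 + "eval(require('x'))\n"
    "console.log('ok');\n"
)

if __name__ == "__main__":
    for lineno, run_len, preview in find_hidden_code_lines(SAMPLE_SOURCE):
        print(f"line {lineno}: {run_len} whitespace chars, then: {preview!r}")
    for path in find_malware_artifacts():
        print("artifact directory present:", path)
```

Run `scan_repo("/path/to/clone")` before building anything from a repository received this way; a hit means the file deserves a look with word wrap on, not that it is necessarily malicious. The artifact check is a post-infection triage aid only; absence of the directories does not prove the host is clean.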

Once the malware is installed on the target's PC, it sends the following information to an FTP server: saved passwords from all browsers, the MetaMask vault seed phrase from all browsers, and Phantom seed phrases from all browsers.

I suspect there is also access from OpenSSH and that certain Telegram information is also stolen.

The attacker then uses the stolen credentials to guess the MetaMask/Phantom vault password. Upon successfully cracking the vault, they proceed to manually drain the tokens from the wallets.

It is suspected that the target has a FixedFloat account; BNB was sent from an account there to cover gas fees.

Currently the attacker has not withdrawn any funds. [6/Dec/2024]

The attacker has moved funds to new wallets. [13/Dec/2024]

Added the new wallets that the funds have been moved to.

Based on the past history of the wallets, he might withdraw from Bitget.

https://www.chainabuse.com/address/0x1d114e73e804c4a5d8d611937423402f878484dd?chain=BINANCE