Threat Hunting Case Study – A Tale of Bots & Stolen Funds
The following article is a case study of a threat-hunting project we were asked to carry out.
Due to privacy concerns some of the information will not be disclosed here, but it is still a very interesting story!
The phishing scam
It all started with a message
When going to the site and logging in, you will see that the account you logged in to holds almost 1.5M USD, and an excited, naive person will rush to withdraw the money!
They ask the user to approve the withdrawal.
When the user signs the transaction with his wallet to approve the swap, there is no indicator of any tokens being transferred, so there is no risk, right?
Sadly, attackers are smart and build UI/UX that raises no suspicion. Behind the scenes, all of the victim's USDT will be drained. How exactly? Keep reading.
Our goal in this research is to find how big the operation is, how we can detect all their known domain and address, and understand who is behind it. During a research period of a few months, we managed to answer most of the questions, and answer a lot of other questions we didn’t know we should ask.
What did we do? Attacking on all fronts!
To gain more data on the operation we pulled every thread we had:
- The malicious Twitter account
- The malicious website
- The malicious smart contract
Bots Bots Bots
When investigating whether other bots were involved in the scam, we found limited information. The bot had a few followers/following, some tweets promoting scams, generic photos, and AI-generated text. In an effort to identify similar pages, we examined the bot's Twitter page for unique characteristics. Initially, we searched for specific emojis in the description, but this led to too many irrelevant results. Our breakthrough came from discovering a Zero Width Space (ZWS) between two emojis, which proved to be a crucial part of our fingerprinting process.
While it looks like only two emojis, there is an extra, invisible character between them, and that character was the key for the rest of the research. We suspect it is a bug in the script that generated the bot profiles.
From there we managed to find more than 300 bots with the same character, all promoting various crypto scams!
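The fingerprint described above is simple to automate. The following is an added example (not code from the original investigation) that scans profile descriptions for a Zero Width Space sitting directly between two emoji code points. The bios are constructed samples, and the emoji ranges are a deliberately coarse approximation; the Zero Width Joiner (U+200D) is intentionally not flagged because it is a legitimate part of many emoji sequences and would otherwise generate false positives.

```python
# Hunting for the ZWS-between-emojis artifact in account descriptions.
# Added example; sample bios are constructed, not real accounts.

ZWS = "\u200b"  # Zero Width Space, the artifact found in the bot bios
# U+200D (ZWJ) is excluded on purpose: it glues legitimate emoji sequences together.

def is_emoji(ch: str) -> bool:
    """Coarse emoji check by code point range (assumption: good enough for triage)."""
    cp = ord(ch)
    return (0x1F300 <= cp <= 0x1FAFF) or (0x2600 <= cp <= 0x27BF) or (0x1F000 <= cp <= 0x1F2FF)

def zws_between_emojis(text: str) -> list:
    """Return offsets where a ZWS is immediately surrounded by two emoji."""
    hits = []
    for i in range(1, len(text) - 1):
        if text[i] == ZWS and is_emoji(text[i - 1]) and is_emoji(text[i + 1]):
            hits.append(i)
    return hits

def show_hidden(text: str) -> str:
    """Render zero-width characters as escapes so an analyst can see them."""
    return "".join(f"\\u{ord(c):04x}" if c in ("\u200b", "\u200c", "\u200d", "\ufeff") else c for c in text)

def fingerprint_bios(bios: dict) -> dict:
    """Map handle -> True if the bio carries the fingerprint."""
    return {handle: bool(zws_between_emojis(bio)) for handle, bio in bios.items()}

# Constructed sample descriptions (handles and text are made up).
SAMPLE_BIOS = {
    "@bot_one": "Crypto signals daily 🚀\u200b💰 DM for free airdrop",
    "@human": "Backend engineer. Coffee ☕ and cats 🐈",
    "@family": "👨\u200d👩\u200d👧 proud parent",  # ZWJ sequence: legitimate, must not match
    "@bot_two": "💎\u200b🔥 100x gems | link below",
}

if __name__ == "__main__":
    for handle, flagged in fingerprint_bios(SAMPLE_BIOS).items():
        print(f"{handle:10} flagged={flagged}  {show_hidden(SAMPLE_BIOS[handle])}")
```

Run over a dump of profile descriptions, the flagged set becomes the seed list for clustering; the `show_hidden` output is useful when documenting the finding, since the raw bio looks like two ordinary emojis.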
Our research into the website involved thorough reconnaissance: analyzing the server's subdomains and folders, open-source intelligence (OSINT), server fingerprinting, targeted search queries (Google dorks), Google Analytics IDs, Certificate Transparency logs, and more. Through these efforts we discovered a custom back-end for the website that was not linked from the public site.
With the help of one of our Google dorks, we found that this admin interface had been mentioned in a Pastebin post a few months earlier. That post contained a list of hundreds of similar websites using the same back-end.
We got lucky and found that one of these sites had uploaded its sourcemaps, giving us access to the full front-end source code, including comments. This led us to the real name of the scam platform, which we later found was being sold as a crypto scam framework on the darknet.
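An exposed sourcemap leaks exactly what the paragraph above describes: original file paths, full source and developer comments. The following added example (not the investigation's tooling) shows the two checks involved: spotting a `sourceMappingURL` pointer in a shipped bundle, and recovering the embedded `sourcesContent` with its comments from a map. The sourcemap JSON and bundle text are constructed to mimic bundler output and are not taken from any real site.

```python
import json
import re

# Constructed sourcemap in the standard v3 shape (sourcesContent embedded).
# Paths and code are made up for the example.
SAMPLE_SOURCEMAP = json.dumps({
    "version": 3,
    "file": "app.min.js",
    "sources": ["webpack:///src/api/withdraw.js", "webpack:///src/ui/Banner.jsx"],
    "sourcesContent": [
        "// TODO: rename before release - internal name still visible\n"
        "export const API = '/admin-backend/api';\n",
        "export function Banner() { return 'Your balance: 1,499,999 USDT'; }\n",
    ],
    "mappings": "AAAA",
})

# Constructed minified bundle that still carries its sourcemap pointer.
SAMPLE_BUNDLE = "console.log(1);\n//# sourceMappingURL=app.min.js.map\n"

SOURCEMAP_URL_RE = re.compile(r"^//[#@]\s*sourceMappingURL=(\S+)\s*$", re.M)
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

def find_sourcemap_url(bundle_js: str):
    """Return the sourceMappingURL referenced by a bundle, or None."""
    m = SOURCEMAP_URL_RE.search(bundle_js)
    return m.group(1) if m else None

def recover_sources(sourcemap_text: str) -> dict:
    """Map original path -> original source for every entry with embedded content."""
    sm = json.loads(sourcemap_text)
    contents = sm.get("sourcesContent") or []
    return {
        src: contents[i]
        for i, src in enumerate(sm.get("sources", []))
        if i < len(contents) and contents[i] is not None
    }

def extract_comments(source: str) -> list:
    """Pull line and block comments; these are what the minifier normally strips."""
    return [m.group(0).strip() for m in COMMENT_RE.finditer(source)]

def audit_sourcemap(sourcemap_text: str) -> dict:
    """Per-file comment list: a quick view of what a published map gives away."""
    return {path: extract_comments(code) for path, code in recover_sources(sourcemap_text).items()}

if __name__ == "__main__":
    print("map referenced by bundle:", find_sourcemap_url(SAMPLE_BUNDLE))
    for path, comments in audit_sourcemap(SAMPLE_SOURCEMAP).items():
        print(path, "->", comments)
```

Defenders can point the same two functions at their own production bundles: a `sourceMappingURL` that resolves, combined with a map carrying `sourcesContent`, means the full front end is public.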
Tricky Smart Contract
During our investigation into smart contracts, a review of the malicious transactions revealed that the contract was deceitfully asking the user to “approve all” and give permission for the contract to drain all funds from the user’s wallet. The ease of this scam is due to the prevalent high-risk nature of many Dapps today, as highlighted in a great piece by our colleagues at Zengo.
However, we wanted to dig deeper and decided to reverse-engineer the contract. Our analysis uncovered a strange opcode being triggered when the user attempted to withdraw funds. The contract checked the global variable block.basefee, represented by the 0x48 EVM opcode in EIP-3198. If this variable was equal to 0, all contract funds would be transferred to the victim – the exact opposite of a scam, leaving us puzzled.
(Stay tuned for our upcoming tutorial on how to reverse engineer contracts using ChatGPT.)
Further research led us to the solution. There are many transaction simulation tools that allow users to preview the outcome of a transaction without actually executing it. These tools are mainly wrappers for the Ethereum node implementation of trace_call/debug_traceCall.
The attacker understood how trace_call is implemented and wrote code that behaves differently under simulation than on-chain, so that no user would become suspicious. Under simulation the result looks as if the victim will receive funds, while in reality nothing of the kind happens.
Such evasive malware is rarely seen in the wild, and to our knowledge this is the first case of anti-VM (simulation-evading) EVM-based malware.
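The BASEFEE check described above leaves a trace in the contract bytecode, and that is something a triage tool can look for. The following added example (not the investigation's own tooling) is a minimal EVM bytecode walker that honours PUSH1..PUSH32 immediates, so a 0x48 byte inside push data is not mistaken for the opcode, and reports every real BASEFEE (0x48, EIP-3198) instruction. The two bytecode strings are constructed for the example, not taken from the contract in the case study.

```python
# Flag environment-dependent opcodes (here: BASEFEE) in raw EVM bytecode.
# Added example; bytecode samples below are constructed, not the real contract.

SIMULATION_SENSITIVE = {0x48: "BASEFEE"}  # the opcode the case study found

# Small name table for readable disassembly; anything else prints as hex.
OPCODE_NAMES = {0x00: "STOP", 0x15: "ISZERO", 0x48: "BASEFEE", 0x56: "JUMP",
                0x57: "JUMPI", 0x5b: "JUMPDEST", 0xf3: "RETURN", 0xfd: "REVERT"}

def disassemble(code: bytes) -> list:
    """Return [(pc, opcode, immediate_bytes)] with PUSH immediates consumed."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if 0x60 <= op <= 0x7f:          # PUSH1 (0x60) .. PUSH32 (0x7f)
            n = op - 0x5f
            out.append((pc, op, code[pc + 1:pc + 1 + n]))
            pc += 1 + n
        else:
            out.append((pc, op, b""))
            pc += 1
    return out

def find_env_checks(code: bytes) -> list:
    """List (pc, name) for each instruction whose result depends on block environment."""
    return [(pc, SIMULATION_SENSITIVE[op]) for pc, op, _ in disassemble(code) if op in SIMULATION_SENSITIVE]

def pretty(code: bytes) -> str:
    lines = []
    for pc, op, imm in disassemble(code):
        name = OPCODE_NAMES.get(op, f"PUSH{len(imm)}" if imm else f"0x{op:02x}")
        lines.append(f"{pc:04x}: {name}" + (f" 0x{imm.hex()}" if imm else ""))
    return "\n".join(lines)

# Constructed: BASEFEE, ISZERO, PUSH2 0x000a, JUMPI, STOP, PUSH1 0x48, STOP, JUMPDEST, STOP.
# The PUSH1 0x48 is bait: a naive byte scan would report two BASEFEEs.
SUSPICIOUS = bytes.fromhex("481561000a57006048005b00")

# Constructed: a single PUSH32 whose data is all 0x48 bytes, then STOP. No real BASEFEE.
BENIGN = bytes.fromhex("7f" + "48" * 32 + "00")

if __name__ == "__main__":
    for label, code in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(f"== {label} ==\n{pretty(code)}\nenv checks: {find_env_checks(code)}\n")
```

A hit is a triage signal, not a verdict: contracts that price gas against block.basefee read it legitimately. The stronger check is differential analysis, simulating the same call with a realistic non-zero basefee and comparing the resulting token transfers with the zero-basefee run; a contract whose outcome flips between the two is behaving exactly as the one described above.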
In conclusion, this threat-hunting project highlights the importance of thorough and multi-front research when it comes to detecting and understanding crypto scams. From bot fingerprinting and website reconnaissance to smart contract analysis, the various techniques used in this case study show how comprehensive analysis can uncover the true nature of an operation and lead to a deeper understanding of the motivations behind it.
Moreover, this case study highlights the importance of staying vigilant and cautious when it comes to online transactions, especially in the world of cryptocurrency. As the attackers in this case were able to create a convincing UI/UX, it is crucial to educate users about the dangers of phishing scams and the importance of verifying the authenticity of any website or transaction before approving it. By doing so, we can help to mitigate the risk of stolen funds and ensure a safer and more secure online environment.
Want to Hear More?
A free consulting meeting included.