Week 36, 2019

Glupteba | Istanbul | QR | Side-Channel

A quieter week in blockchain security where we can deep dive into several interesting research articles. Check out the novel malware communication channel using Bitcoin’s OP_RETURN transactions to embed updated C2 servers, security considerations in the upcoming Ethereum Istanbul hard fork, detailed steps on executing hardware wallet side-channel attacks, and Bitcoin QR code scams.

Malware

  • Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions - a malware analysis report and Appendix on the older Glupteba family targeting Windows hosts and vulnerable MikroTik routers to mine Monero, steal credentials, and proxy malicious traffic. In addition to more traditional HTTP-based C2 communication, Glupteba can locate an updated C2 server name hidden inside Bitcoin OP_RETURN transactions sent from a hard-coded Bitcoin address. Normally this type of transaction is used to embed arbitrary binary data on the blockchain, which also makes it a convenient place to embed C2 commands: the update channel cannot be taken down, but defenders can watch the same address for new transactions. The malware also uses a publicly available Electrum node list to communicate with the Bitcoin network.

    Indicators:

    C2 Bitcoin address (follow the tx chain):
    15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6

    C2 Hosts:
    5[.]9[.]157[.]50
    keepmusic[.]xyz
    playfire[.]online
    venoxcontrol[.]com
    okonewacon[.]com
    blackempirebuild[.]com
    bigtext[.]club
    clubhouse[.]site
    nxtfdata[.]xyz
    lienews[.]world
    phonemus[.]net
    takebad1[.]com
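Hunting for this channel comes down to watching the listed address and decoding the OP_RETURN output of every transaction it sends. The parser below is an added example, not code from the Trend Micro report or from the Glupteba sample: SAMPLE_TX is constructed in the shape of bitcoind's decoderawtransaction output, its payload is a placeholder string rather than the real C2 data format, and extract_op_return / scan_watched_address are this example's own names.

```python
"""Decode OP_RETURN payloads from Bitcoin transaction outputs.

Added example; not code from the Trend Micro report or the Glupteba sample.
SAMPLE_TX below is constructed in the shape of bitcoind's
`decoderawtransaction` output, and its payload is a placeholder string,
not the real C2 data format.
"""

OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x6A, 0x4C, 0x4D, 0x4E


def read_push(script: bytes, pos: int):
    """Decode the data push that starts at script[pos].

    Returns (data, position after the push), or None when the opcode at pos
    is not a push. Raises ValueError on a push that runs past the script end.
    """
    op = script[pos]
    if 1 <= op <= 0x4B:                   # OP_PUSHBYTES_1 .. OP_PUSHBYTES_75
        n, start = op, pos + 1
    elif op == OP_PUSHDATA1:              # 1-byte length follows
        n, start = int.from_bytes(script[pos + 1:pos + 2], "little"), pos + 2
    elif op == OP_PUSHDATA2:              # 2-byte little-endian length follows
        n, start = int.from_bytes(script[pos + 1:pos + 3], "little"), pos + 3
    elif op == OP_PUSHDATA4:              # 4-byte little-endian length follows
        n, start = int.from_bytes(script[pos + 1:pos + 5], "little"), pos + 5
    else:
        return None
    data = script[start:start + n]
    if start > len(script) or len(data) != n:
        raise ValueError("push runs past end of script")
    return data, start + n


def extract_op_return(script_pubkey_hex: str):
    """Return the bytes pushed after OP_RETURN (several pushes are concatenated),
    or None if this output is not an OP_RETURN output."""
    script = bytes.fromhex(script_pubkey_hex)
    if not script or script[0] != OP_RETURN:
        return None
    pos, chunks = 1, []
    while pos < len(script):
        res = read_push(script, pos)
        if res is None:
            raise ValueError(f"non-push opcode 0x{script[pos]:02x} after OP_RETURN")
        data, pos = res
        chunks.append(data)
    return b"".join(chunks)


def op_return_payloads(tx: dict):
    """Yield (vout index, payload) for every OP_RETURN output of a decoded tx."""
    for out in tx["vout"]:
        payload = extract_op_return(out["scriptPubKey"]["hex"])
        if payload is not None:
            yield out["n"], payload


# Constructed sample: one P2PKH output and one 11-byte OP_RETURN output.
SAMPLE_TX = {
    "txid": "00" * 32,                                     # placeholder txid
    "vout": [
        {"n": 0, "value": 0.0001,
         "scriptPubKey": {"hex": "76a914" + "11" * 20 + "88ac"}},
        {"n": 1, "value": 0.0,
         "scriptPubKey": {"hex": "6a0b" + b"hello world".hex()}},
    ],
}


def scan_watched_address(txs: list) -> list:
    """What a watcher would run on each new transaction from the C2 address:
    collect every OP_RETURN payload so it can be logged and decoded further."""
    return [(tx["txid"], n, payload)
            for tx in txs for n, payload in op_return_payloads(tx)]


if __name__ == "__main__":
    for txid, n, payload in scan_watched_address([SAMPLE_TX]):
        print(f"{txid[:8]} vout {n}: {payload!r}")
```

Feed it the decoded transactions of the address above (for example from a node's decoderawtransaction or a block explorer API) and alert on any new payload; the decoded bytes are where the report's analysis of the C2 update format starts.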

Research

  • Stop Using Solidity's transfer() Now - the article covers the security implications of the upcoming Istanbul hard fork and EIP 1884 for the transfer() and send() functions, which forward a fixed 2300 gas stipend to the recipient. EIP 1884 raises the cost of SLOAD and a few other opcodes, so recipient fallback functions that used to fit in the stipend will start to run out of gas; conversely, a future decrease in gas costs may be just enough to pay for a reentrant call within those 2300 gas. The article outlines several safe patterns (call.value() combined with checks-effects-interactions and a reentrancy guard) to defend against future instruction gas cost changes.

  • Using TensorFlow / machine learning for automated RF side-channel attack classification - a detailed research article into the machine learning and side-channel setup used to attack Ledger Blue hardware wallets.

  • QR Code Degenerators: Unmasking a Crypto Scam - research into online Bitcoin QR code generators which found that four of the top five Google search results were scams that encoded the scammer's address instead of the one the user entered.

    Indicators:

    Malicious QR Generators:
    hxxps://bitcoinqrcodegenerator[.]net/
    hxxps://btcfrog[.]com/
    hxxps://bitcoin-qr-code[.]net
    hxxps://mybitcoinqrcode[.]com/


    Scammer Bitcoin Addresses:
    17bCMmLmWayKGCH678cHQETJFjhBR44Hjx
    14ZGdFRaCN8wkNrHpiYLygipcLoGfvUAtg
    35mJx4EeEY7Lnkxvg1Swn1eSUN1TtQsQ3
    bc1qs4hcuqcv4e5lcd43f4jsvyx206nzkh4az05nds
    1KrHRyK9TKNU4eR5nhJdTV6rmBpmuU3dGw
    1Gg9VZe1E4XTLsmrTnB72QrsiHXKbcmBRX

  • Analysis of bouncing attack on FFG - details of an attack that may cause a liveness failure in the upcoming Ethereum Casper FFG protocol. Also, check out the related Prevention of bouncing attack on FFG article with a proposed fix.
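A practical check for the QR generator scam above: never trust the image a third-party site hands back. Decode the QR with any decoder and run its payload through a check like the one below, which parses the bitcoin: URI, verifies the Base58Check checksum of a legacy address and requires a byte-for-byte match with the address you typed in. This is an added example rather than code from the linked research; the addresses it builds come from dummy hash160 values, and parse_bip21 / qr_payload_matches are this example's own names. Bech32 (bc1) addresses are only compared for equality here, since the bech32 checksum routine is not included.

```python
"""Verify that a 'bitcoin:' QR payload really encodes the address you meant.

Added example, not from the linked research. The addresses used below are
constructed from dummy hash160 values, not real wallets.
"""
import hashlib
from urllib.parse import parse_qs

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of double SHA-256."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(version: int, hash160: bytes) -> str:
    """Build a legacy address (0x00 = P2PKH, 0x05 = P2SH) from a 20-byte hash."""
    payload = bytes([version]) + hash160
    raw = payload + _checksum(payload)
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))   # each leading zero byte is a '1'
    return "1" * pad + out


def b58check_decode(addr: str):
    """Return (version, hash160); raise ValueError on bad chars, length or checksum."""
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)                # ValueError for chars outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) != 25:
        raise ValueError("wrong length for a legacy address")
    payload, chk = raw[:21], raw[21:]
    if _checksum(payload) != chk:
        raise ValueError("bad checksum")
    return payload[0], payload[1:]


def is_valid_legacy_address(addr: str) -> bool:
    try:
        b58check_decode(addr)
        return True
    except ValueError:
        return False


def parse_bip21(uri: str):
    """Split 'bitcoin:<address>?amount=..&label=..' into (address, params)."""
    scheme, _, rest = uri.partition(":")
    if scheme.lower() != "bitcoin":
        raise ValueError("not a bitcoin: URI")
    address, _, query = rest.partition("?")
    return address, {k: v[0] for k, v in parse_qs(query).items()}


def qr_payload_matches(payload: str, expected_addr: str) -> bool:
    """True only if the decoded QR carries exactly the address we intended.

    A swapped address (the scam described in the article) fails the equality
    test; a mangled one fails the checksum. bc1 addresses get the equality
    test only, because no bech32 checksum routine is included here.
    """
    addr = parse_bip21(payload)[0] if ":" in payload else payload
    if addr != expected_addr:
        return False
    if addr[:3].lower() == "bc1":
        return True
    return is_valid_legacy_address(addr)


if __name__ == "__main__":
    mine = b58check_encode(0x00, bytes(range(1, 21)))      # constructed hash160
    swapped = b58check_encode(0x05, bytes(20))              # "generator's" address
    print(qr_payload_matches(f"bitcoin:{mine}?amount=0.01", mine))      # True
    print(qr_payload_matches(f"bitcoin:{swapped}?amount=0.01", mine))   # False
```

Generate the QR locally instead whenever possible; when you must use a web generator, decode the resulting image on a machine you control and compare, rather than trusting the rendered text next to the image.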

Stay safe and see you all in the next edition of the blockchain threat intelligence newsletter!


Protect Your Crypto

Buy a hardware wallet:


Support the newsletter

BTC: 39M1VZxR2W4S3nQsj6RUmNbrdLkLT27U2k
ETH: 0x571B7313b36AF37E61359635157657DbAb6Ec240

Week 35, 2019

Lightning | Parity | Siacoin | Retadup

Never a dull week in blockchain security! This week multiple critical vulnerabilities were patched in Bitcoin Lightning projects and the Parity Ethereum node software. Interesting news of a French law enforcement agency turning the Retadup malware's own infrastructure against it to disable 850,000 malicious miner instances. Also check out the detailed McAfee report covering the latest TTPs (Tactics, Techniques, and Procedures) used by cryptocurrency related malware and actors.

News

Bugs

Malware

Events

That’s all for this week in blockchain intelligence. Patch your nodes and stay safe out there.



Week 34, 2019

RubyGem | Beaxy | Moscow | PlusToken

Another fun week in blockchain security where a compromised RubyGems account resulted in cryptojacking code being added to a popular Ruby library. More details were revealed on the massive Beaxy exchange hack and the PlusToken scam.

Hacks

Research

  • Beaxy — Incompetent. In Denial. Insolvent? - a great investigative report into the XRP partial payment hack of the Beaxy exchange including a complete incident timeline. On the XRP Ledger a payment with the partial payment flag set may deliver less than its Amount field, so an exchange that credits the Amount instead of the delivered_amount in the transaction metadata can be drained. The total loss listed in the article was 43 BTC and 111k XRP.

    Indicators:

    XRP Addresses:
    raz97dHvnyBcnYTbXGYxhV8bGyr1aPrE5w
    rTNTzZ2ewR5kLRuCTerWyKAXgBrwRjfa1
    rwDGX47HETkMb4LgnYt7qCTEGKjjQpFjrp

    BTC Addresses:
    13LZMvczfqwF8aG2WSsoREf5fyvnjmUg1y
    16K7aBM9HpXcgmBUswf9ix37y5VaNQuvRx

  • A Survey on Ethereum Systems Security: Vulnerabilities, Attacks and Defenses - a detailed threat model of Ethereum on application, data, consensus, network, and environment layers. The paper also includes examples of attacks and specific defense mechanisms used to protect smart contracts.

  • Jump-Oriented Programming on EVM Opcode - an interesting blog post with links to the Defcon 27 Blockchain Village talk, source code and videos covering the use of JOP in smart contracts.

  • 10 Million ETH: Big Mysteries Revealed About PlusToken - an investigation into the Ethereum addresses involved in the massive 10 million ETH scam. The report notes that 820k ETH are lying dormant while the remainder has been distributed among 248k Ethereum addresses, with the top 10 accounts holding a significant portion. Of the funds that moved to exchanges, the attackers used Huobi for about half of the total transactions, with ZB[.]com, Upbit, Okex, and Gate[.]io trailing behind.

    Indicators:

    0xf4a2eff88a408ff4c4550148151c33c93442619e
    0xef13a2c29f7a433aff08c60007bc276a64c7bdf5
    0x32b0ccd7fd17f2a03fd0346378e750fe1c5e2194
    0x4416a953b466695a65f5c0a1634982fe6c090fe9
    0x6013f376191b0daa5910e69372316ab3b56d5d2e
    0x7e1793bc8cc86fef0ba448076d7cb0c773fd682f
    0x96afe718f1f424f0eb5ad017911fd9023918187e
    0xe6515162d73013b66697851a118b67b6eb73803a
    0xb100d11fd9cf3deb2995e10bdeea961ab81ade4e
    0x3d2d6f622dd2a855c688b2674741fd84dcd301bb
    0xd0ca6730bee060c11e3bf7759d6150b332a35080
    0xdbc5acac14d5e317ca76dda5fedfbc36a26afb7e
    0x98d2e9862e193d93657103362aaa6f721883b208


    https://github.com/elementus-io/plustoken/blob/master/plustoken-ethereum-addresses.csv

  • Advances in Automated Smart Contract Vulnerability Detection - a great demonstration of current state of the art in smart contract security assessment using MythX.

  • Bitcoin’s Security Budget is Adequate - an analysis of Bitcoin’s security from an economic perspective.
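The XRP partial payment issue behind the Beaxy incident above is a bookkeeping error: crediting the Amount a payment asked to deliver instead of the delivered_amount the ledger reports in the validated transaction metadata. The deposit handler below is an added example, not Beaxy's code or anything from the linked report; the transaction and metadata objects are constructed in the shape of rippled's tx response, the addresses are placeholders, and naive_credit / safe_credit are this example's own names.

```python
"""Credit XRP deposits by what the ledger delivered, not by what was requested.

Added example; not Beaxy's code or anything from the linked report. The
transaction and metadata below are constructed in the shape of rippled's
`tx` response, and the addresses are placeholders, not real accounts.
"""

TF_PARTIAL_PAYMENT = 0x00020000        # XRPL Payment flag: deliver *up to* Amount


def naive_credit(tx: dict) -> int:
    """The bug: credit the Amount field, i.e. what the sender asked to deliver."""
    return int(tx["Amount"])


def is_partial_payment(tx: dict) -> bool:
    return bool(tx.get("Flags", 0) & TF_PARTIAL_PAYMENT)


def safe_credit(tx: dict, meta: dict, our_address: str):
    """Return (drops to credit, reason). Credits 0 unless delivery is proven.

    delivered_amount comes from the validated transaction metadata; for XRP it
    is a string of drops. rippled reports "unavailable" for ledgers before
    2014-01-20 and an object for issued currencies; both are refused here.
    """
    if tx.get("TransactionType") != "Payment":
        return 0, "not a Payment"
    if tx.get("Destination") != our_address:
        return 0, "not addressed to our deposit account"
    if meta.get("TransactionResult") != "tesSUCCESS":
        return 0, f"result {meta.get('TransactionResult')}"
    if not isinstance(tx.get("Amount"), str):
        return 0, "issued-currency Amount; this path credits XRP only"
    delivered = meta.get("delivered_amount")
    if not isinstance(delivered, str) or not delivered.isdigit():
        return 0, "delivered_amount missing, unavailable, or not XRP"
    return int(delivered), "ok"


# Constructed sample in the shape of rippled's `tx` response (placeholders).
EXCHANGE_ADDR = "rExchangeDepositPlaceholder000000000"   # hypothetical
ATTACKER_ADDR = "rAttackerPlaceholder00000000000000000"   # hypothetical

PARTIAL_TX = {
    "TransactionType": "Payment",
    "Account": ATTACKER_ADDR,
    "Destination": EXCHANGE_ADDR,
    "Amount": "1000000000000",            # asks for 1,000,000 XRP (in drops)
    "SendMax": {"currency": "USD", "issuer": ATTACKER_ADDR, "value": "0.001"},
    "Flags": TF_PARTIAL_PAYMENT,
}
PARTIAL_META = {"TransactionResult": "tesSUCCESS", "delivered_amount": "1000"}

NORMAL_TX = {
    "TransactionType": "Payment",
    "Account": ATTACKER_ADDR,
    "Destination": EXCHANGE_ADDR,
    "Amount": "5000000",                  # 5 XRP
    "Flags": 0,
}
NORMAL_META = {"TransactionResult": "tesSUCCESS", "delivered_amount": "5000000"}


if __name__ == "__main__":
    print("naive credit :", naive_credit(PARTIAL_TX), "drops")          # 1,000,000 XRP
    print("safe credit  :", safe_credit(PARTIAL_TX, PARTIAL_META, EXCHANGE_ADDR))  # (1000, 'ok')
```

The same rule applies to any ledger with an equivalent "requested vs delivered" distinction: credit only the amount the validated ledger state says arrived, and treat an absent or non-numeric delivered value as zero, never as the requested amount.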

Malware

That’s all for this week’s Blockchain Intelligence. Stay safe and don’t install miners at work, especially if you work at a Nuclear Reactor.



Week 33, 2019

Beaxy | PlusToken | Dash | EOS

The last few weeks without an exchange hack have unfortunately been interrupted by Beaxy, which fell victim to a well known XRP exploit. A number of excellent research articles came out this week ranging from CipherTrace’s Q2 report on the whole blocksec industry to more specific papers on vulnerabilities in EOS, tracking Ethereum honeypots, PlusToken scam details, and many others. Dash fell victim to an apparent attack which resulted in masternodes crashing and transactions being dropped.

Hacks

Crime

Bugs

Research

Malware

Events

Hope you enjoyed this week’s blockchain threat intelligence report! Stay safe and see you all next week.



Week 32, 2019

Blockchain Village | Binance | Coinbase | APT41

For those of you still recovering from the BlackHat/Defcon conferences, I am happy to report that the Blockchain Security village was a real success! Featuring about two dozen high quality talks and two competitions running in parallel, it felt like a conference within a conference. Watch out for Defcon releasing conference recordings in the next few weeks to check out some of the talks. There are also a number of security talks coming up during the upcoming Berlin blockchain week, covered below.

In other news, Binance was a hot topic with an extortion attempt and a cache of leaked KYC data, a U.N. report on North Korea raising funds through hacking every cryptocurrency exchange and bank it can get to, an excellent APT 41 report on a Chinese nation-state actor targeting the cryptocurrency industry when it’s not busy running espionage operations, and plenty of new malware to watch out for.

News:

Events:

  • Web3 Summit 2019 - a security node during the Web3 summit on August 19-21 will include workshops on everything Ethereum security from Solidified, MythX, Zeppelin, and others.

  • #blockchainhackers vol.3 - a security meetup on August 22nd during Berlin blockchain week which will include speakers from ConsenSys, Hacken, ChainSecurity, SmartDec, and others.

  • Capture the Coin - a month long CTF competition has kicked off during the Blockchain Village at Defcon and will continue until September 9th. The competition includes a number of blocksec related challenges such as smart contract exploitation, cryptography puzzles, blockchain investigations, wallet malware, and others. A number of my coworkers at Coinbase and I have put together this competition and hope you will enjoy playing it.

  • Chain Heist - an excellent CTF-style competition which includes a number of vulnerable Ethereum smart contracts covering a wide range of security issues. The main event, in which I had the privilege to compete and win the main prize, is over; however, all of the challenges are still up and you can play them today.

Research:

  • Binance Hack 2019 – A Deep Dive Into Money Laundering And Mixing - a research article investigating the recent surge in activity of a crypto mixing service - Chipmixer. The article links the activity to BTC stolen from Binance and BitPoint exchanges.

  • ShapeShift Security Update - an in-depth discussion of a recently reported side channel attack against ShapeShift (and other hardware wallets).

  • Litecoin Dusting Attack - a notification and a linked research article by Binance into the ongoing dusting attack on the Litecoin network.

  • Bitcoin vaults with anti-theft recovery/clawback mechanisms - a soft fork proposal to create a delay period during which a wallet owner could observe and respond to theft of funds.

  • Double Dragon - APT 41, a dual espionage and cyber crime operation - a detailed report by FireEye into a state-sponsored actor conducting a number of financially motivated intrusions in addition to espionage and surveillance operations. The group’s focus on virtual currency targets, including in-game currencies, cryptocurrencies, and related services, is of particular interest to readers. The report provides a detailed view of the group’s malware capabilities, initial compromise and further exploitation techniques. In at least one instance the group attempted to install ransomware and in another deployed an XMRig miner.

    Indicators:

    Domains:
    agegamepay[.]com
    ageofwuxia[.]com
    ageofwuxia[.]info
    ageofwuxia[.]net
    ageofwuxia[.]org
    bugcheck.xigncodeservice[.]com
    byeserver[.]com
    dnsgogle[.]com
    gamewushu[.]com
    gxxservice[.]com
    ibmupdate[.]com
    infestexe[.]com
    kasparsky[.]net
    linux-update[.]net
    macfee[.]ga
    micros0ff[.]com
    micros0tf[.]com
    notped[.]com
    operatingbox[.]com
    paniesx[.]com
    serverbye[.]com
    sexyjapan.ddns[.]info
    symanteclabs[.]com
    techniciantext[.]com
    win7update[.]net
    xigncodeservice[.]com

    URLs:
    https://docs.google[.]com/document/d/1lCySd5ZNGj9Jz8pigZsuv8lciusYKqOqORpe2EOzgmU
    https://docs.google[.]com/document/d/1KJ_RJRtkKhcuJjXOCKtEOLuwH3sRi72PUhtfukncyRc
    https://docs.google[.]com/document/d/1TkTC3fHUvEBsBurZIGw7Kf5YsPjblpahlFksRDCuTo
    https://docs.google[.]com/document/d/1iQwnF3ibWPZ6-95VHrRAPrL6u_UT_K7X-rQrB7xt95k
    https://steamcommunity[.]com/id/119887132
    https://steamcommunity[.]com/id/869406565
    https://steamcommunity[.]com/id/oswal053

    Email Addresses:
    akbklxp@126[.]com
    akbklxp@163[.]com
    hackershby@126[.]com
    hrsimon59@gmail[.]com
    injuriesa@126[.]com
    injuriesa@163[.]com
    injuriesa@gmail[.]com
    injuriesa@hotmail[.]com
    injuriesa@qq[.]com
    kbklxp@126[.]com
    petervc1983@gmail[.]com
    ravinder10@126[.]com
    ravinder10@hotmail[.]com
    ravinder10@sohu[.]com
    wolf_zhi@yahoo[.]com

  • 246 Findings From our Smart Contract Audits: An Executive Summary - a detailed statistical analysis of vulnerability classes discovered as part of 23 security audits with a total of 246 security findings. Data validation and access control flaws were the most common findings, constituting 36% and 10% of total findings respectively. The report also points out that almost 49% of the findings are unlikely to be discovered with static or dynamic analysis tools and require a human auditor to detect.

  • The Elliptic Data Set: opening up machine learning on the blockchain - background information on the recently released bitcoin transaction data set.

  • Bitcoin Security under Temporary Dishonest Majority - a research study which examines several scenarios where a dishonest majority temporarily takes over the Bitcoin network.

Malware:

  • Access Mining - How a Prominent Cryptomining Botnet is Paving the Way for a Lucrative and Illicit Revenue Model - a detailed Carbon Black report on the Smominru cryptominer, which has now started to exfiltrate data and provide remote access. The report links Smominru to a separate MyKings botnet and to a marketplace which sells access to infected hosts.

  • Clipsa – Multipurpose password stealer - an Avast Antivirus report on a Visual Basic malware sample capable of stealing cryptocurrency wallets, brute-forcing WordPress credentials, silently replacing cryptocurrency addresses in the clipboard, and installing an XMRig miner.

    Indicators:

    Network Indicators:
    http[:]//besttipsfor[.]com
    http[:]//chila[.]store
    http[:]//globaleventscrc[.]com
    http[:]//ionix.co[.]id
    http[:]//mahmya[.]com
    http[:]//mohanchandran[.]com
    http[:]//mutolarahsap[.]com
    http[:]//northkabbadi[.]com
    http[:]//poly.ufxtools[.]com
    http[:]//raiz[.]ec
    http[:]//rhsgroup[.]ma
    http[:]//robinhurtnamibia[.]com
    http[:]//sloneczna10tka[.]pl
    http[:]//stepinwatchcenter[.]se
    http[:]//topfinsignals[.]com
    http[:]//tripindiabycar[.]com
    http[:]//videotroisquart[.]net
    http[:]//wbbministries[.]org

    BTC Addresses (Clipboard replacement):
    https://github.com/avast/ioc/blob/master/Clipsa/appendix_files/btc_addresses_complete.txt

    ETH Address (Clipboard replacement):
    0x4966DB520B0680fC19df5d7774cA96F42E6aBD4F

  • Saefko: A new multi-layered RAT - a Zscaler report into a new .NET malware with remote execution, keylogging, connection proxying, and data stealing capabilities. The malware is interesting because it specifically targets machines with evidence of the user visiting major cryptocurrency company websites including Coinbase, Kraken, Shapeshift, Bitfinex, and others.

    Indicators:

    MD5:
    D9B0ECCCA3AF50E9309489848EB59924
    C4825334DA8AA7EA9E81B6CE18F9C15F
    952572F16A955745A50AAF703C30437C
    4F2607FAEC3CB30DC8C476C7029F9046
    7CCCB06681E7D62B2315761DBE3C81F9
    5B516EAB606DC3CC35B0494643129058

    Downloader URL:
    industry.aeconex[.]com/receipt-inv.zip
    3.121.182[.]157/dwd/explorer.exe
    3.121.182[.]157/dwd/vmp.exe
    deqwrqwer.kl[.]com.ua/ex/explorer.exe
    maprivate[.]date/dhl-miss%20craciun%20ana%20maria%20#bw20feb19.zip

    Network URL:
    acpananma[.]com/love/server.php
    3.121.182[.]157/smth/server.php
    f0278951.xsph[.]ru/server.php
    maprivate[.]date/server.php

Media:

Tools:

That’s all for this busy week in blockchain threat intelligence. Stay safe and see you next week!
