A quieter week in blockchain security where we can deep dive into several interesting research articles. Check out the novel malware communication channel using Bitcoin’s OP_RETURN transactions to embed updated C2 servers, security considerations in the upcoming Ethereum Istanbul hard fork, detailed steps on executing hardware wallet side-channel attacks, and Bitcoin QR code scams.

Malware

• Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions - a malware analysis report and Appendix on the older Glupteba family targeting Windows hosts and vulnerable MikroTik routers to miner Monero, steal credentials, and proxy malicious traffic. In addition to more traditional HTTP-based C2 communication, Glupteba can locate an updated C2 server name hidden inside Bitcoin OP_RETURN transactions sent by a hard-coded Bitcoin address. Normally this type of transactions is used to embed arbitrary binary data on the blockchain which also makes it a great place to embed C2 commands. Malware also uses a publicly available Electrum node list to communicate with the Bitcoin network.
  
  Indicators:
  
  C2 Bitcoin address (follow the tx chain):
  15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6
  
  C2 Hosts:
  5[.]9[.]157[.]50
  keepmusic[.]xyz
  playfire[.]online
  venoxcontrol[.]com
  okonewacon[.]com
  blackempirebuild[.]com
  bigtext[.]club
  clubhouse[.]site
  nxtfdata[.]xyz
  lienews[.]world
  phonemus[.]net
  takebad1[.]com

Research

• Stop Using Solidity's transfer() Now - the article covers the security implications of the upcoming Istanbul hard fork and EIP 1884 related to transfer() and send() functions. The decrease in Gas cost of these instructions may be just enough to pay for a reentrant call in the future. The article outlines several safe patterns to defend against future instruct gas cost changes.

• Using TensorFlow / machine learning for automated RF side-channel attack classification - a detailed research article into the machine learning and side-channel set up used to attack Ledger Blue hardware wallets.

• QR Code Degenerators: Unmasking a Crypto Scam - a research into online QR generators found that 4 out of 5 top Google search results were scams which embedded malicious addresses instead of the intended ones.
  
  Indicators:
  
  Malicious QR Generators:
  hxxps://bitcoinqrcodegenerator[.]net/
  hxxps://btcfrog[.]com/
  hxxps://bitcoin-qr-code[.]net
  hxxps://mybitcoinqrcode[.]com/
  
  Scammer Bitcoin Addresses:
  17bCMmLmWayKGCH678cHQETJFjhBR44Hjx
  14ZGdFRaCN8wkNrHpiYLygipcLoGfvUAtg
  35mJx4EeEY7Lnkxvg1Swn1eSUN1TtQsQ3
  bc1qs4hcuqcv4e5lcd43f4jsvyx206nzkh4az05nds
  1KrHRyK9TKNU4eR5nhJdTV6rmBpmuU3dGw
  1Gg9VZe1E4XTLsmrTnB72QrsiHXKbcmBRX

• Analysis of bouncing attack on FFG - details of the attack which may cause liveness failure on the upcoming in the Ethereum Casper FFG protocol. Also, check out the related Prevention of bouncing attack on FFG article with a proposed fix.

Stay safe and see you all in the next edition of blockchain threat intelligence newsletter?

Protect Your Crypto

Buy a hardware wallet:

• Trezor Model T

• Ledger Nano

• KeepKey

Support the newsletter

BTC: 39M1VZxR2W4S3nQsj6RUmNbrdLkLT27U2k
ETH: 0x571B7313b36AF37E61359635157657DbAb6Ec240

Never a dull week in blockchain security! This week multiple critical vulnerabilities were patched in Bitcoin Lightning projects and the Parity Ethereum node software. Interesting news of French law enforcement agency using malware infrastructure against itself to disable 850,000 malicious miner instances. Also check out the detailed McAffee report covering the latest TTPs (Tactics, Techniques, and Procedures) used by cryptocurrency related malware and actors.

News

• Capital One Hacker ‘Breached 30 Organizations And Mined Cryptocurrency,’ Claims DOJ - a recently released indictment alleges that the Capital One hacker used her access to compromised servers to mine cryptocurrency.

Bugs

• CVEs assigned for lightning projects: please upgrade! - a mailing list notification about yet unpublished vulnerabilities in Bitcoin Lightning projects urging users to upgrade. Details of the three upcoming CVEs will be released on September 27th. Patches are available.

• New Parity Ethereum update protects against RPC call vulnerability - a Denial of Service vulnerability was discovered in the Parity node implementation with a public facing RPC. Patches are available.

• A Cryptocurrency Heist, Starring Your Web Browser - a detailed exploitation report of attacking a locally running service to steal Siacoin.

• Libra bug bounty program - Facebook promises up to $10k reward for critical bugs in the upcoming Libra cryptocurrency.

Malware

• Putting an end to Retadup: A malicious worm that infected hundreds of thousands - a detailed report on the Retadup miner malware and the disinfection operation in collaboration with a French law enforcement agency. The article documents an unusual case where defenders commandeered a command and control server to issue a self-destruct command to all running malware instances.

• McAfee Labs Threats Report - August 2019 - the report documents a significant growth in the number of ransomware attacks and identifies new malware families aiming to steal wallets and mine cryptocurrencies. The analysis enumerates a number of new infection vectors and social engineering tactics used to distribute malware.

• Fortnite Ransomware Masquerades as an Aimbot Game Hack - malicious software targets powerful gaming machines to mine cryptocurrencies and encrypt files.

• XMR Cryptomining Targeting x86/i686 Systems - malware report on a family targeting IoT devices running Telnet and SSH services.

• Sodinokibi Ransomware Spreads via Fake Forums on Hacked Sites - malware report on a family spreading through fake WordPress forum posts.

Events

• #blockchainhackers vol.3 recap - a quick recap of the blockchain security event during Berlin Blockchain Week.

That’s all for this week in blockchain intelligence. Patch your nodes and stay safe out there.

Protect Your Crypto

Buy a hardware wallet:

• Trezor Model T

• Ledger Nano

• KeepKey

Support the newsletter

BTC: 39M1VZxR2W4S3nQsj6RUmNbrdLkLT27U2k
ETH: 0x571B7313b36AF37E61359635157657DbAb6Ec240

Another fun week in blockchain security where a compromised RubyGem account resulted in a cryptojacking code getting added to a popular Ruby library. More details were revealed on the massive Beaxy exchange hack and PlusToken scam.

Hacks

• Malicious cryptojacking code found in 11 Ruby libraries - a compromised RubyGems maintainer account was used to upload multiple backdoored versions of the popular rest-client gem.
  
  Indicators:

  C2 Host:
  http://mironanoru.zzz.com[.]ua

Pastebin payload:
  https://pastebin[.]com/raw/5iNdELNX
  

• Moscow's blockchain voting system cracked a month before election - a 15k USD bug bounty was claimed by a French security researcher who discovered a flaw in a smart contract based Moscow City Duma election system. The smart contract implemented a weak encryption scheme which could be cracked within 20 minutes on a standard personal computer.

Research

• Beaxy — Incompetent. In Denial. Insolvent? - a great investigative report into the XRP partial payment hack of Beaxy exchange including a complete incident timeline. The total loss listed in the article was 43 BTC and 111k XRP.
  
  Indicators:
  
  XRP Addresses:
  raz97dHvnyBcnYTbXGYxhV8bGyr1aPrE5w
rTNTzZ2ewR5kLRuCTerWyKAXgBrwRjfa1
rwDGX47HETkMb4LgnYt7qCTEGKjjQpFjrp

  BTC Addresses:
  13LZMvczfqwF8aG2WSsoREf5fyvnjmUg1y
16K7aBM9HpXcgmBUswf9ix37y5VaNQuvRx

• A Survey on Ethereum Systems Security: Vulnerabilities, Attacks and Defenses - a detailed threat model of Ethereum on application, data, consensus, network, and environment layers. The paper also includes examples of attacks and specific defense mechanisms used to protect smart contracts.

• Jump-Oriented Programming on EVM Opcode - an interesting blog post with links to the Defcon 27 Blockchain Village talk, source code and videos covering the use of JOP in smart contracts.

• 10 Million ETH: Big Mysteries Revealed About PlusToken - an investigation into the Ethereum addresses involved in the massive 10 million ETH scam. The report notes that 820k ETH are laying dormant while the remainder have been distributed among 248k Ethereum addresses with top 10 accounts holding a significant portion. Of the funds that moved to the exchanges, attackers have used Huobi for about half of total transactions with ZB[.]com, Upbit, Okex, and Gate[.]io trailing behind.
  
  Indicators:
  
  0xf4a2eff88a408ff4c4550148151c33c93442619e
0xef13a2c29f7a433aff08c60007bc276a64c7bdf5
0x32b0ccd7fd17f2a03fd0346378e750fe1c5e2194
0x4416a953b466695a65f5c0a1634982fe6c090fe9
0x6013f376191b0daa5910e69372316ab3b56d5d2e
0x7e1793bc8cc86fef0ba448076d7cb0c773fd682f
0x96afe718f1f424f0eb5ad017911fd9023918187e
0xe6515162d73013b66697851a118b67b6eb73803a
0xb100d11fd9cf3deb2995e10bdeea961ab81ade4e
0x3d2d6f622dd2a855c688b2674741fd84dcd301bb
0xd0ca6730bee060c11e3bf7759d6150b332a35080
0xdbc5acac14d5e317ca76dda5fedfbc36a26afb7e
0x98d2e9862e193d93657103362aaa6f721883b208
  
  https://github.com/elementus-io/plustoken/blob/master/plustoken-ethereum-addresses.csv
  

• Advances in Automated Smart Contract Vulnerability Detection - a great demonstration of current state of the art in smart contract security assessment using MythX.

• Bitcoin’s Security Budget is Adequate - an analysis of Bitcoin’s security from economic perspective.

Malware

• Uncovering a MyKings Variant With Bootloader Persistence via Managed Detection and Response - an in-depth report on a variant of a well-known cryptocurrency miner and a backdoor.
  
  Indicators:
  hxxp://js[.]mykings.top:280/v[.]sct
hxxp://js[.]mykings.top:280/helloworld[.]msi

That’s all for this week’s Blockchain Intelligence. Stay safe and don’t install miners at work, especially if you work at a Nuclear Reactor.

Protect Your Crypto

Buy a hardware wallet:

• Trezor Model T

• Ledger Nano

Support the newsletter

BTC: 39M1VZxR2W4S3nQsj6RUmNbrdLkLT27U2k
ETH: 0x571B7313b36AF37E61359635157657DbAb6Ec240

The last few weeks without an exchange hack have unfortunately been interrupted by Beaxy which fell victim to a well known XRP exploit. A number of excellent research articles came out this week ranging from CipherTrace’s Q2 report on the whole blocksec industry to more specific papers on vulnerabilities in EOS, tracking Ethereum honeypots, PlusToken scam details, and many others. Dash fell victim to an apparent attack which resulted in masternodes crashing and transaction getting dropped.

Hacks

• Months-Old Exchange Beaxy Targeted With XRP Partial Payment Exploit, Vows to Rollback Trades - a well known and frequently abused feature in the XRP protocol was used to steal funds from Beaxy exchange. In this attack, the partial payments feature is abused to craft a transaction which only appears to have a large amount of XRP. It appears that Beaxy failed to check for the partial payments flag and credited attacker’s account with non-existent funds. A similar exploit was used to steal 7 million XRP ($2 million) from Bitopro exchange in May of this year.

Crime

• How the PlusToken Scam Absconded With Over 1 Percent of the Bitcoin Supply - details of the massive scam involving up to 4 million victims defrauded from $3 billion in cryptocurrency assets (200k BTC, 789k ETH, 26 million EOS). Most of the victims were in China, but also spread to South Korea, Japan, and other countries in Southeast Asia. Several founding members were arrested in Vanuatu; however, there are reports of stolen funds being liquidated.

• Another chunk of the Bitcoin stolen from Bitfinex has mysteriously moved - 30 BTC of the mostly dormant 119756 BTC stolen from Bitfinex was recently moved.

Bugs

• Dash Releases Upgrade In Response to Newly Exposed Vulnerabilities - an emergency patch was issued for Dash nodes to address an attack on the network which caused outages.

Research

• Q2 2019 Cryptocurrency Anti-Money Laundering Report - a must read report by CipherTrace into past quarter’s cryptocurrency crime trends, exchange compromises, and major scams.

• Who Spent My EOS? On the (In)Security of Resource Management of EOS.IO - a KAIST research paper into EOS design which uncovers four critical flaws with one of them capable of incapacitating the network altogether.

• Research into Trust-Trading Scams on Twitter - a study and statistical analysis of the common Twitter scam. The article includes a wealth of indicators available on Github.

• Applying Machine Learning for more thorough investigation of ZAIF hack - an interesting article tracking stolen funds to ChipMixer and later Binance for liquidation.

• Bypassing Smart Contract Timelocks - a collection of attack techniques and defense for a common smart contract design pattern.

• The Art of The Scam: Demystifying Honeypots in Ethereum Smart Contracts - a research article into various honeypotting techniques and a corresponding web project with live addresses.

Malware

• Varonis Uncovers New Malware Strains and a Mysterious Web Shell During a Monero Cryptojacking Investigation - an interesting report into “Norman” miner malware. The malware installs XMRig miner and a PHP webshell for C2 (Command and Control) communication.

Events

• Blockchain Training Conference - the upcoming conference will features several blockchain security related workshops including CryptoCurrency Security Standard Auditor (CCSSA) Workshop, Balancing Security & Usability for your Blockchain Project, Security By Design and Smart Contract Audits, Smart Contract Development: Security and Best Practice. The conference will take place on August 28-30 in Denver, CO.

Hope you enjoyed this week’s blockchain threat intelligence report! Stay safe and see you all next week.

Protect Your Crypto

Buy a hardware wallet:

• Ledger Nano

Support the newsletter

BTC: 39M1VZxR2W4S3nQsj6RUmNbrdLkLT27U2k
ETH: 0x571B7313b36AF37E61359635157657DbAb6Ec240

For those of you still recovering from BlackHat/Defcon conferences, I am happy to report that the Blockchain Security village was a real success! Featuring about two dozen high quality talks and two competitions running in parallel it felt like a conference within a conference. Watch out for Defcon releasing conference recordings in the next few weeks to check out some of the talks. There are also a number of security talks coming up during the upcoming Berlin’s blockchain week covered below.

In other news, Binance was a hot topic with an extortion attempt and a cache of leaked KYC data, U.N. report on North Korea raising funds through hacking every cryptocurrency exchange and bank it can get to, an excellent APT 41 report on a Chinese nation-state actor targeting cryptocurrency industry when it’s not busy running espionage operations, and plenty of new malware to watch out for.

News:

• North Korea took $2 billion in cyberattacks to fund weapons program: U.N. report - a report discussing at least 35 instances of attacks targeting financial institutions, cryptocurrency exchanges and miners to generate income for alienated nation state.

• Responding to Firefox 0-days in the wild - a deep dive into the exploit and the actors behind an attempted hack targeting Coinbase in June. The blog discusses a sophisticated and long-term spear phishing attack, a well prepared 0-day payload, and the response by the Coinbase Security team.

• An Extortion Gone Bad: Inside Binance’s Negotiations With Its ‘KYC Leaker’ - the story behind the recent KYC leak. The article features an interview with an alleged actor behind the leak who also suggests to have access to some of the 7000 BTC stolen from Binance in July. Binance released a separate statement regarding the leak where it discussed an apparent 300 BTC extortion attempt not to release stolen data as well as a 25 BTC reward for any information leading to the capture of the people behind the leak.

Events:

• Web3 Summit 2019 - a security node during the Web3 summit on August 19-21 will include workshops on everything Ethereum security from Solidified, MythX, Zeppelin, and others.

• #blockchainhackers vol.3 - a security meetup on August 22nd during Berlin blockchain week which will include speakers from ConsenSys, Hacken, ChainSecurity, SmartDec, and others.

• Capture the Coin - a month long CTF competition has kicked off during the Blockchain Village at Defcon and will continue until September 9th. The competition includes a number of blocksec related challenges such as smart contract exploitation, cryptography puzzles, blockchain investigations, wallet malware, and others. A number of my coworkers at Coinbase and myself have put together this competition and hope you will enjoy playing it.

• Chain Heist - an excellent CTF-style competition which includes a number of vulnerable Ethereum smart contracts covering a wide-range of security issues. The main event is over where I had a privilege to compete and win the main prize; however, all of the challenges are still up and you can play them today.

Research:

• Binance Hack 2019 – A Deep Dive Into Money Laundering And Mixing - a research article investigating the recent surge in activity of a crypto mixing service - Chipmixer. The article links the activity to BTC stolen from Binance and BitPoint exchanges.

• ShapeShift Security Update - an in-depth discussion of a recently reported side channel attack against ShapeShift (and other hardware wallets).

• Litecoin Dusting Attack - a notification and a linked research article by Binance into the ongoing dusting attack on the Litecoin network.

• Bitcoin vaults with anti-theft recovery/clawback mechanisms - a soft fork proposal to create a delay period where a wallet owner could observe and response to funds theft.

• Double Dragon - APT 41, a dual espionage and cyber crime operation - a detailed report by FireEye into a state-sponsored actor conducting a number of financially motivated intrusions in addition to espionage and surveillance operations. Group’s focus on virtual currency targets including in-game currencies, cryptocurrencies, and related services are of particular interest to the readers. The report provides detailed view of group’s malware capabilities, initial compromise and further exploitation techniques. In at least one instance the group attempted to install ransomware and in another deployed XMRig miner.
  
  Indicators:
  
  Domains:
  agegamepay[.]com
  ageofwuxia[.]com
  ageofwuxia[.]info
  ageofwuxia[.]net
  ageofwuxia[.]org
  bugcheck.xigncodeservice[.]com
  byeserver[.]com
  dnsgogle[.]com
  gamewushu[.]com
  gxxservice[.]com
  ibmupdate[.]com
  infestexe[.]com
  kasparsky[.]net
  linux-update[.]net
  macfee[.]ga
  micros0ff[.]com
  micros0tf[.]com
  notped[.]com
  operatingbox[.]com
  paniesx[.]com
  serverbye[.]com
  sexyjapan.ddns[.]info
  symanteclabs[.]com
  techniciantext[.]com
  win7update[.]net
  xigncodeservice[.]com

  URLs:
  https://docs.google[.]com/document/d/1lCySd5ZNGj9Jz8pigZsuv8lciusYKqOqORpe2EOzgmU
  https://docs.google[.]com/document/d/1KJ_RJRtkKhcuJjXOCKtEOLuwH3sRi72PUhtfukncyRc
  https://docs.google[.]com/document/d/1TkTC3fHUvEBsBurZIGw7Kf5YsPjblpahlFksRDCuTo
  https://docs.google[.]com/document/d/1iQwnF3ibWPZ6-95VHrRAPrL6u_UT_K7X-rQrB7xt95k
  https://steamcommunity[.]com/id/119887132
  https://steamcommunity[.]com/id/869406565
  https://steamcommunity[.]com/id/oswal053

  Email Addresses:
  akbklxp@126[.]com
  akbklxp@163[.]com
  hackershby@126[.]com
  hrsimon59@gmail[.]com
  injuriesa@126[.]com
  injuriesa@163[.]com
  injuriesa@gmail[.]com
  injuriesa@hotmail[.]com
  injuriesa@qq[.]com
  kbklxp@126[.]com
  petervc1983@gmail[.]com
  ravinder10@126[.]com
  ravinder10@hotmail[.]com
  ravinder10@sohu[.]com
  wolf_zhi@yahoo[.]com

• 246 Findings From our Smart Contract Audits: An Executive Summary - a details statistical analysis of vulnerability classes discovered as part of 23 security audits with a total of 246 security findings. Data validation and access control flaws were the most common findings constituting 36% and 10% of total findings respectively. The report also points out that almost 49% of the findings are unlikely to be discovered with static or dynamic analysis tools and require a human auditor to detect.

• The Elliptic Data Set: opening up machine learning on the blockchain - background information on the recently released bitcoin transaction data set.

• Bitcoin Security under Temporary Dishonest Majority - a research study which examines several scenarios where a dishonest majority temporarily takes over the Bitcoin network.

Malware:

• Access Mining - How a Prominent Cryptomining Botnet is Paving the Way for a Lucrative and Illicit Revenue Model - a Carbon Black detailed report on a Smominru cryptominer which now started to exfiltrate data and provide remote access. The campaign has links Smominru to a separate MyKings botnet and a marketplace which sells access to infected hosts.

• Clipsa – Multipurpose password stealer - an Avast Antivirus report on a Visual Basic malware sample capable of steal cryptocurrency wallets, brute-forcing Wordpress credentials, silently changing cryptocurrency addresses in clipboard, and installing XMRig miner.
  
  Indicators:
  
  Network Indicators:
  http[:]//besttipsfor[.]com
  http[:]//chila[.]store
  http[:]//globaleventscrc[.]com
  http[:]//ionix.co[.]id
  http[:]//mahmya[.]com
  http[:]//mohanchandran[.]com
  http[:]//mutolarahsap[.]com
  http[:]//northkabbadi[.]com
  http[:]//poly.ufxtools[.]com
  http[:]//raiz[.]ec
  http[:]//rhsgroup[.]ma
  http[:]//robinhurtnamibia[.]com
  http[:]//sloneczna10tka[.]pl
  http[:]//stepinwatchcenter[.]se
  http[:]//topfinsignals[.]com
  http[:]//tripindiabycar[.]com
  http[:]//videotroisquart[.]net
  http[:]//wbbministries[.]org
  
  BTC Addresses (Clipboard replacement):
  https://github.com/avast/ioc/blob/master/Clipsa/appendix_files/btc_addresses_complete.txt
  
  ETH Address (Clipboard replacement):
  0x4966DB520B0680fC19df5d7774cA96F42E6aBD4F
  

• Saefko: A new multi-layered RAT - a Zscaler report into a new .NET malware with remote execute, keylogging, connection proxying, and data stealing capabilities. The malware is interesting because it specifically targets machines with evidence of user visiting major cryptocurrency company websites including Coinbase, Kraken, Shapeshift, Bitfinex, and others.
  
  Indicators:
  
  Md5:
  D9B0ECCCA3AF50E9309489848EB59924
  C4825334DA8AA7EA9E81B6CE18F9C15F
  952572F16A955745A50AAF703C30437C
  4F2607FAEC3CB30DC8C476C7029F9046
  7CCCB06681E7D62B2315761DBE3C81F9
  5B516EAB606DC3CC35B0494643129058

  Downloader URL:
  industry.aeconex[.]com/receipt-inv.zip
  3.121.182[.]157/dwd/explorer.exe
  3.121.182[.]157/dwd/vmp.exe
  deqwrqwer.kl[.]com.ua/ex/explorer.exe
  maprivate[.]date/dhl-miss%20craciun%20ana%20maria%20#bw20feb19.zip

  Network URL:
  acpananma[.]com/love/server.php
  3.121.182[.]157/smth/server.php
  f0278951.xsph[.]ru/server.php
  maprivate[.]date/server.php

Media:

• Hashing It Out #55 – Diligence – Steve Marx - an interesting podcast into the birth and mission of ConsenSys Dilligence to secure Ethereum smart contracts.

Tools:

• Crytic: Continuous Assurance for Smart Contracts - a continuous integration tool to automatically run an array of smart contract security tests.

That’s all for this busy week in blockchain threat intelligence. Stay safe and see you next week?