Category: Adversary Intelligence
Industry: Finance & Banking
Motivation: Financial
Region: Global
Source*: C3
Executive Summary
Threat:
- Private drainer for MetaMask that is capable of transferring cryptocurrency from the victim’s wallet to the attacker's wallet.
Impact:
- Loss of funds, tokens and cryptocurrency.
- Loss of reputation and trust in the MetaMask brand.
Mitigation:
- Do not share your secret recovery phrase.
- Do not log in to or connect your wallet on unverified websites.
Analysis and Attribution
Information from the Post
- CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising a private drainer for MetaMask, which can transfer cryptocurrency from the victim’s wallet to the attacker's wallet.
- The threat actor was offering the drainer service for USD 1,500.
- The following services are offered for sale:
  - Drainer file
  - Software to write off (withdraw) tokens/NFTs
  - Sending logs to Telegram
  - Installation support for the drainer
- The script checks wallets on the following three networks:
  - Ethereum mainnet (ERC)
  - Binance Smart Chain mainnet (BSC)
  - Polygon mainnet (Polygon)
Figure: Threat actor’s advertisement
Information about MetaMask
- MetaMask is a software cryptocurrency wallet used to interact with the Ethereum blockchain.
- It allows users to access their Ethereum wallet through a browser extension or mobile app, which can then be used to interact with decentralized applications.
- MetaMask supports all kinds of tokens, both regular (fungible) tokens and NFTs (non-fungible tokens).
Figure: MetaMask logo
Information about the Drainer
- The victim is redirected to a phishing site, where they are asked to connect their MetaMask wallet.
- The script checks the value of everything held in the wallet (coins, tokens, NFTs) across the three networks (ERC, BSC, Polygon).
- The script then prompts the victim to grant an approval (allowing access to tokens or NFTs) or to send coins. Once the victim clicks to allow this, a separate piece of software takes whatever the approval covered.
- The private drainer transfers the cryptocurrency from the victim’s wallet to the attacker's wallet.
- The drainer sends all activity logs to the attacker via Telegram and notifies the attacker of the tokens found and the transactions approved.
- The drainer does not require the additional signature that is usually required to authorise sending tokens, NFTs, or coins.
Figure: Pictorial representation of the stealing process
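The approval step described above, as an added defender-side example that is not CloudSEK's code nor anything from the drainer: decode the calldata a site asks the wallet to sign and flag approvals that would let an untrusted spender move tokens or NFTs in a later transaction of its own, which is why the drainer needs no further signature from the victim. The function selectors are the standard ERC-20/ERC-721 ones; the sample calldata, spender address and the `trusted_spenders` allow-list are constructed for the example.

```python
# Added example, not code from CloudSEK or from the drainer: a defender-side check on the
# calldata a dApp asks a wallet to sign. It decodes the well-known ERC-20/ERC-721 selectors
# and flags the approval step described above, i.e. a call that gives an untrusted spender
# the right to move the user's tokens or NFTs in a later transaction of its own.
UINT256_MAX = 2**256 - 1
SELECTORS = {  # first 4 bytes of keccak256(signature), hard-coded so this runs offline
    "095ea7b3": "approve",            # approve(address spender, uint256 amount)
    "a22cb465": "setApprovalForAll",  # setApprovalForAll(address operator, bool approved)
    "a9059cbb": "transfer",           # transfer(address to, uint256 amount)
    "23b872dd": "transferFrom",       # transferFrom(address from, address to, uint256 amount)
}

def _word(data: bytes, i: int) -> int:
    """i-th 32-byte ABI argument after the 4-byte selector, as an int (static types only)."""
    chunk = data[4 + 32 * i:36 + 32 * i]
    if len(chunk) != 32:
        raise ValueError("calldata too short for the expected arguments")
    return int.from_bytes(chunk, "big")

def _addr(value: int) -> str:
    """Address argument: the low 20 bytes of the 32-byte word, as lowercase hex."""
    return "0x" + value.to_bytes(32, "big")[12:].hex()

def analyze_calldata(calldata_hex: str, trusted_spenders=()) -> dict:
    """Classify one transaction request; trusted_spenders is an allow-list the user maintains."""
    data = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    name = SELECTORS.get(data[:4].hex(), "unknown")
    trusted = {s.lower() for s in trusted_spenders}
    if name == "unknown":
        return dict(function=name, counterparty="", risk="info", reason="unrecognised selector; review manually")
    if name == "approve":
        spender, amount = _addr(_word(data, 0)), _word(data, 1)
        if amount == 0 or spender in trusted:
            return dict(function=name, counterparty=spender, risk="info", reason="revocation or trusted spender")
        unlimited = amount == UINT256_MAX
        return dict(function=name, counterparty=spender, risk="high" if unlimited else "medium",
                    reason=("unlimited" if unlimited else str(amount)) + " allowance to untrusted spender")
    if name == "setApprovalForAll":
        operator, approved = _addr(_word(data, 0)), _word(data, 1) == 1
        if approved and operator not in trusted:
            return dict(function=name, counterparty=operator, risk="high", reason="operator may move every NFT in the collection")
        return dict(function=name, counterparty=operator, risk="info", reason="revocation or trusted operator")
    # transfer/transferFrom move assets in this very transaction: surface the recipient.
    to = _addr(_word(data, 1 if name == "transferFrom" else 0))
    return dict(function=name, counterparty=to, risk="medium", reason="direct transfer; confirm the recipient")

# Constructed sample: approve(spender, 2**256-1), the unlimited approval a drainer page asks for.
SAMPLE_SPENDER = "0x" + "ab" * 20
SAMPLE_APPROVE = "0x095ea7b3" + "00" * 12 + "ab" * 20 + "ff" * 32
```

Running `analyze_calldata(SAMPLE_APPROVE)` yields a "high" finding for the constructed spender; the same calldata with that spender on the allow-list, or with a zero amount (a revocation), is reported as "info".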
Information from a Sensitive Source
A sensitive source in contact with the threat actor has ascertained that:
- The actor shared a video sample demonstrating the transfer of a token from the victim’s wallet to the attacker’s wallet.
- The video also disclosed the wallet addresses of both the actor and the victim.
- It is possible that the associated wallet addresses were dummy wallets used by the threat actor.
Information from Cybercrime Forums
- Several threat actors were observed offering similar scripting services to steal tokens from wallets.
- The following kinds of token drainers were advertised for MetaMask:
  - Drainer with one signature
  - Drainer with signature and auto transfer
  - Drainer to write off all crypto
Information from OSINT
- CloudSEK researchers have observed various phishing campaigns targeting MetaMask customers and users under the guise of completing KYC or wallet verification.
- The threat actors use emails to lure victims to phishing sites that embed the scripts and drainers.
- A Chinese-origin threat actor named “SeaFlower” was also observed using a cloned MetaMask website to lure victims into downloading a trojanized version of MetaMask that steals the wallet’s balance and tokens.
Threat Actor Activity and Rating
Threat Actor Profiling
Active since: September 2022
Reputation: Low (multiple complaints and concerns on the forum)
Current Status: Active
History: Dealing with a private drainer for MetaMask
Rating: C3 (C: Fairly reliable; 3: Possibly true)
Impact & Mitigation
Impact:
- Loss of funds, tokens and cryptocurrency.
- Loss of reputation and trust in the MetaMask brand.
- Sensitive information such as secret recovery phrases and wallet details can be used by threat actors to gain access to the wallet.
Mitigation:
- Do not share secret recovery phrases.
- Do not log in to or connect your wallet on unverified websites.
- Consider getting a hardware wallet.
- Be vigilant about checking a website’s legitimacy before connecting a wallet.
References
Appendix
Figure: Multiple threat actors advertising MetaMask drainer services on cybercrime forums
Figure: Fake emails used by actors to lure the victim to MetaMask phishing pages
Figure: Transaction history of the actor’s wallet
Figure: Sample images shared by threat actor
Figure: Sample images shared by threat actor
Figure: Sample images shared by threat actor
Figure: Sample image shared by threat actor showing log
Figure: Sample image of script shared by threat actor
Figure: Sample image of a fake website shared by the threat actor
Figure: Transaction history of the threat actor’s wallet