# Endless Drainer 2024-12-19

## details

Drainer observed during the Pudgy Penguins Pengu token airdrop. The instance combined IDN attack vectors with mobile-only detonation to increase effectiveness: because most scanning platforms default to desktop user-agents, a scan of the instance was redirected to the legitimate domain `pudgypenguins[.]com`, whereas when interacted with from a mobile platform the unit instead phished user credentials.

### urlscan detection query

```shell
hash:"f6b6bb2765d371dda37b91e1eadf0b2829e7cc395624ea6b8474dcd07df62830" NOT domain:pudgypenguins.com
```

[link to urlscan search query](https://urlscan.io/search/#hash%3A%22f6b6bb2765d371dda37b91e1eadf0b2829e7cc395624ea6b8474dcd07df62830%22%20NOT%20domain%3Apudgypenguins.com)

## samples

domain: pengu-cto[.]com

https://urlscan.io/result/ff6b5d14-bdd1-4df0-98ac-dffb5924921e#transactions

filenames:

- wallect-connect-v4[.]js
- onboard[.]js
- endless[.]js

These filenames can be observed in other associated Endless drainer samples; the instances above are not from the redirect sample. Desktop redirect sample linked for reference: [https://urlscan.io/result/2c062788-f910-4032-838d-8e16e4352779/dom/](https://urlscan.io/result/2c062788-f910-4032-838d-8e16e4352779/dom/)

### idn attack sample

```
claim[.]pudgypengujns[.]io
```

https://urlquery.net/report/c8c9c027-bceb-4a4f-b4d9-f071e7021060

### desktop urlscan sample

https://urlscan.io/result/340a0a2b-aebd-45eb-aa32-19829f3ec631#transactions

Once again, note the usage of the fraudulent pudgypenguins domain, and how the behaviour varies from desktop to mobile.

### successful execution on mobile

https://tria.ge/241219-brag2szrfs/behavioral1 where endless successfully triggers

domains:

```
airdrop[.]pudgypenguin[.]page
clai[.]pudygpenguins[.]com
claim-pudgypengueins[.]com
claim-pudgypenguens[.]com
claim-pudgypenguinis[.]com
claim-pudgypenguins[.]pages[.]dev
claim-pudgypenguins[.]xyz
claim-pudgypenquins[.]com
claim[.]pudgyepeneguins[.]com
claim[.]pudgypeneguins[.]com
claim[.]pudgypenguinis[.]com
claim[.]pudgypengujns[.]com
claim[.]pudgypengujns[.]io
claim[.]pudgypengulns[.]io
claim[.]pudgypengunis[.]com
claim[.]pudgypengus[.]xyz
claim[.]pudgypenuguins[.]com
claim[.]pudypenguins[.]com
claimes-pengu[.]com
claimpengu[.]pages[.]dev
claimpudgypenguins[.]com
claims-pudgypenguins[.]com
claims[.]airdrop-pudgypenguin[.]com
event-pudgypengiun[.]com
get-pengu[.]com
pemgu-sol[.]com
penggu-sol[.]com
pengu[.]com-distirbiution[.]xyz
penguu-sol[.]com
pudgipenguins[.]com
pudgypeneguins[.]com
pudgypenguins-dhq[.]pages[.]dev
pudgypengunis[.]com
pudgypenguuins[.]com
pudgypenkuins[.]com
pudgypenquins[.]claims
pudgyreclaim[.]pages[.]dev
pudqypenguins[.]claims
pudygpenguins[.]com
pudypenguins[.]com
test-d93[.]pages[.]dev
test3-5g3[.]pages[.]dev
www[.]claim-pudgypenguins[.]xyz
www[.]pudgypenguins-claim[.]xyz
```

| Path | Filename | Link |
|:--|:--|:--|
| claim[.]pudgypengujns[.]io | - | https://urlscan.io/result/2c062788-f910-4032-838d-8e16e4352779 |
| https://urlscan.io/result/2c062788-f910-4032-838d-8e16e4352779/dom | - | https://urlscan.io/result/2c062788-f910-4032-838d-8e16e4352779/dom |
| /npm/alpinejs@3.x.x/dist/cdn.min.js | cdn.min.js | https://pro.urlscan.io/search?query=hash%3A%22afa01262b1e213446762714f332b7a12c4e85ec66c508d7de2060514936e8c82%22 |
| /assets/images/content/banner.jpg | banner.jpg | https://pro.urlscan.io/search?query=hash%3A%22efafde93b4c8cec43215ff8059675f78eb15c034e909f244f842e09a38ce420f%22 |
| /assets/styles/water.min.css | water.min.css | https://pro.urlscan.io/search?query=hash%3A%22df8560f86d441207326b2aa20176e0cdbe5d25eda371c7b45021c4828369bf80%22 |
| /assets/styles/style.css | style.css | https://pro.urlscan.io/search?query=hash%3A%220d800d18439ab770145ee46edfb0c05dfb0b3a8dcece5ae33aa567d1704082b7%22 |
| /cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js | email-decode.min.js | https://pro.urlscan.io/search?query=hash%3A%222595496fe48df6fcf9b1bc57c29a744c121eb4dd11566466bc13d2e52e6bbcc8%22 |
| /favicon.ico | favicon.ico | https://pro.urlscan.io/search?query=hash%3A%22f6b6bb2765d371dda37b91e1eadf0b2829e7cc395624ea6b8474dcd07df62830%22 |

- https://parzival.sh/blog/leveraging-google-amp-to-exploit-open-redirection-vulnerabilities
- https://cofense.com/blog/google-amp-the-newest-of-evasive-phishing-tactic/
- https://www.filescan.io/uploads/6763a1067b5c523262502e5d/reports/01b17545-37a5-4f09-8fd5-af1c3ddc6578/ioc
- https://pro.urlscan.io/result/5da380f0-5dc6-45b3-9721-ec7e4c4312d5/dom
- https://pro.urlscan.io/search?before=1734478908650%2Cfec6d94e-24aa-49bc-80ee-d908b5905dc0&limit=500&query=hash%3A%22f6b6bb2765d371dda37b91e1eadf0b2829e7cc395624ea6b8474dcd07df62830%22%20NOT%20domain%3Apudgypenguins.com
- https://privatebin.net/?8f7fb1d75567226a#HJtgchT5kCE7bER4YxxiZMxSaX81Ep7BnS2QcdsVMKk5
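The domain list above mixes plain typosquats of the brand label, brand-keyword lures, and (per the "idn attack" section) IDN lookalikes. The following Python is an added triage example, not code from the original note or from urlscan, urlquery or tria.ge: it refangs the `[.]` notation, decodes any punycode (`xn--`) labels, folds a small set of Cyrillic homoglyphs onto Latin, and ranks each entry by Levenshtein distance from the legitimate brand label. The legitimate domain `pudgypenguins.com` comes from the note; the brand tokens, the two-edit threshold, the confusable map and the constructed `SAMPLE_IOCS` subset are assumptions chosen for illustration.

```python
"""Triage helper for a defanged domain list such as the one in this note.

Added example, not code from the original note or from urlscan/tria.ge.
Assumptions: the brand tokens, the edit-distance threshold and the partial
confusable map below are chosen for illustration only.
"""

LEGIT_DOMAIN = "pudgypenguins.com"                # from the note
BRAND_LABEL = LEGIT_DOMAIN.split(".")[0]          # "pudgypenguins"
BRAND_TOKENS = ("pudgy", "pengu", "penguin")      # assumed lure keywords
TYPO_THRESHOLD = 2                                # assumed: <= 2 edits counts as a typosquat

# Constructed sample: a subset of the defanged domains listed in this note,
# plus the legitimate domain as a control.
SAMPLE_IOCS = """
airdrop[.]pudgypenguin[.]page
claim[.]pudgypengujns[.]io
claimpudgypenguins[.]com
pudqypenguins[.]claims
get-pengu[.]com
test-d93[.]pages[.]dev
pudgypenguins[.]com
"""

# Partial homoglyph map (assumption): Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0456": "i", "\u0455": "s",
}


def refang(value: str) -> str:
    """Turn the defanged 'a[.]b' notation back into a real hostname."""
    return value.strip().lower().replace("[.]", ".")


def to_unicode(host: str) -> str:
    """Decode punycode ('xn--') labels so IDN lookalikes are compared as Unicode."""
    if "xn--" not in host:
        return host
    return host.encode("ascii").decode("idna")


def fold_confusables(host: str) -> str:
    """Map known look-alike characters onto their Latin counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(defanged: str) -> tuple[str, str, int]:
    """Return (hostname, category, distance) for one defanged indicator.

    Categories: legitimate (the brand domain or a subdomain of it), homoglyph
    (matches the brand label only after folding confusables), lookalike-tld
    (exact brand label under another TLD or as a sub-label), typosquat (within
    TYPO_THRESHOLD edits of the brand label), brand-lure (a brand keyword is
    present but the spelling is not close), unrelated.
    """
    host = to_unicode(refang(defanged))
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return host, "legitimate", 0
    folded = fold_confusables(host)
    # Compare every label (hyphens dropped) against the brand label; keep the best match.
    distance = min(levenshtein(label.replace("-", ""), BRAND_LABEL)
                   for label in folded.split("."))
    if distance == 0:
        return host, ("homoglyph" if folded != host else "lookalike-tld"), 0
    if distance <= TYPO_THRESHOLD:
        return host, "typosquat", distance
    flat = folded.replace(".", "").replace("-", "")
    if any(token in flat for token in BRAND_TOKENS):
        return host, "brand-lure", distance
    return host, "unrelated", distance


def triage(ioc_text: str) -> list[tuple[str, str, int]]:
    """Classify every non-empty line of a defanged list, most suspicious first."""
    order = {"homoglyph": 0, "lookalike-tld": 1, "typosquat": 2,
             "brand-lure": 3, "unrelated": 4, "legitimate": 5}
    rows = [classify(line) for line in ioc_text.splitlines() if line.strip()]
    return sorted(rows, key=lambda r: (order[r[1]], r[2], r[0]))


if __name__ == "__main__":
    for host, category, distance in triage(SAMPLE_IOCS):
        print(f"{category:<13} d={distance:<2} {host}")
```

The distance is taken over every label so that both `pudqypenguins[.]claims` (bad second-level label) and `airdrop[.]pudgypenguin[.]page` (bad sub-label) score as typosquats, while `claimpudgypenguins[.]com` falls through to the keyword check. Entries the note lists under `pages[.]dev` with no brand token at all (`test-d93`, `test3-5g3`) land in `unrelated`, which is why the hash-based urlscan query in the note, not spelling, is the durable pivot for those.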