Cunning Phishing in the Dark Forest

SlowMist
7 min readJul 26, 2024

--

Background

On July 25, 2024, MonoSwap (@monoswapio) issued a warning on Twitter, revealing that their platform had been hacked. They urged users to stop adding funds to their liquidity pools or staking in their farm pools. The attack occurred because a MonoSwap developer, during a meeting with a fake venture capital entity the previous day, installed malware (https[:]//kakaocall[.]kr) on their computer. This malware allowed hackers to gain control of the developer’s wallet and related contracts, leading to the extraction of staked funds and significant losses.

(https://x.com/monoswapio/status/1816151998267547851)

Incident Connection

On the same day, our Security Team discovered that a phishing link mentioned above was included in the pinned tweet of an AMA event hosted by @OurTinTinLand regarding an airdrop.

With assistance from the SlowMist Security Team, TinTinLand promptly resolved the account compromise issue and reinforced their Twitter account’s security through authorization reviews and additional measures.

(https://x.com/OurTinTinLand/status/1816358544402444462)

Incident Analysis

Although the phishing domain kakaocall[.]kr has been shut down and its malicious content is no longer accessible, an snapshot linked it to a similar phishing domain, kakaocall[.]com.

A comparison of historical webpage snapshots revealed that the code for kakaocall[.]com and kakaocall[.]kr was identical, indicating they were operated by the same group.

The malicious software linked to kakaocall[.]com directed users to https[:]//taxupay[.]com/process[.]php and https[:]//www.dropbox[.]com/scl/fi/ysnjinmlpcpdxel050mmb/KakaoCall[.]exe?rlkey=drj8bfnd0zzvmcocexz93b6ky&st=28in0iw3&dl=1.

Further deep-tracing by our security team uncovered several similar phishing scams. On June 26, 2024, Twitter user Metadon (@metadonprofits) described a scam where the perpetrator, posing as a representative of @NibiruChain, contacted him. The scam involved creating a group chat on Telegram, including fake Web3 company founders to build trust. The scammer then persuaded the victim to have a video call on KakaoTalk, a popular South Korean messaging app. Since the victim didn’t have the app, the scammer sent a link, claiming it was an official download link for the app, which was actually a phishing link.

(https://x.com/metadonprofits/status/1805714156068520251)

As we continued our in-depth analysis, many victims reached out to us, providing valuable information. Our investigation revealed that this was a well-organized, highly technical hacker group skilled in social engineering. They posed as legitimate project teams, creating polished websites, social media accounts, project repositories, and even published whitepapers. They also registered on Web3 project listing platforms, making their operations appear legitimate. This led many victims to believe these were real projects, resulting in significant attacks. Due to the numerous cases involved, we will analyze two particularly notable cases.

Case Analysis 1

In the first case, hackers engaged victims in conversations on social platforms, leading them to visit the malicious phishing site https[:]//wasper[.]app and download a malicious application.

Deployment Time:

Windows Malicious Program Download Link:

https[:]//www.dropbox[.]com/scl/fi/3t95igxg3uvwthl2k9wcn/Wasper-Setup[.]exe?rlkey=xjt92pfebn1m0np52fbt5k3rl&st=a24xyedp&dl=1

macOS Malicious Program Download Link:

https[:]//www.dropbox[.]com/scl/fi/r8h40oyan354nqyx35mus/Wasper[.]dmg?rlkey=k88x68bxslsywnp98zb1cp260&st=hibpe07j&dl=1

Upon analyzing the phishing site https[:]//wasper[.]app, we found that it was professionally designed and linked to a corresponding GitHub project.

Upon visiting the open-source project link https[:]//github[.]com/wasperai/wasper, we discovered that the hackers had artificially inflated the Watch, Fork, and Star metrics to make the fake project seem credible.

To further enhance the deception, the attackers even added contributors from other projects to the fake project and included the phishing website’s domain in the repository.

The interlinking information between the phishing site, fake project, and Twitter account made the operation appear legitimate. This highlights the attackers’ proficiency in manipulating human behavior and guiding victims into traps, showcasing their skills in hacking and social engineering.

Case Analysis 2

Another phishing incident involving dexis[.]app showed similarities to the tactics used in the wasper[.]app case. Attackers engaged targets on social platforms, leading them to register on the phishing site dexis[.]app and download malicious software.

The source code for this attack (https[:]//github[.]com/DexisApp/Dexis) used the same template as the wasper incident.

Attackers listed the project’s website and whitepaper on Linktree, creating a highly deceptive appearance. During our analysis, we initially believed it was a legitimate project that had been hacked, but the recurrence of similar cases led us to conclude that this was a meticulously planned attack.

Upon visiting dexis[.]app, we found that the method for downloading the malicious software redirected to the trojan URL https[:]//1processmerch.com/process[.]php. However, this download link was no longer active, preventing us from obtaining the trojan sample.

The trojan URL and file extension matched those used in the phishing site https[:]//kakaocall[.]com, indicating a connection between the incidents.

Similar Fraudulent Projects

Here are other accounts and phishing URLs associated with this group:

- Web3 Game Malware Scam: @X Wion World

- URLs: wionworld[.]com

- Web3 Game Malware Scam: @X SilentMetaWorld

- URLs: playsilentdown[.]site, @link3to / free/jaunty-starks

- Meeting Software Malware Scam: @X / VDeckMeet

- URLs: vdeck[.]app

- Web3 Game Malware Scam: @X / _PartyRoyale

- URLs: partyroyale[.]games, @hubdotxyz/ party-royale

- Meeting Software Malware Scam: @X / VorionAI

- URLs: vorion[.]io, vortax[.]app, vortax[.]space

- Web3 Game Malware Scam: @X/ arcanixland

- URLs: arcanix[.]land, @Linktree_ / arcanixsocial

- Meeting Software Malware Scam: @X / GoheardApp

- URLs: goheard[.]app, goheard[.]io

- Web3 Game Malware Scam: @X / projectcalipso

- URLs: projectcalipso[.]com, @Linktree_ / projectcalipso

- Meeting Software Malware Scam: @X/ kendoteth (fake KakaoTalk)

- URLs: kakaocall[.]com

…and more.

Special thanks to @d0wnlore for the information provided (https://twitter.com/d0wnlore/status/1796538103525757083).

Trojan Analysis

Analysis on VirusTotal revealed that the trojan was detected by multiple antivirus engines.

https://www.virustotal.com/gui/file/f3c14c12cd45dbfb9dfb85deac517cca25c3118f2c7e3501be669fc06bb4402f/behavior

This trojan executes a series of scripts to gain system access, steal user credentials, and collect valuable system information. According to Triage’s malware analysis platform (https://tria.ge/240611-b9q8hszbqh/behavioral2), the trojan connects to malicious domains and IP addresses such as:

- showpiecekennelmating[.]com

- 45.132.105.157

Conclusion

The attackers’ ability to create fake scenarios that closely resemble real projects demonstrates their growing professionalism, expertise in social engineering, and organized, large-scale operations, which make it difficult for users to distinguish between genuine and fraudulent projects.

These case analyses only uncover a small part of the “dark forest” of phishing threats. The Slowmist Security Team advises users to remain vigilant, question suspicious links, install reputable antivirus software like Kaspersky or AVG, and immediately transfer funds and conduct a full antivirus scan if compromised. For more security knowledge, refer to the Slowmist Security Team’s “Blockchain Dark Forest Self-Guard Handbook”: https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

We offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub

--

--

SlowMist
SlowMist

Written by SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.

No responses yet