Author: 23pds & Thinking
Background
In recent years, phishing incidents targeting blockchain engineers have occurred frequently on LinkedIn. Yesterday we noticed a post published by @_swader_ on X; his experience is a microcosm of recruitment phishing aimed at blockchain engineers. Let's analyze the case.

(https://x.com/_swader_/status/1900116168544817589)
Process
According to Bruno's description, a person claiming to represent the project contacted him first and sent him a long project introduction:

The message is essentially a job posting for a blockchain "Socifi" game and staking smart contract platform.
Project Overview
The project is a staking smart contract platform based on the Socifi game. Core features include:
• Decentralized Exchange
• Games
• Multi-game community features
• NFTs and Tokens
• Live streaming services
Recruitment Intentions
• Looking for developers to join the project.
• Backend and smart contract developers have been recruited.
• Bruno Skvorc was recommended as project manager/front-end development team leader.
MVP Design
• The sender provided a Figma design link pointing to the MVP v2 version.
Recruitment process
• Background check
• Online programming test
• Technical interview
The recruiter was vague at first, then started calling Bruno, trying to convey a sense of urgency and importance, and immediately provided the repo link: https://bitbucket[.]org/ventionteam/gameplatform/src/main/.

User and time of code submission:

Next, let's analyze the malicious code.
Techniques and tactics
Let's look at the code description:

But is that really what it does?
First, take a look at package.json:

No malicious third-party modules were found, so the attack does not appear to rely on a malicious npm package. Let's continue. Looking at server.js, a careless reader might stop at line 47, since nothing looks unusual at first glance.

However, pay close attention to line 46. What is that? There is also a small horizontal scroll bar, which means there is something further to the right. Let's scroll over and take a look:

This is an encrypted malicious payload. What is its specific function? Let's take a look at the code:

(The above picture shows part of the code)
This is obfuscated code with more than one layer of base64 encoding.
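As an added example (not code from the original post or the analysed repository), the following Node script performs the two static checks an analyst would want for this trick: it flags lines where visible code is followed by a long run of whitespace and then more code, and it peels nested base64 layers from whatever it finds there. The sample server.js at the bottom is constructed for the demo, and its innermost "payload" is a harmless console.log; the thresholds SUSPECT_GAP and MIN_B64_LEN are my own choices.

```javascript
// Added example (not from the original post): static detection of a statement
// pushed off-screen by a long whitespace gap, plus peeling of nested base64.
const SUSPECT_GAP = 80;   // consecutive spaces/tabs that count as "hiding" code (assumed threshold)
const MIN_B64_LEN = 40;   // shorter base64-looking tokens are usually hashes or ids
const HIDDEN_TAIL_RE = new RegExp('^(.*?\\S)([ \\t]{' + SUSPECT_GAP + ',})(\\S.*)$');
const B64_TOKEN_RE = new RegExp('[A-Za-z0-9+/]{' + MIN_B64_LEN + ',}={0,2}', 'g');

// Lines where visible code is followed by a huge whitespace gap and more code.
function findHiddenTails(source) {
  const hits = [];
  source.split('\n').forEach((line, idx) => {
    const m = HIDDEN_TAIL_RE.exec(line);
    if (m) hits.push({ line: idx + 1, visible: m[1].trim(), gap: m[2].length, hidden: m[3] });
  });
  return hits;
}

// Decoded output is only worth keeping if it is plain printable ASCII.
function looksLikeText(s) {
  return s.length > 0 && /^[\x09\x0a\x0d\x20-\x7e]*$/.test(s);
}

// Repeatedly decode the longest base64 token until nothing decodable remains.
// Returns the decoded text of each layer, outermost first.
function peelBase64(text, maxLayers = 8) {
  const layers = [];
  let current = text;
  for (let i = 0; i < maxLayers; i++) {
    const tokens = current.match(B64_TOKEN_RE);
    if (!tokens) break;
    const longest = tokens.reduce((a, b) => (b.length > a.length ? b : a));
    const decoded = Buffer.from(longest, 'base64').toString('utf8');
    if (!looksLikeText(decoded)) break;
    layers.push(decoded);
    current = decoded;
  }
  return layers;
}

// Full check for one source file: hidden tails plus what each one decodes to.
function scanSource(source) {
  return findHiddenTails(source).map((hit) => ({ ...hit, layers: peelBase64(hit.hidden) }));
}

// Constructed sample mimicking the layout of the server.js in the post:
// a normal-looking line, 200 spaces, then a doubly base64-wrapped eval.
const stage2 = 'console.log("stage-2 placeholder")';
const layer1 = Buffer.from(stage2).toString('base64');
const layer2 = Buffer.from(`eval(Buffer.from('${layer1}','base64').toString())`).toString('base64');
const hiddenStatement = `eval(Buffer.from('${layer2}','base64').toString())`;
const SAMPLE_SERVER_JS = [
  "const express = require('express');",
  'const app = express();' + ' '.repeat(200) + hiddenStatement,
  'app.listen(3000);',
].join('\n');

for (const hit of scanSource(SAMPLE_SERVER_JS)) {
  console.log(`line ${hit.line}: ${hit.gap} blank columns after "${hit.visible}"`);
  hit.layers.forEach((l, i) => console.log(`  layer ${i + 1}: ${l}`));
}
```

Run it over a real project with `fs.readFileSync(file, 'utf8')` in place of SAMPLE_SERVER_JS; a code review tool that wraps long lines, or a plain `awk 'length > 300'` over the checkout, catches the same trick with less effort, which is the point: the hiding only works against an editor viewport.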
After running npm start, it will run normally, so what is the use of this payload?
Let's run a test in our virtual machine (a professional operation, please do not imitate it).

The payload is heavily obfuscated and difficult to decode statically, so we hooked the relevant runtime functions and captured the C2 link directly:

Successfully captured the malicious IP:
216.173.115[.]200
95.179.135[.]133
Malicious request: http://216.173.115[.]200:1244/s/bc7302f71ff3. Interestingly, this request bypassed Little Snitch's monitoring.

The payload then downloads and executes two files, test.js and .npl.

The .npl Trojan is mainly used to maintain persistence:

This is the decoded content of .npl:

The above code downloads a Python program named pay. Its decoded content is as follows:

test.js is mainly used to steal browser data, such as wallet extension data and passwords saved by the browser:

(partial fragment of test.js code)
Decryption (fragment):


Finally, according to our analysis, once the victim runs the code, the payload will do the following:
1. Collect system/environment data (home directory, platform, host name, username, etc.).
2. Make HTTP requests to remote servers to obtain additional data or payloads.
3. Write the obtained payloads to the local file system (usually in the home directory).
4. Execute these payloads using Node's child_process.exec.
5. Continue to connect back or "echo" system data to the C2 server.
6. Repeat this activity at regular intervals, keep the heartbeat packet, and try multiple times if the first attempt fails.
7. Quietly monitor user behavior and prepare to steal crypto assets: the code tries to read /Library/Keychains/ (the macOS keychain storage path), SSH private keys, browser extension data, and passwords saved by the browser.
At the same time, @blackbigswan found the same user:
https://github[.]com/DavidDev0219
https://github[.]com/vention-dev
https://github[.]com/FortuneTechWorld
We suspect these belong to the same group of attackers and will not analyze them further here.
Countermeasures
Attackers usually deliver malicious files through Telegram, Discord, and LinkedIn. For this type of phishing attack, we propose the following countermeasures from the perspective of users and enterprises:
Users
Be wary of suspicious recruitment messages or part-time offers that require downloading or running code from platforms such as GitHub. First verify the sender's identity through the company's official website or official email address, and do not be taken in by misleading rhetoric such as "limited-time, high-paying tasks";
When handling external code, strictly review the project's source and the author's background, refuse to run unverified high-risk projects, and run suspicious code only in a virtual machine or sandbox to isolate the risk;
For Telegram and Discord, enable multi-factor authentication, regularly rotate strong passwords, and avoid reusing them across platforms.
Enterprises
Regularly have employees take part in phishing simulation drills, training them to recognize counterfeit domain names and abnormal requests;
Deploy email security gateways to intercept malicious attachments;
Monitor whether sensitive information in code repositories is leaked;
Establish an emergency response mechanism for phishing incidents, and reduce the risk of data leakage and asset loss through a multi-dimensional strategy that combines technical protection with personnel awareness.