To verify the site is hosting malicious software, the team visited the page ‘https://moongate[dot]cc/token2049-yachtparty/’ and looked at the client-side Javascript for any signs of malicious functionality:

The figure above shows the first indicators of malicious functionality. Comments in the Javascript code that are describing ‘Draining’ events such as ‘Draining started’ and ‘Draining Finished’.

Now that we have confirmed the site is very likely hosting wallet draining software we have to submit a takedown request through the domain registrar. To find out which registrar we needed to contact, we looked at the malicious domain’s WhoIs records and found the domain registrar to be ‘PublicDomainRegistry[dot]com’. Visiting their website, we found they had a ‘report abuse’ link at the bottom of the landing page which led to a form for reporting domains hosting malware - ‘https://publicdomainregistry.com/malware/’.

Once the form was submitted we received a confirmation email shortly after with an assigned case number.

As a next step, Halborn submitted a report directly to Twitter (X) flagging the Moongate impersonation account. It was also interesting to note that the impersonation account had a link to the real Moongate twitter account with the message ‘Migrated to @moongate’ (the real Moongate twitter account).

Another point to keep in mind is to look for these indicators such as links to legitimate accounts or domain names that don’t match the current page you are on. For example, let’s review the Real Moongate Twitter profile: 

And compare it to the impersonation account:

You can see the message ‘Migrated to @moongate,’ which links to the real Moongate Twitter (X) account. You can see it has very few followers, and the account joined Twitter in March 2023. Also, the background image behind the profile image is blank, and the colors for the profile image are swapped. These are all indicators that this account was an impersonation account.

At this point, multiple reports were submitted to Twitter (X), and, the same day, we observed the account being restricted: 

On April 20, 2024, we received another email stating that the domain registrar took the malicious domain down. We confirmed this by going to the website and getting an error. 

At this point, we have requested that the domain registrar take down the malicious domain, and we reported the impersonator’s Twitter (X) account. We decided to continue our investigation into the wallet draining malware to gather as much relevant information as possible. 

One of the first things we did was download the malicious Javascript files being hosted on the site and submitted them to VirusTotal to perform their analysis. We found that only 1 out of 57 products detected this file as malicious. It is worth noting that the Javascript used in this malware was heavily obfuscated, and the detection mechanism used to determine the file was malicious was the fact that it used very long strings, which were assumed to be obfuscated code. 

From our investigation, we have determined there are multiple stages to this malware. The first deobfuscates the drainer code to perform tasks like having the user connect their wallet, making determinations on what kind of assets are in the target’s wallet, and deciding which assets the malware wants to drain. Here is an example of the ‘Drainer’ class where you can see the heavy obfuscation utilized by this malware:

This code also contained contract addresses and the types of digital assets it was capable of draining. Here, you can see an example of Avalanche rpcURLs and contract address.

After analyzing the Javascript code, we looked at the malicious domain and found that they were hosting multiple similar URLs. All seemingly hosted this wallet drainer software:

At this point, we confirmed there are at least twenty URLs with different landing pages all hosting the same malware. We were unsure how long the domain registrar would take to take down the domain, so we also submitted an abuse report to Cloudflare as this attacker was utilizing Cloudflare services.

Lessons Learned

Raise awareness around phishing attacks and how to identify phishing emails and messages. 

Domain takedowns can take time! In this case, two days.

Look at the Javascript code before interacting with new sites or dApps. Attackers are not perfect, and they are not all great coders. In this example, we saw that the attacker left plaintext Drainer Events in the un-obfuscated Javascript code comments. This alone could prevent a user from connecting their wallet. No special tools are required; just open the Browser Developer tools and look at all the Javascript source files or even search for keywords like ‘drain’. Also, if you find long strings of Base64 encoding, you can copy those strings and try to decode them. Most likely they will not be readable or in a plaintext format. These are indicators the Javascript is utilizing obfuscation techniques to make it difficult to determine what it is doing. These indicators can all be used to make safer decisions on what dApps or smart contracts to interact with.

Don’t rely only on spam filters or anti-virus tools alone to catch everything. Those defensive tools are great for keeping your systems safe from known malware, but it is easy, using obfuscation and other techniques, to ensure simple signatures are incapable of identifying sophisticated malware. Be diligent in validating usernames — such as in the example shown with the impersonation Twitter (X) profile — as well as domain names, as well demonstrated in this case. 

If you are interacting with a smart contract or dApp for the first time, ensure you do not have a significant amount of assets in your hot wallet. Use a strategy such as keeping at least 90% of your funds offline in cold storage, and only keep what you need to either test or transact in your hot wallet. This kind of asset management strategy could have prevented a target from losing all of their funds. 

To learn more about protecting your project through a WebApp pentest, get in touch with Halborn.