Blog

Last week, we published an extensive report on MEWKit, a phishing ATS targeting visitors of MyEtherWallet (MEW) in elaborate ways—including resorting to a BGP hijack. But threats to users of MyEtherWallet aren’t a new thing by any means—phishing pages targeting the cryptocurrency platform, while not as sophisticated as MEWKit, have been going around for a very long time. In this blog, we’ll discuss another technique we’ve seen actors using in attacks against MyEtherWallet users to fool them out of their Ethereum wallet credentials.

The Lure

Cybercriminals are always thinking of new methods by which to perform their attacks. In the case of phishing, they come up with innovative ways of convincing victims that their website or, in this case, mobile app, is legitimate. New attacks leveraging MyEtherWallet are using messages on social media and posts on forums to spread illegitimate clones of the MyEtherWallet site, which is not a new tactic in and of itself, but something that has never been seen targeting MyEtherWallet users. In this attack, an actor sets up a fake Telegram group, supposedly for MyEtherWallet and its support team, to spread false messages. In fact, searching for MyEtherWallet on Telegram would surface a group with over nine thousand subscribers:

We'll discuss another technique we’ve seen actors using in attacks against MyEtherWallet users to fool them out of their Ethereum wallet credentials.

Fig-1 The actor-created Telegram group

The operator of this group forwarded the tweets sent from the official MyEtherWallet twitter account to the group, with one additional message—that there’s a new MyEtherWallet client for Android. The general messaging in the group looked like this:

We'll discuss another technique we’ve seen actors using in attacks against MyEtherWallet users to fool them out of their Ethereum wallet credentials.

Fig-2 Deceptive message

The last message in the group is always the one below about a new two-factor-authentication security control, and that to use it, users need to install an Android app. The moderators of the group add a new tweet, remove the old message about the app, and then send it again to make sure it’s always the newest message in the group and thus ensuring that new subscribers will see it.

We'll discuss another technique we’ve seen actors using in attacks against MyEtherWallet users to fool them out of their Ethereum wallet credentials.

Fig-3 Message promoting the Android app

The URL preview in Telegram already showed it in the above screenshot, but the Bitly link forwarded victims to a MEGA download link. At the time of analyzing the latest link had received about 40 clicks:

We'll discuss another technique we’ve seen actors using in attacks against MyEtherWallet users to fool them out of their Ethereum wallet credentials.

Fig-4 40 clicks

Hitting the MEGA link, we were presented a download of MyEtherWallet.apk:

We'll discuss another technique we’ve seen actors using in attacks against MyEtherWallet users to fool them out of their Ethereum wallet credentials.

Fig-5 MyEtherWallet APK

Android apps for phishing

The application itself is just an empty shell created using GoNative.io, which is a service that generates Android apps that only serve pre-configured websites. This allows website owners to expose their web application as a native app rather than having visitors open up the website via a browser every time. We can see GoNative in the malicious MyEtherWall app based on the entry point name, the standard function name for the entry point of GoNative.io apps:

We'll discuss another technique we’ve seen actors using in attacks against MyEtherWallet users to fool them out of their Ethereum wallet credentials.

Fig-6 GoNative.io “empty shell”

Additionally, we can find the GoNative.io configuration file in the APK at /assets/appConfig.json:

We'll discuss another technique we’ve seen actors using in attacks against MyEtherWallet users to fool them out of their Ethereum wallet credentials.

Fig-7 GoNative.io configuration file

If you pay close attention, you can see yet another case of IDN phishing. If we use IDNA encoding on the domain, we get xn--myetherwalet-lcc.net, which, if we check on RiskIQ PassiveTotal, is hosted on 162.213.123.155. This IP shows one other IDN domain impersonating MEW: xn--myethrwalle-3bb60n.com:

We'll discuss another technique we’ve seen actors using in attacks against MyEtherWallet users to fool them out of their Ethereum wallet credentials.

Fig-8 Phishing domains hosted on the same IP address

Simplistic Phishing

The phishing page served on the IDN phishing host, like any other phishing page, perfectly resembles a working version of MyEtherWallet:

We'll discuss another technique we’ve seen actors using in attacks against MyEtherWallet users to fool them out of their Ethereum wallet credentials.

Fig-9 MyEtherWallet phishing page

The one interesting thing to note is these phishing domains were set up this month, but the version of MyEtherWallet they’re running is 3.10.3.8 which was released on the 21st of September 2017. Most likely, the actor behind this phishing page decided it wasn’t worth the effort to add their phishing scripts to a new version of MyEtherWallet.

The actor modified two files on this version of MyEtherWallet and added one additional script. We can spot the added script in our crawler’s analysis view:

We'll discuss another technique we’ve seen actors using in attacks against MyEtherWallet users to fool them out of their Ethereum wallet credentials.

Fig-10 The added script

The cfg.js file contains, just like with MEWKit, a small set of configuration variables:

We'll discuss another technique we’ve seen actors using in attacks against MyEtherWallet users to fool them out of their Ethereum wallet credentials.

Fig-11 cfg.js file

These variables are used in etherwallet-master.js, which has been modified by the actor to send out the authentication information used by the victim to access their wallet. The first interesting thing we find in etherwallet-master.js is a comment left by the attacker on line 1230:

We'll discuss another technique we’ve seen actors using in attacks against MyEtherWallet users to fool them out of their Ethereum wallet credentials.

Fig-12 Attacker comment

Right after the actor’s comment, the original MyEtherWallet code uses the visitor-chosen, authentication method to decrypt the wallet. After the code that decrypts the wallet, the actor added some additional lines of script, which sends out the authentication credentials to a location set in the config file we showed above:

We'll discuss another technique we’ve seen actors using in attacks against MyEtherWallet users to fool them out of their Ethereum wallet credentials.

Fig-13 MyEtherWallet code

After this, the MyEtherWallet phishing page will work like any other MEW instance where the victim can see his balance, start transactions etc. The attackers stole his authentication information which means they can now access this person’s wallet, we have no insight if the backend uses this information to automate transfers similar to MEWKit.

Conclusions

Criminals are slowly learning more and more tricks in order to increase profits and reach more victims and this Telegram-based Android app phishing campaign is just another example. While it wasn’t as effective as MEWKit—this phishing page did not incorporate an ATS—it is most likely still profitable for the actor behind it. Additionally, we advise everyone to avoid GoNative.io apps provided by side-channels because, as we’ve shown above, it’s a good way to run phishing campaigns through a victim’s Android device.

Indicators of Compromise (IOCs)

The following IOCs are also available in a PT project for automatic ingestion here: https://community.riskiq.com/projects/173d9eda-7b1d-f705-6797-8f4e9870c8fd

Domain IP Address
xn--myetherwalet-lcc.net 162.213.123.155
xn--myethrwalle-3bb60n.com 162.213.123.155

 

Filename SHA256
MyEtherWallet .apk 316e74094a69899cf1f50b0a02cd4dbf

 

Share:

Connect with us
Featured Post

Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims