Blogpost: Ethereum Threat Actors Part 3 — Phishings/Scams using Smart Contracts

Ethereum smart contract  malware  threat actor phishing patrick ventuzelo blogpost quoscient analysis scams

2019/04/03 @ QuoScient Medium

In part three of our mini-series (see part #1 & part #2) describing how cybercrime actors are using the Ethereum blockchain for fraudulent means, we analyze a phishing tactic that used a smart contract address. Interestingly, this smart contract is not unique and the exact same closed-source bytecode is used in more than 130 thousand smart contracts.

  1. Phishing on Forums/Telegram.
  2. Quick analysis of the Smart contract Bytecode
  3. Who is behind 0xAf1931c20ee0c11BEA17A41BfBbAd299B2763bc0?
  4. Similar Luno user wallets Used for Phishing
  5. Conclusion
  6. Indicator of Compromise

link / pdf

Blogpost: Ethereum Threat Actors Part 2 — ClipboardWalletHijacker Malware Still Active.

Ethereum clipboard hijacker malware patrick ventuzelo blogpost quoscient analysis qihoo360 Bitcoin

2019/02/18 @ QuoScient Medium

In part two of our mini-series (see part #1) describing how cybercrime actors are using the Ethereum blockchain for fraudulent means, we analyze a clipboard hijacker malware targeting Bitcoin and Ethereum users. This malware, renamed ClipboardWalletHijacker by Qihoo360 Security Center, was first discovered in June 2018, after having infected 300 thousand computers within a week.

  1. Quick ClipboardWalletHijacker Analysis
  2. Hijacked Ethereum Transactions
  3. Cryptocurrency Exchange Used by the Actor
  4. Packers & Variants
  5. Conclusion
  6. Indicator of Compromise

link / pdf

Blogpost: Ethereum Threat Actors Part 1 — DotNet Downloader using Ethereum Transactions for C&C updates.

Ethereum threat actor botnet transaction tracking patrick ventuzelo QuoScient C&C updates blockchain blogpost dotnet ilspy etherscan bigquery

2019/02/04 @ QuoScient Medium

As part of our research into how cybercrime actors using the Ethereum blockchain for fraudulent means, we analyzed a DotNet downloader that retrieves the malicious payload from URLs stored inside Ethereum transactions. We analyzed the sample provided by a German Security Researcher, Karsten Hahn @struppigel in this tweet.

  1. Downloader analysis
  2. Main Function
  3. GetLastTransactionHashFromAddress function
  4. GetAdditionalDataFromTransaction function
  5. Transaction analysis
  6. C&C Update Pricing
  7. Blockcypher service
  8. Future of Ethereum botnet
  9. Conclusion
  10. Indicators of Compromise

link / pdf