
Party Royale / Party World Web3 Scam & Malware Analysis

A new malicious party is on the horizon.

Recently I've been reached out to by two different parties on Twitter via DMs. Both were advertising jobs, ranging from marketers to ambassadors to blockchain devs, all the way to Discord moderators. One of them started off direct; the other slow-dripped the information over several days. The two accounts that reached out to me are @Maurice_eth1 and @CoinAstra.

Here is the start of each chat:

And:

And here are the full chat logs for anyone interested.

// @Maurice_eth1

Maurice: Gm dawg, whatchu do in crypto? Just investing/degening or?

Alp1n3: Howdy m8, I am just here for the security :D wbu?

Maurice: Oh that's cool. I'm head of devs at @PartyWorldOGIX. And worked in few projects before, you can see em in my bio. We're looking for some people who might be suitable for the marketing team, an ambassadorship, in-game chat moderator and blockchain devs, would you be interested by any chance?

Alp1n3: What kind of blockchain dev? Straight up solidity?

Maurice: 
----------------------------------------
Job Description:
We are seeking a talented and experienced Blockchain Developer to join our team and contribute to the development of our upcoming shooter crypto game. As a Blockchain Developer, you will play a key role in designing, implementing, and maintaining blockchain-related features and functionality within the game.

Responsibilities:

1. Collaborate with the game development team to integrate blockchain technology into the game architecture.
2. Design and implement smart contracts to manage in-game assets, transactions, and player interactions on the blockchain.
3. Develop secure and efficient blockchain solutions to ensure scalability, reliability, and optimal performance.
4. Integrate cryptocurrency payment systems and NFT (non-fungible token) mechanics into the game economy.
5. Research and implement the latest advancements in blockchain technology to enhance the gaming experience.
6. Work closely with game designers and artists to ensure seamless integration of blockchain features with the game's visual and gameplay elements.
7. Participate in code reviews, testing, and debugging to maintain high-quality code standards.

We offer 1000$ per week part-time working and 2200$ per week full-time working

Can you handle that?
----------------------------------------

Alp1n3: Yeah, I can handle any portions of the codebase surrounding specifically Solidity & CI/CD. I’m not a front end dev though so anything involving HTML/CSS/JS is a no-go for me.

Maurice: Got it! May I ask you some questions to get to know you better? We look forward to long-term cooperation and offer significant opportunities for career growth within our company

Alp1n3: Yeah, go for it! I’m excited for the opportunity!

Maurice: Kindly tell me about yourself and previous work experience you have in Web3. How old are you and where are you from? If you have a resume ready, feel free to send it here. Also what are your strengths?

Alp1n3: I’m a dev & solidity smart contractor. I have experience w/ Go, Solidity, JS, and several other langs. In web3 I have a year of experience but in web2 I have several more. I also have a Bachelors and Masters. I don’t have a resume because every job I’ve gotten has been from word of mouth, including my current one. I am 25 and am from Colorado, USA. My strengths are my out of the box thinking and ability to learn anything; I’m not kidding, I can get any task done you need me to do (as long as it’s realistic haha).

Maurice: Oh so you got decent experience, in my opinion you'll be great fit for us, I think we will have a productive cooperation and you will be able to realize your ambitions in our company. If you have any more questions about our project/job, feel free to ask me anything!

Alp1n3: No questions here! Just excited to start!

Maurice: Wait I totally forgot to introduce our project sorry. Our project is a P2E game @PartyWorldOGIX. Partyverse stands as a themed dreamland paradise sculpted by OGX̅, where perpetual celebrations ensue, allowing players to enlist legendary figures across diverse industries, known as Hero Icons, to form expeditionary teams. Together, they venture forth, exploring and seeking the treasures and eternal assets collected by the OGX̅. These treasures and assets not only boast immense worth but are exclusively accessible to the most courageous and fortuitous treasure hunters. It's a desktop game, but we're developing mobile version some sneak peeks for ya. Mob version will be deployed in 3 weeks approx. https://linktr.ee/partyworldgames Let me know what do you think mate

And here is the chat with @CoinAstra:

// @CoinAstra

CoinAstra: GM legend! I'm Lee from USA! Are you very active user in twitter and we wanna offer you a paid job. (Discord and Game Moderation / and support role) Our project is a game in the WEB3 world. We will soon launch mass advertising and in order to be ready to serve all players we need to assemble a friendly and strong team! We would like to invite you to work with us as a moderator or support. If you need more info. Let me know! Salary start from 900$ per week! Daily payments is possible. We conclude official contracts with you and send you the necessary data to the required email after a short and quick interview.

Alp1n3: Sure I’d be interested. Do you pay in USDC? I’d be down to interview for the moderator gig.

CoinAstra: Hi. Shortly im presenting NFT project "PartyWorld". (https://linktr.ee/partyworldgame) We are looking for Game Moderators or CM moderators. Offer is 900$ per week. 6h / day work. We need a moderator who will monitor social networks and answer questions from our new players about all the events of our project. You should also familiarize yourself with our game so that you can help our players at any time. Can you let us know what is your Name? Where are you from? Have you experience before in CM / Game moderator role?

Alp1n3: Totally! My Discord is alp1n3_eth. I’m from the US. I have previous experience managing discord servers for web2 gaming communities, and I’ve been involved in web3 for 2 years. Strictly web3 community involvement is limited to only 1 year, but I’m plugged into a ton of different communities there. I also have setup several different servers for different gaming communities in the past.

CoinAstra: Your task is to process and resolve tickets in our discord server from our new users. That is, you will have to answer all questions from our new players about our game and project and be aware of everything. Also moderate the chat and ban inappropriate users and delete inappropriate content. Could you join in our discord please and create a ticket? Tag me in Ticket: @Bro0 (That's my nickname in discord). Discord: 

Alp1n3: Sounds good to me! ✅ ticket created

CoinAstra: answer in ticket

From there we continued on Discord where I created a ticket:

Throughout these chats some accounts were referenced and links were dropped, here they are:


From the last requirement of that Discord message, you'll see that they require you to sign up for their video game (Party World / Party Royale). They've got a TON of instructions on how to sign up and install the game in their GitBook. Interestingly enough though, there's just a direct download page on their site.

Clicking either option downloads a .dmg file, which is only compatible with Mac. This might be a user-agent thing (as I'm using a Mac), so Windows users aren't in the clear yet. Throwing it into VirusTotal yields some results, but it isn't violently waving a red flag.


Before diving into any analysis, I wanted to see if there was any extra information surrounding this site, so I started with a simple Google search.

Looks like someone has beaten me to it! It's always on Medium as well (sadly). Published by the Cyber Strategy Institute, the article can be found here. They give a great overview of the tactics and techniques they observed. The ones I experienced are a little different and can be summarized like this:

  1. Reach out via DMs, offering a job.

  2. Potentially require you to go through Discord to discuss further.

  3. Part of the onboarding process for the "job" will require you to download their game, which is malware.

Other similar scams may involve fake Discord or Calendly links, malicious Zoom downloads, etc., so keep an eye out; this isn't the only way these guys operate. This is what their site looks like:


So, back to VT. Normally I don't like including too much from VT in my analysis posts, as it's helpful to walk through the sample yourself and fix any issues you run into, but VT is a GREAT tool for non-malware-analysts to use in order to quickly evaluate suspicious binaries and sites. It isn't the end-all-be-all source of truth (a 0/72 score doesn't necessarily mean something is fully clean), but it is a phenomenal first stop for individuals trying to stay safe in this ever-evolving world of malware and scams online.


Also, be careful with these files and don't run them on your machine unless you know what you're doing.


So let's now take a static look at it on my Mac. If you're following along, just make sure not to run anything as I will be doing ZERO dynamic analysis here, and we don't need you getting your computer infected. First things first, let's make sure the file is what it says it is:

It isn't very large either:

Attaching the .dmg file is okay; just be sure not to run anything contained inside of it. It can be attached using the following command:

hdiutil attach PartyLauncher.dmg

And looks like this:

Navigating over to the mounted volume, here's the binary contained inside it:

Now that the REAL executable can be accessed from the mounted .dmg file, I'll throw it into VirusTotal.

SHA-256

83b53fa861bb52ca6e27abe95937e639fbcd2b491a933473e33bc8741735f65b

MD5

24f9a9ed5dcff37af8fb1637293a4b83

It lit up like a Christmas tree! 🎄 This is an important lesson for people using Macs: if it's a .dmg and you try to use VT to evaluate the .dmg itself, it probably isn't going to give you a whole lot of useful information, because the actual malware is contained inside that file. This is a much easier go/no-go decision for your everyday web3 netizen than the previous VT example. I've gone ahead and highlighted two of the main portions to look at to make a quick decision. My general rule of thumb is that anything over 5 is almost definitely something to be at least extremely suspicious of, and anything over 8-10 is definitely malicious. Of course, this only applies when you are working directly with the affected file, and there are edge cases that are so well engineered or new that they end up not being detected at all. As previously stated, VT isn't the end-all-be-all final decision of maliciousness.
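To make the "hash the binary, not the container" step repeatable, here is a small Python helper added for this write-up (not code from the original post or from the malware authors). It assumes macOS hdiutil for the mount; the Mach-O detection and hashing helpers run on any platform.

```python
"""Hash the payload inside a .dmg instead of the container.
Added example, not code from the original post. It mounts the image
read-only with autoopen disabled (nothing inside is executed), finds Mach-O
executables by magic bytes and prints the SHA-256/MD5 to look up on
VirusTotal. The helpers run anywhere; mounting itself needs macOS hdiutil."""
import hashlib
import os
import plistlib
import subprocess
import sys

# Mach-O magics (32/64-bit, both byte orders) plus the fat/universal header.
# Caveat: 0xCAFEBABE is also the Java class-file magic, so a match means
# "worth hashing and checking", not proof of a Mach-O.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}

def is_macho(path):
    """True if the file starts with a Mach-O or fat-binary magic."""
    with open(path, "rb") as f:
        return f.read(4) in MACHO_MAGICS

def hash_file(path):
    """Return (sha256, md5) hex digests, streamed so large binaries are fine."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            sha.update(chunk)
            md5.update(chunk)
    return sha.hexdigest(), md5.hexdigest()

def find_macho_files(root):
    """Walk a mounted volume (or any directory) and return Mach-O paths, sorted."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path) and is_macho(path):
                found.append(path)
    return sorted(found)

def attach_readonly(dmg):
    """Mount via hdiutil without Finder browsing or autoopen; return the mount point."""
    cmd = ["hdiutil", "attach", dmg, "-readonly", "-nobrowse", "-noautoopen", "-plist"]
    out = subprocess.run(cmd, check=True, capture_output=True).stdout
    for entity in plistlib.loads(out)["system-entities"]:
        if "mount-point" in entity:
            return entity["mount-point"]
    raise RuntimeError("hdiutil reported no mount point")

if __name__ == "__main__":
    mount = attach_readonly(sys.argv[1])  # e.g. PartyLauncher.dmg
    try:
        for path in find_macho_files(mount):
            sha256, md5 = hash_file(path)
            print(f"{path}\n  SHA-256 {sha256}\n  MD5     {md5}")
    finally:
        subprocess.run(["hdiutil", "detach", mount], check=False)
```

Run it as `python3 hash_dmg_payload.py PartyLauncher.dmg`; the printed SHA-256 is what you paste into the VT search box.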

Some malware is so low-effort that you can literally read the strings output to get quick wins. This can include things like:

  • Command-and-control infrastructure

  • Websites / URLs

  • Commands

  • Base64-encoded blobs (that then have the above inside of them)

  • And tons more.

Let's run strings on this file by executing the following command:

strings PartyLauncher

Which produces this output:

sword." with tit\n\nPlease enter you
mcohilncbfahbmgd
klghhnkeealcohjjlcmncloheoekhbmlajopcimklncnhjedoafedfoadhdjjcipbopcbmipnjdcdffleajafomhmkipbjmfgpnihlnnodeiiaakjiidiaalihmmhddjfpibioaihcagphbionhogfjeacnfoofkkilnpioakcdndlodabogmiocnneedmmefiikommddbeccaoiaflkmfhebedbjioimopnmbcafieddcagjnlgamecbpmbajjfopfgelmcmbiajamekhpkpbbcccdmmclmomaabbefbmiijednibnejdfjmmkpcnlpnkbihfbeogaeaoehdjclckkglechooblbocpokimicclpaienphplpgoakhhjchkpocmplpaccanhmnlmfhbebgoclkghebffhilaheimglignddhnhobjmcibchnmglapnehcjmnengpnmccjmkndjhnagcfbpicmndjbecilbocjfkpnndplcbkakcplkjdhgnlgphgchebgoefhbohimaelbohpjbBinance Chain WaffnbelfdoeiohenkafbcbjpbpfadlkmhhnfanknocfeofbddhpglfhgfnhbgpjdecjelfplplebdjjenkncchdigobghenbbamkmjjmmflddogmhnlbmnnijcnlegkjjppdadbejkmjnefldfnjhmkhhmkbjkkabcphhlgmgameodnhknhnkbkgjikgcigadkpfopkelmapcoipecopjnifcecdedoceFreaksAxie Walleaiifbnbfobpmeekidmkamcknogkgcdfhcnmamaachppnkjgnjojhfeoedkpkglbfflpiciilemghbmfanknhiehlklippafahcflpincpppdclinookjlbkiijinhpmnmnfifefkajgofkcjhmeobnfnfcmdkdcmdkdedlpgdmmkkfjanlgbhdfgdhgbiamfcihmoadaighcejoplodccjjbdhfakaekbcopgchhojmggmffklnaejjgbibmhlepaeachknmefphepccfnnegphlobjdpkhepdadjkfkgcafgbceacmacodkjbdgmolebfnaelmomeimhlpmcgeeodpfagjceefiimloifkgjagghnncaholpfdialjgjfhoegjidjbpglichdcoefbglgofoippbgcjdlcobpjiigpikoobidnnbdplmphpflfnopcgpfmipidbgpenjbdaocneiiinmjbjblnieiiffboillknbhhhlbepdkbapadjejbalbakoplchlghlpfcbjknijpeeillppbibelpcjmhbdihlgmpcpglpngdoalb
lder to ((path t-e 'set safariFo
s string
h to home folder-e 'set homePath to 
:group.com.appleoup ContainersGrlePath t
Path & "Library:-e 'set sourceFio ho
seFolderPath wit
ath to folder basourceFilePlder e" o
"NoteStore.sqlit-e 'duplicate fi
", "wallet", "ke "doccx", "rtf",t to {"txt", "do-e 'set extensionsLi
every file of de-e 'set desktopFiles
ath to home fold
Documents" of (pfile of folder "sFiles to every -e 'set document
aFile in (deskto-e 'repeat with o name extension-e 'set fileExtensio
-e 'if fileExtension is 
 to size of aFil-e 'set fileSize-e 'if fileSize ath with replacileGrabberFolderPile to folder fi-e 'duplicate aF
questerRsrc --keditto -c -k --se.zip --norsrc ---I % basename "%args System' | xm'" | grep -v '/SysteemKind != 'bundle' && kMDIttion-ple.applicatType == 'com.apmdfind "kMDItemConte
/password-entere | sudo -S spctl
25/get.php?apikehttp://85.28.47.
Starting assets  --progress-bar s/Ledger Live.apmv "/Application/Ledger Live.app
Finder" to move 
ll application "osascript -e 'te/app.asar" to POes/" with replacContents/Resourck" to POSIX file/Electron Framework.fram
rks/" with replaContents/Framewo/Info.plist" to Contents/" with Contents/CodeResContents/_CodeSiContents/MacOS/Lcodesign --remov
xattr -d com.app/Ledger Live" toContents/MacOS/"" "/Applicationssplay dialog "Soosascript -e 'di
_NSt3__114basic_ofstreamIcNS_11char_traitsIcEEEE
NSt3__113basic_filebufIcNS_11char_traitsIcEEEE
NSt3__114basic_ifstreamIcNS_11char_traitsIcEEEE
/dev/urandom
basic_string
vector
thread constructor failed
\n\nPlease enter-e 'set safariFo-e 'set homePath-e 'set sourceFi-e 'duplicate fi-e 'set extensio-e 'set desktopF-e 'set document-e 'repeat with -e 'set fileExte-e 'if fileExten-e 'set fileSize-e 'duplicate aFditto -c -k --semdfind "kMDItemC | sudo -S spctlhttp://85.28.47.mv "/Applicationosascript -e 'teContents/Resourc/Electron FramewContents/Framewoosascript -e 'di
mcohilncklghhnkelcmnclohajopcimkoafedfoabopcbmipeajafomhgpnihlnnjiidiaalfpibioaionhogfjekilnpioaabogmiocfiikommdaflkmfhemopnmbcajnlgamecopfgelmckhpkpbbcomaabbefibnejdfjnkbihfbedjclckkgbocpokimnphplpgopocmplpamfhbebgofhilaheihnhobjmcapnehcjmcjmkndjhcmndjbecpnndplcbdhgnlgphfhbohimaffnbelfdafbcbjpbhnfanknohpglfhgfcjelfplpkncchdigamkmjjmmnlbmnnijppdadbejfnjhmkhhcphhlgmgnhnkbkgjkpfopkelcopjnifcaiifbnbfdmkamckncnmamaacjojhfeoeflpiciilnknhiehlhcflpincookjlbkimnfifefkhmeobnfndkdedlpgnlgbhdfgcihmoadalodccjjbbcopgchhklnaejjgaeachknmfnnegphlpdadjkfkacmacodkbfnaelmocgeeodpfimloifkgaholpfdiegjidjbpefbglgofdlcobpjiidnnbdplopcgpfmijbdaocneblnieiifbhhhlbepejbalbaklpfcbjknppbibelplgmpcpglners:grop Contai
rary:GroaseFoldefolder bePath totore.sqlte" of fallet", doc", "w "rtf", t to {"t of (patcuments"older "Ds to eveo name esion is -e 'if folderPatGrabberFlder filquesterR.zip --nm' | xar '/Syste| grep -d != 'SyDItemKinle' && kpplicati.apple.ae == 'co25/get.pStarting/app.asaork.fram/Info.plContentscodesignxattr -d/Ledger 
NSt3__114basic_ofstreamIcNS_11char_traitsIcEEEE
NSt3__113basic_filebufIcNS_11char_traitsIcEEEE
NSt3__114basic_ifstreamIcNS_11char_traitsIcEEEE
/dev/urandom
basic_string
vector
thread constructor failed

So at first glance there do seem to be some encoded blobs, and some strings are a little mixed up, but a lot of this can be easily pieced back together. The first easy win can be seen here:

Putting it back together gives "http[://]85[.]28[.]47[.]25/get.php". Navigating to this site yields some useful information as well.

IPs (Malicious)

85.28.47.25

And

We've got an IP/URL that most likely requires a specific key in the URL or in the body of a request in order to interact with it. You can always attempt to dig deeper and find the key, but for now let's take a look at the IP itself using Shodan. The open ports are listed as 22, 80 and 8080. A default NGINX response can be seen over port 80, which is the HTTP address we navigated to in the first screenshot.

Performing a WHOIS lookup on it reveals it to be hosted by a popular "bulletproof" hosting provider called "1337 HOSTING LTD", which is well known to be used by individuals engaged in activities like piracy/torrenting.

Looking further through the strings output, you can infer some of the malware's potential functionality.

Even if you don't know what these things are, or what they are used for, Google is your friend in these instances:

It looks like this malware might have the functionality to grab the contents of your Apple Notes application and then, most likely, send those contents to the C2 (command-and-control) server. Checking further, there are several references to "Ledger Live", which is the macOS desktop app for interacting with a Ledger device.
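As an added example (not from the original post), the following Python script turns the manual strings-reading above into a repeatable triage pass. Its regexes are built from the fragments visible in the dump above; the SAMPLE lines are constructed to resemble that dump, with the get.php URL already pieced together as done above, and the extension-ID line uses one well-known wallet extension ID (MetaMask's) plus a made-up one.

```python
"""Behaviour triage of `strings` output from a suspected macOS stealer.
Added example, not code from the original post: the regexes come from fragments
in the PartyLauncher dump (osascript file grabber, NoteStore.sqlite, ditto, sudo -S,
Ledger Live tampering, the get.php URL). SAMPLE is constructed to resemble that
dump with the URL pieced together; ext ID 1 is MetaMask's public one, ID 2 made up."""
import re
INDICATORS = {
    "applescript_exec": re.compile(r"osascript -e"),
    "file_grabber":     re.compile(r"duplicate (fi|aF)|extensionsLi|desktopFiles|GrabberFolder"),
    "notes_db_theft":   re.compile(r"NoteStore\.sqlit|group\.com\.apple"),
    "staging_archive":  re.compile(r"ditto -c -k"),
    "password_prompt":  re.compile(r"sudo -S|display dialog|[Pp]assword"),
    "ledger_tamper":    re.compile(r"Ledger Live|codesign --remov|xattr -d com\.app|app\.asar"),
}
URL_RE = re.compile(r"https?://[^\s\"']+")
# Chrome extension IDs are 32 letters a-p (hex nibbles remapped); stealers carry
# wallet-extension ID lists to pick which browser profile dirs to copy.
EXT_ID_RE = re.compile(r"(?<![a-p])[a-p]{32}(?![a-p])")

SAMPLE = """\
osascript -e 'display dialog "Please enter your password." with title "System"'
-e 'set extensionsList to {"txt", "doc", "docx", "rtf", "wallet"}'
-e 'duplicate aFile to folder fileGrabberFolderPath with replacing'
-e 'duplicate file "NoteStore.sqlite" of folder sourceFolderPath'
ditto -c -k --sequesterRsrc grabbed.zip
| sudo -S spctl
http://85.28.47.25/get.php
mv "/Applications/Ledger Live.app"
codesign --remov
xattr -d com.app
nkbihfbeogaeaoehlefnkodbefgpgknnBinance Chain Walletabcdefghijklmnopabcdefghijklmnop
"""

def defang(url):
    """hxxp scheme and bracketed dots in the host only, so the path stays readable."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path

def triage(strings_output):
    """Map behaviour names to the lines (or extracted values) that evidence them."""
    hits = {}
    for line in strings_output.splitlines():
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.setdefault(name, []).append(line)
        for url in URL_RE.findall(line):
            hits.setdefault("c2_url", []).append(defang(url))
        for ext_id in EXT_ID_RE.findall(line):
            hits.setdefault("wallet_extension_ids", []).append(ext_id)
    return hits

def verdict(hits):
    """Strings suggest but never prove behaviour; 3+ distinct categories => likely stealer."""
    return "likely infostealer" if len(hits) >= 3 else "inconclusive"

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(verdict(result), sorted(result))
```

Feed it real output with `triage(open("strings.txt").read())`; a verdict of "inconclusive" on a fragmented dump is exactly the case where the manual reassembly shown above is still needed.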

Does this confirm the functionality? Not fully, but it does suggest that the malware may either:

  1. Attempt to steal funds from the Ledger Live app / interact with it in some way or

  2. Replace the Ledger Live app with a malicious version. Who knows what this could do.

Both are possibilities, and personally I'm leaning towards #1, but without digging further it can't be confirmed for sure. Ledgers should always be safe up until the point you have one plugged in and confirm a transaction using the device, but there are different tactics that could be used to potentially replace addresses in the computer's clipboard, attempt to push through malicious transactions, and much more.

This is why it is important to understand the underlying process and be able to handle malware safely in your own environment as an analyst. The VT "Behavior" page does not identify the C2 server or the ability to interact with the Ledger Live app. Even though I've only been doing static analysis up to this point, I've been able to identify more than the dynamic analysis engines used by VT for macOS apps (OS X Sandbox and Zenbox macOS).

At this point the analysis can be pushed further for more information, but a large amount of great information has been observed, and I don't have my dynamic analysis environment set up yet for macOS, so I'd rather get this info out (A.K.A. I'm lazy pt. 2). I hope this information is able to help someone; let me know if it does!
