BlockThreat - Week 34, 2019
RubyGem | Beaxy | Moscow | PlusToken
Another fun week in blockchain security, in which a compromised RubyGems account resulted in cryptojacking code being added to a popular Ruby library. More details were revealed about the massive Beaxy exchange hack and the PlusToken scam.
Hacks
- Malicious cryptojacking code found in 11 Ruby libraries - a compromised RubyGems maintainer account was used to upload multiple backdoored versions of the popular rest-client gem.
Indicators:
C2 Host: http://mironanoru.zzz.com[.]ua
Pastebin payload: https://pastebin[.]com/raw/5iNdELNX
- Moscow's blockchain voting system cracked a month before election - a 15k USD bug bounty was claimed by a French security researcher who discovered a flaw in the smart-contract-based Moscow City Duma election system. The smart contract implemented a weak encryption scheme which could be cracked within 20 minutes on a standard personal computer.
Research
- Beaxy — Incompetent. In Denial. Insolvent? - a great investigative report into the XRP partial payment hack of Beaxy exchange including a complete incident timeline. The total loss listed in the article was 43 BTC and 111k XRP.
- A Survey on Ethereum Systems Security: Vulnerabilities, Attacks and Defenses - a detailed threat model of Ethereum on the application, data, consensus, network, and environment layers. The paper also includes examples of attacks and specific defense mechanisms used to protect smart contracts.
- Jump-Oriented Programming on EVM Opcode - an interesting blog post with links to the Defcon 27 Blockchain Village talk, source code and videos covering the use of JOP in smart contracts.
- 10 Million ETH: Big Mysteries Revealed About PlusToken - an investigation into the Ethereum addresses involved in the massive 10 million ETH scam. The report notes that 820k ETH are lying dormant while the remainder has been distributed among 248k Ethereum addresses, with the top 10 accounts holding a significant portion. Of the funds that moved to exchanges, the attackers used Huobi for about half of all transactions, with ZB[.]com, Upbit, Okex, and Gate[.]io trailing behind.
Indicators: https://github.com/elementus-io/plustoken/blob/master/plustoken-ethereum-addresses.csv
- Advances in Automated Smart Contract Vulnerability Detection - a great demonstration of the current state of the art in smart contract security assessment using MythX.
- Bitcoin’s Security Budget is Adequate - an analysis of Bitcoin’s security from an economic perspective.
Malware
- Uncovering a MyKings Variant With Bootloader Persistence via Managed Detection and Response - an in-depth report on a variant of a well-known cryptocurrency miner and a backdoor.
Indicators:
hxxp://js[.]mykings.top:280/v[.]sct
hxxp://js[.]mykings.top:280/helloworld[.]msi
That’s all for this week’s Blockchain Intelligence. Stay safe and don’t install miners at work, especially if you work at a Nuclear Reactor.