
StepDrainer: A New Threat Across Over 20 Blockchain Networks

A malicious tool named StepDrainer is wreaking havoc by draining crypto wallets across Ethereum, BNB Chain, Arbitrum, Polygon, and more than 17 other blockchains.

StepDrainer is offered as malware-as-a-service and uses deceptive Web3 wallet pop-ups to trick users into authorizing transfers. Some of these fake screens mimic the appearance of legitimate Web3Modal wallet connection dialogs.

Once a victim links their wallet, StepDrainer identifies the most valuable tokens first and swiftly redirects them to wallets controlled by the cybercriminals, according to findings from LevelBlue.

Exploiting Smart Contract Functionality

The tool builds on legitimate smart contract mechanisms such as Seaport and Permit v2 to trigger wallet approval pop-ups that look genuine; the content shown in those pop-ups, however, is fabricated.

In one incident, researchers documented victims receiving a spoofed notification claiming they were gaining “+500 USDT,” which made the approval seem safe.

StepDrainer injects its code through modified scripts and is operated from decentralized on-chain accounts. Because the malicious code does not sit in a single location that scans could easily detect, this approach helps the attackers evade traditional security controls.

The activity is not the work of a single individual: researchers report an underground marketplace where pre-made drainer kits are sold, which lets many attackers add wallet-stealing capabilities to their existing scams.

EtherRAT: Another Malware Targeting Windows Users

In addition to StepDrainer, another piece of malware named EtherRAT poses a significant threat. It specifically targets Windows systems through a counterfeit version of the Tftpd64 network administration tool.

LevelBlue indicates that EtherRAT conceals Node.js inside a fake installer, establishes persistence through modifications to the Windows registry, and uses PowerShell for system checks.

EtherRAT initially targeted Linux but has now extended its crypto-theft tactics to Windows environments.

EtherRAT runs stealthily in the background, examining antivirus software status, system configurations, domain information, and hardware specifics before proceeding with asset theft.

Recent Attacks Show Surge in Wallet Drainings

A recent report by Cryptopolitan reveals that over 500 Ethereum wallets have been compromised within just 24 hours. The attackers extracted upwards of $800K in cryptocurrencies and moved the assets through ThorChain.

On-chain analysis from Wazz indicated that many affected wallets had not seen activity for over seven years. All drained funds were funneled through a single address under the control of the perpetrator.

Experts in cybersecurity urge users connecting their wallets to unknown sites to verify domains carefully, scrutinize transaction details before confirming approvals, and revoke any unlimited token permissions they may have granted.
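The two abuse paths described above, a token approval and a Permit v2 signature request, can be screened on the client side before the user confirms anything. The following is an added defensive example, not code from the LevelBlue report or from StepDrainer: it decodes an ERC-20 `approve()` call and inspects an EIP-712 Permit2 `PermitSingle` request, flagging unlimited allowances, long-lived permits and spenders outside a user-kept allowlist. The allowlist, the 30-day lifetime threshold and all sample values are assumptions constructed for the example.

```javascript
// Added defensive example, not code from the LevelBlue report or from StepDrainer: a
// pre-signature check of the two request types a drainer abuses, a plain ERC-20
// approve() transaction and an EIP-712 Permit2 "PermitSingle" signature request.
// No dependencies; every sample value below is constructed.
const APPROVE_SELECTOR = "0x095ea7b3";        // ERC-20 approve(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n;        // "unlimited" ERC-20 allowance
const MAX_UINT160 = (1n << 160n) - 1n;        // Permit2 amounts are uint160
const MAX_PERMIT_LIFETIME_SEC = 30 * 86400;   // assumption: flag permits that outlive 30 days

// Decode approve(spender, amount): 4-byte selector followed by two 32-byte ABI words.
function decodeApprove(data) {
  const hex = String(data).toLowerCase();
  if (!hex.startsWith(APPROVE_SELECTOR) || hex.length !== 2 + 8 + 2 * 64) return null;
  return { spender: "0x" + hex.slice(34, 74),          // last 20 bytes of word 1
           amount: BigInt("0x" + hex.slice(74, 138)) }; // word 2
}

// Returns human-readable findings; an empty list means nothing risky was seen.
// `trustedSpenders` is a lowercase allowlist the wallet keeps (assumed, not a standard API).
function analyzeRequest(req, trustedSpenders = new Set(), nowSec = Math.floor(Date.now() / 1000)) {
  const findings = [];
  const trusted = (addr) => trustedSpenders.has(addr.toLowerCase());
  if (req.kind === "tx") {
    const call = decodeApprove(req.data || "0x");
    if (!call) return findings;               // not an approve(); out of scope here
    if (call.amount === MAX_UINT256) findings.push("unlimited ERC-20 allowance requested");
    if (!trusted(call.spender)) findings.push(`approve() to unlisted spender ${call.spender}`);
  } else if (req.kind === "typedData") {
    const td = req.typedData;
    if (td.domain?.name !== "Permit2" || td.primaryType !== "PermitSingle") return findings;
    const { details, spender } = td.message;
    if (BigInt(details.amount) === MAX_UINT160) findings.push("unlimited Permit2 allowance requested");
    if (Number(details.expiration) > nowSec + MAX_PERMIT_LIFETIME_SEC) findings.push("Permit2 allowance outlives 30 days");
    if (!trusted(spender)) findings.push(`Permit2 spender ${spender.toLowerCase()} not in allowlist`);
  }
  return findings;
}

// Constructed samples: an unlimited approve() to an unknown spender, and a one-year Permit2 grant.
const SPENDER = "0x" + "ab".repeat(20);
const NOW = 1_700_000_000;
const sampleApproveTx = { kind: "tx", data: APPROVE_SELECTOR + "0".repeat(24) + "ab".repeat(20) + "f".repeat(64) };
const samplePermit2 = { kind: "typedData", typedData: {
  domain: { name: "Permit2", chainId: 1 }, primaryType: "PermitSingle",
  message: { details: { token: "0x" + "cd".repeat(20), amount: MAX_UINT160.toString(),
                        expiration: NOW + 365 * 86400, nonce: 0 },
             spender: SPENDER, sigDeadline: NOW + 1800 } } };
```

A wallet or browser extension would run `analyzeRequest` on every `eth_sendTransaction` and `eth_signTypedData_v4` prompt and surface the findings next to the site's own "+500 USDT" style text, so the user sees what is actually being authorized.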