November 4, 2021
Editor's note: @qtmoses, an external specialist who consults on crypto investigations, contributed to this report.
On an ongoing basis, TRM Labs tracks threat actors involved in phishing, contract exploits and financially targeted abuse of cryptocurrency. Recently, an active malware campaign that targets decentralized finance (DeFi) through a malicious desktop app aimed an attack at Mango Markets users.
Mango Markets is a decentralized autonomous organization that offers Spot Margin, Perpetual Futures, and Borrow and Lending via mango[.]markets.
On October 6, 2021, direct messages were sent to members of the official Mango Discord group prompting them to navigate to https://mangomarkets[.]net, claiming a Mango desktop app had gone live. Mango members who received this direct message likely did not have their Discord privacy settings configured to prevent direct messages from server members.
This might sound like the start of a familiar tale for crypto users growing accustomed to reading about phishing scams associated with NFT drops or DeFi app website scams, but fortunately, the Mango team was quick to act and notified their Twitter followers that the Mango desktop app was a scam. As a result, it seems that major damage was avoided as no one to date claims to have fallen victim to the desktop app scam.
Even so, there's plenty to learn from this case:
1. @qtmoses lays out best practices here for securing your Discord account to fight back against spammers
2. Unpacking the malware of the desktop app — which we do below — will hopefully keep crypto users mindful of the risks and red flags for this type of scam in the future
Anatomy of a fake desktop app
In this case, the desktop scam app is a malicious program identified as a remote access trojan (RAT). RATs enable hackers to steal information from victims computers. In the case of the fake Mango desktop app, the RAT could lead to the theft of sensitive information associated with cryptocurrency accounts of anyone who may have downloaded the fake app.
When potential victims visit the fake Mango site they can immediately tell something is different. Instead of finding the usual “Trade” button, the user finds a “Download App" button on the right hand side of the website. The fake Mango website claims a new App version was released that is "lightning fast, near zero fees, and permissionless." Everything else associated with the fake Mango website is a carbon copy of the original Mango website.
To date, Mango has only released their web app, and community made desktop apps have yet to launch. Given the sudden nature of this previously unannounced change, most users were careful to report this immediately and the report channel in Discord soon became a graveyard with banned spammer accounts.
Those brave enough to download the fake Mango app were presented with a 118MB executable. The scale of the downloaded size could have worked in favor of the scammers, as this seems reasonable for todays app sizes. What they might have missed, however, is that the DeFi user base is unlikely to be biased towards Windows OS like the global OS market.
At this moment it could be inferred that this was a malicious executable, and to squash any doubt, a quick test using VirusTotal returned 11 (14 as of writing) out of 66 products flagging this executable as malicious.
At execution of the fake Mango desktop app, it was expected that either a legitimate Mango UI with a malicious wallet was stealing code or some plain old trojan. We then saw activity spike up and Wireshark was filled with packets.
When running Windows’ Resource Manager, there was a new user space process named “hdscanner.exe” with an active network connection. Upon inspecting the file, some of the metadata was matching that of the initial file – which was now obvious as just an installer/unpacker.
The next step was to filter the packets in Wireshark to those of the suspicious process. At first, it could be seen the malicious application set up a transport layer security (TLS) connection and everything afterwards was encrypted. In what was potentially a lucky day to analyze the malicious file before a connection was set, the server sent what seemed like a handshake and identified itself in plaintext as being the command and control center for BitRAT.
The BitRAT malware can be purchased from various cybercriminal forums or direct from the alleged creator's social media page. Once the BitRAT malware goes live on a user machine, it has the ability to function as a keylogger that can steal passwords while remotely accessing your machine.
If you downloaded the malicious file, it is critical that you take steps to remove the app from your machine and secure your crypto accounts immediately.
TRM Labs continues to monitor threats targeting the cryptocurrency industry and will provide updates as they become available.
About TRM Labs
TRM provides blockchain intelligence to help financial institutions, cryptocurrency businesses and public agencies detect, investigate and manage the risk of crypto-related fraud and financial crime. TRM's risk management platform includes solutions for transaction monitoring and wallet screening, VASP due diligence and investigative tools to trace the flow of funds. TRM is the only tool with cross-chain analytics, providing coverage across 23 blockchains and more than 900,000 assets.
TRM is based in San Francisco, CA, and is hiring across engineering, product, sales, investigations, and data science. To learn more, visit www.trmlabs.com. To report a lead to Global Investigations, email us firstname.lastname@example.org.
Need support on an investigation?
Fill out the form to speak with our team about investigative professional services.