samczsun, Jul 5, 17 tweets
1/ Today, someone tried to hack me with a crypto stealer, so I guess I've finally made it

Fortunately, they weren't successful, but all it would've taken was three clicks. Read on to learn about how the attack works, how to protect yourself, and some basic malware analysis🕵️
2/ The first step is to create an urgent and compelling hook. When placed under pressure, even trained security professionals might act instinctively instead of rationally. This DM does both.

If you clicked the link, then you're only two clicks away from being pwned
3/ Clicking the link automatically downloads this file to your computer. Once again, this is compelling - who is cryptogeng.eth, and what exactly does the statement claim?

If you open the download, then you're one click away from being pwned
4/ There are two files in the archive. If you have file extensions enabled, then you'll see the first as a URL. If you don't, then you'll see the second as a PDF. Both of these are malicious, and opening either of them would give the attacker full access to your tokens
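Added example (not part of the original thread): a small Python inspector for an archive like the one described in tweet 4. It lists each entry, sniffs the content type from magic bytes rather than trusting the name, and flags double extensions that would display as a harmless-looking "PDF" when Windows hides known extensions. The archive, its file names, the assumption that the second file is a PE executable named with a `.pdf.exe` double extension, and the `.url` shortcut body are all constructed here for illustration; the thread does not give the real names or contents.

```python
import io
import zipfile

# Constructed, deliberately small magic-byte table (not exhaustive).
MAGIC = {
    b"%PDF": "pdf",
    b"MZ": "exe",          # Windows PE executable starts with the DOS "MZ" stub
    b"PK\x03\x04": "zip",
}
URL_HEADER = b"[InternetShortcut]"   # Windows .url shortcut files start with this section


def sniff(data: bytes) -> str:
    """Guess the content type from the first bytes, ignoring the file name."""
    if data.lstrip().startswith(URL_HEADER):
        return "url"
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def displayed_name(name: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on: last extension dropped."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[0] if "." in base else base


def inspect_entry(name: str, data: bytes) -> dict:
    base = name.lower().rsplit("/", 1)[-1]
    exts = base.split(".")[1:]
    declared = exts[-1] if exts else ""
    actual = sniff(data)
    flags = []
    if len(exts) >= 2:
        flags.append("double extension: shown as '%s' with extensions hidden" % displayed_name(name))
    if actual != "unknown" and actual != declared:
        flags.append("content is %s but name claims .%s" % (actual, declared))
    if actual in ("exe", "url"):
        flags.append("opening this executes code or follows a link")
    return {"name": name, "declared": declared, "actual": actual, "flags": flags}


def inspect_archive(zip_bytes: bytes) -> list:
    """Return one finding dict per file entry in a zip given as bytes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [inspect_entry(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]


def build_sample_archive() -> bytes:
    """Constructed stand-in for the downloaded archive; contents are fake placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.url", "[InternetShortcut]\nURL=http://example.invalid/\n")
        zf.writestr("statement.pdf.exe", b"MZ" + b"\x90" * 62 + b"PE\x00\x00")  # fake PE header only
        zf.writestr("readme.txt", "hello")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding["name"], "->", finding["actual"], finding["flags"])
```

The point of sniffing magic bytes is that the name is attacker-controlled and the displayed name is even less trustworthy; a `.url` entry is flagged on its own because following a shortcut is as good as a click on the attacker's link.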
5/ So how do you protect yourself? Well, the first step is to recognize when a message looks suspicious. In this case, the phrasing in the DM was very clunky, and it came from an untrusted source. However, you can't always rely on this, since it's trivial to hire a proofreader
6/ The next step is to take a moment to gather your thoughts if you're in an urgent situation. If you're communicating async, you have all the time in the world to respond. If you're on a phone call, ask them to wait. There's almost nothing so urgent that they can't wait 30s
7/ Don't let curiosity get the better of you. It might be tempting to snoop around, but threat actors know this and they'll exploit it. This is also why you should never plug in USBs that you find lying around, or open files named "2021-12-payroll.xlsx". Curiosity killed the cat
8/ Finally, if someone wants you to download and run a program, you should almost always double check if it's legitimate. Once you run a program, it has full access to your computer, so make sure you trust and verify who the program is coming from
9/ Now on to the basic malware analysis. How did I know that this is a crypto stealer without getting hacked? The first step was to pick a sandbox. I chose Docker because I figured some Windows malware probably wouldn't have a Linux container escape if I accidentally ran it
10/ It turns out the files are chonky
11/ I ran `strings` on the binary to see if anything interesting popped up and it crashed trying to render this seemingly infinite stream of Y
12/ At this point I figured that the binary itself was obfuscated and the Y garbage was embedded in the program, and I contemplated whether I actually cared enough to continue. However, @gf_256 suggested just checking if the files were right-padded
13/ So now I just had to trim off the trailing Y spam
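Added example for tweets 11 to 13 (not the author's script): a Python helper that detects right-padding by measuring the run of identical bytes at the end of a file and trims it. The file is read backwards in chunks so a multi-gigabyte padded sample never has to be loaded whole, which is the problem `strings` ran into. The sample payload and the `Y` padding are constructed here; the thread does not state the real sizes.

```python
import os
import tempfile

# Constructed stand-in for a padded sample: a fake header plus a long run of 'Y'.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + bytes(range(256)) * 4   # does not end in 'Y'
SAMPLE_PADDING = b"Y" * 200_000


def trailing_run(data: bytes) -> tuple:
    """Return (byte_value, run_length) for the identical bytes at the end of data."""
    if not data:
        return (None, 0)
    last = data[-1]
    i = len(data) - 1
    while i >= 0 and data[i] == last:
        i -= 1
    return (last, len(data) - 1 - i)


def is_right_padded(data: bytes, min_run: int = 4096, min_fraction: float = 0.5) -> bool:
    """Padding heuristic: a long trailing run that also dominates the file."""
    _, run = trailing_run(data)
    return run >= min_run and run / len(data) >= min_fraction


def strip_padding(data: bytes, min_run: int = 4096, min_fraction: float = 0.5) -> bytes:
    if not is_right_padded(data, min_run, min_fraction):
        return data
    _, run = trailing_run(data)
    return data[:-run]


def trailing_run_in_file(path: str, chunk: int = 1 << 20) -> tuple:
    """Same as trailing_run, but scans a file from the end in chunks."""
    size = os.path.getsize(path)
    if size == 0:
        return (None, 0)
    with open(path, "rb") as f:
        f.seek(size - 1)
        last = f.read(1)[0]
        run, pos = 0, size
        while pos > 0:
            start = max(0, pos - chunk)
            f.seek(start)
            block = f.read(pos - start)
            stripped = block.rstrip(bytes([last]))
            run += len(block) - len(stripped)
            if stripped:            # the run ended inside this block
                break
            pos = start
    return (last, run)


def strip_file(src: str, dst: str, min_run: int = 4096, min_fraction: float = 0.5) -> int:
    """Write src minus its trailing padding to dst; return the number of bytes kept."""
    size = os.path.getsize(src)
    _, run = trailing_run_in_file(src)
    keep = size - run if (run >= min_run and run / size >= min_fraction) else size
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        remaining = keep
        while remaining > 0:
            block = fin.read(min(1 << 20, remaining))
            fout.write(block)
            remaining -= len(block)
    return keep


def demo_file() -> tuple:
    """Round-trip the constructed sample through a temp file; return (pad byte, run, bytes kept)."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "sample.bin"), os.path.join(d, "trimmed.bin")
        with open(src, "wb") as f:
            f.write(SAMPLE_PAYLOAD + SAMPLE_PADDING)
        byte, run = trailing_run_in_file(src, chunk=4096)   # small chunk to exercise the loop
        kept = strip_file(src, dst)
        return (byte, run, kept)


if __name__ == "__main__":
    byte, run, kept = demo_file()
    print("padding byte %r repeated %d times, %d bytes kept" % (chr(byte), run, kept))
```

One caveat: if the genuine file happens to end with the same byte as the padding, the trim removes those bytes too, so compare the trimmed size against what the header claims (for a PE, the section table) before trusting the result.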
14/ At this point, I had two binaries that I could've opened in IDA or Binary Ninja or any other reverse engineering tool. However, no point working harder if I could work smarter
15/ I dumped both files into @HybridAnalysis and let it run. Sure enough, both files came back malicious
16/ Specifically, both files try to:
a) steal your wallet data directly
b) steal your wallet data from browser extensions
c) steal your Discord session token
17/ So there you have it. All it takes is three clicks for a crypto stealer to get your wallets and session tokens, so make sure you watch for red flags in grammar, don't panic when facing an urgent situation, temper your curiosity, and never run software that you don't trust
