The Feed 2025-01-13

  • Red Delta’s Evolving PlugX Tactics: RedDelta, a Chinese state-sponsored threat activity group, has targeted various countries in Asia using PlugX malware and has adapted its infection chain several times since 2023.

Original link: https://go.recordedfuture.com/hubfs/reports/cta-cn-2025-0109.pdf

  • FunkSec – Alleged Top Ransomware Group Powered by AI - Check Point Research” FunkSec is a new ransomware group that uses AI in the development of their tools and whose motivations appear to be a mix of hacktivism and cybercrime.

Original link: https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/

  • PHP Servers Vulnerability Exploited To Inject PacketCrypt Cryptocurrency Miner” A vulnerability in PHP servers is being exploited to inject cryptocurrency miners.

Original link: https://gbhackers.com/php-vulnerability-packetcrypt-mining/

  • Transaction Simulation Spoofing: A New Threat in Web3: A new phishing technique in Web3 involves attackers strategically modifying smart contract states, exploiting transaction simulation features to drain victims’ wallets.

Original link: https://drops.scamsniffer.io/transaction-simulation-spoofing-a-new-threat-in-web3/

Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain

Summary

This report details the activity of RedDelta, a Chinese state-sponsored threat activity group. This report analyzes the group’s activity between July 2023 and December 2024. This group uses spearphishing emails to deliver malware and is known for targeting government and diplomatic organizations with a particular focus on Southeast Asia, Mongolia, and Europe. From July 2023 to December 2024, RedDelta targeted Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia using a customized version of the PlugX backdoor. The threat actors were observed to be leveraging Cloudflare CDN in order to proxy Command and Control traffic to threat actor-controlled C2 servers. RedDelta targeted these entities with lure documents themed around the 2024 Taiwanese presidential candidate Terry Gou (郭台銘), the Vietnamese National Holiday, flood protection in Mongolia, and meeting invitations, including an Association of Southeast Asian Nations ASEAN meeting. The group has evolved their infection chain several times in this period. They have been observed to use LNK files, MSC files, and HTML files to deliver their malware.

Technical Details

  • Since July 2023, RedDelta targeted Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia with its customized backdoor PlugX.
  • RedDelta has evolved its infection chain multiple times since mid-2023.
  • The group has used LNK files and MSC files as the first-stage components.
  • In both cases, a PowerShell command downloaded and installed a remotely hosted Windows Installer (MSI) file. This MSI file dropped a malicious dynamic-link library (DLL) loader written in the Nim programming language, a legitimate binary vulnerable to search order hijacking, and an encrypted payload that ultimately loads PlugX.
  • The group has consistently registered new domains that use the Cloudflare content delivery network CDN) to proxy C2 traffic to the groupʼs backend threat actor-controlled virtual private servers VPSs).
  • Insikt Group identified IP addresses in Henan province used by RedDelta to administer its PlugX C2 servers, pointing to a potential threat actor operating location.

Infection Chains

New Infection Chain Leveraging Windows Shortcut (LNK) and Windows Installer (MSI) Files Used to Continue Targeting Mongolia (July 2023)
  • Windows LNK file is delivered, likely via spearphishing.
  • LNK file runs a PowerShell command.
  • PowerShell command downloads and installs a remotely hosted MSI file.
  • The MSI file drops three files:
    • A legitimate executable.
    • A malicious loader DLL written in the Nim programming language.
    • An encrypted payload.
  • The legitimate executable uses DLL search order hijacking to execute the malicious loader DLL.
  • The malicious loader DLL decrypts the payload, which loads PlugX into memory.
  • PlugX beacons to C2.
Taiwan Targeting (October 2023)
  • Taiwan-themed malware samples used decoy documents.
  • Identical infection chain as July 2023 Mongolia targeting.
Myanmar Targeting and Use of Microsoft Management Console MSC Files May 2024)
  • Initial infection chain adapted to use MSC files.
  • MSC files run a PowerShell command.
  • PowerShell command downloads and installs a remotely hosted MSI file.
  • Cloudflare’s geofencing capabilities observed.
  • Infection chain closely resembles previous activity.
Mongolian Ministry of Defense, Myanmar, and Vietnam Targeting (August 2024)
  • Renewed activity compromises entities in Mongolia, Myanmar, and Vietnam.
  • Limited targeting in Bahrain and Ethiopia.
  • Spearphishing against the Vietnamese Ministry of Public Security, but no compromise.
  • Windows Installer files dropped a legitimate Logitech executable vulnerable to DLL search order hijacking, a malicious loader DLL written in NIM, and an encrypted PlugX payload.
  • MSC files observed using GrimResource technique to execute code.
Use of HTML Files and Wider Targeting (September–November 2024)
  • RedDelta observed using HTML files for malware delivery.
  • HTML files distribute malicious MSC files targeting Windows OS users.
  • Infection chain remains consistent with past activity.
  • New legitimate imecmnt.exe executable observed.
  • DLL sideloading of imecmnt.exe observed for ShadowPad delivery in Southeast Asia.

Observed Tools and Techniques

  • Spearphishing
  • Windows Shortcut (LNK) files
  • Microsoft Management Console Snap-In Control (MSC) files
  • HTML files
  • PowerShell
  • Windows Installer (MSI) files
  • DLL search order hijacking
  • Cloudflare CDN
  • Geofencing
  • GrimResource technique
  • DLL Side-loading
  • PlugX backdoor
  • ShadowPad
  • Nim programming language

Recommendations

  • Deploy the YARA and Sigma rules written by Insikt Group, detailed in Appendix C, to detect RedDelta MSI, DLL, and LNK files.
  • Configure your intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defense mechanisms in place to alert on — and upon review, consider blocking illicit connection attempts from — the external IP addresses and domains listed in Appendix A.
  • Keep all software and applications up to date, particularly operating systems, antivirus software, and core system utilities.
  • Filter email correspondence and scrutinize attachments for malware.
  • Make regular backups of your system and store the backups offline, preferably offsite so data cannot be accessed via the network.
  • Adhere to strict compartmentalization of company-sensitive data. In particular, look at which data anyone with access to an employee account or device would have access to (for example, through device or account takeover via phishing).
  • Strongly consider instituting role-based access, limiting company-wide data access, and restricting access to sensitive data.
  • Employ host-based controls; one of the best defenses and warning signals to thwart attacks is to conduct client-based host logging and intrusion detection capabilities.
  • Disable basic and legacy authentication where possible, as these can allow attackers to bypass in-place security measures.
  • Implement basic incident response and detection deployments and controls, such as network IDS, NetFlow collection, host logging, and web proxy, alongside manual monitoring of detection sources.
  • Practice network segmentation and ensure special protections exist for sensitive information, such as multifactor authentication and extremely restricted access and storage on systems only accessible via an internal network.
  • Recorded Future Third-Party Intelligence module users can monitor real-time output to identify suspected targeted intrusion activity involving key vendors and partners within physical, network, and software supply chains.
  • By monitoring Malicious Traffic Analysis MTA), Recorded Future customers can alert on and proactively monitor infrastructure that may be involved in notable communication to known RedDelta command-and-control C2 IP addresses.
  • Install the Recorded Future Threat Intelligence Browser Extension to get instant access to threat intelligence from any web-based resource. This extension enables users to process alerts faster within their security information and event management (SIEM) and prioritize vulnerabilities for patching.
  • Review public guidance on mitigating common TTPs used by Chinese state-sponsored groups (1, 2, 3, 4).
  • Review Insikt Groupʼs report “Charting Chinaʼs Climb as a Leading Global Cyber Powerˮ for trends and recommendations for mitigating Chinese advanced persistent threat APT activity more broadly.

Hunting Methods

Sigma rule to detect RedDelta DLL hijacking attempts to load PlugX:
title: Potential RedDelta APT DLL Hijacking Attempt
id: a8535c40-4e04-4ff6-baea-479ea6b0adea
status: stable
description: Detects DLL potential hijacking of LDeviceDetectionHelper.exe in a subdirectory of AppData\Local. Used by RedDelta APT to load PlugX.
author: MGUT, Insikt Group, Recorded Future
date: 2024/09/06
references:
- https://tria.ge/240803-bmgessseme/behavioral1/analog?q=lDevice&image=C%3A%5CUsers%5CAdmin%5CAppData%5CLocal%5CaPGfRwbjwQD%5CLDeviceDetectionHelper.exe
tags:
- attack.t1574.001 # Hijack Execution Flow: DLL Search Order Hijacking
logsource:
    product: windows
    category: process_creation
detection:
    image_start:
        Image|startswith:
        - 'C:\Users\'
    image_end:
        Image|endswith:
        - '\AppData\Local\*\LDeviceDetectionHelper.exe'
condition: image_start and image_end
level: critical
falsepositives:
- Unlikely
YARA rule to detect RedDelta loaders written in NIM:
import "pe"
rule APT_CN_RedDelta_Nim_Loader_DEC23 {
    meta:
        author = "JGrosfelt, Insikt Group, Recorded Future"
        date = "2023-12-21"
        description = "Detects RedDelta RC4 Implementation in Nim Loaders"
        version = "1.0"
        RF_THREATACTOR = "RedDelta"
        RF_THREATACTOR_ID = "en_T6N"
    strings:
        /* RedDelta Custom RC4 Implementation (from RC4)
        8B 8D E0 FB FF FF mov ecx, [ebp+var_420]
        89 F2                mov edx, esi
        32 54 3B 08          xor dl, [ebx+edi+8]
        0F BE D2            movsx edx, dl
        E8 E7 C5 FF FF      call sub_6DB03E5C
        89 85 E0 FB FF FF mov [ebp+var_420], eax
        89 F8                mov eax, edi
        83 C0 01          add eax, 1
        89 C7                mov edi, eax
        0F 81 8E FE FF FF jno loc_6DB07716 */
        $s1 = { 8B 8D E0 FB FF FF 89 F2 32 54 3B 08 0F BE D2 E8 ?? ?? ?? ?? 89 85 E0 FB FF FF 89 F8 83 C0 01 89 C7 0F }
    condition:
        (uint16 (0) == 0x5a4d) and $s1
}

rule APT_CN_RedDelta_Nim_Loader_Aug24 {
    meta:
        author = "MGUT, Insikt Group, Recorded Future"
        date = "2024-09-06"
        description = "Detects RedDelta MSI files used to load PlugX via DLL hijacking"
        version = "1.0"
        hash = "49c32f39d420b836a2850401c134fece4946f440c535d4813362948c2de3996f"
        hash = "c5aa22163eb302ef72c553015ae78f1efe79e0167acad10047b0b25844087205"
        RF_THREATACTOR = "RedDelta"
        RF_THREATACTOR_ID = "en_T6N"
    strings:
        $func = "winimConverterVarObjectToPtrObject"
    condition:
        uint16be(0) == 0x4d5a and filesize < 500KB and pe.number_of_exports == 2 and pe.exports("HidD_GetHidGuid") and pe.exports("NimMain") and $func
}
YARA rule to detect MSI executables used to load PlugX:
rule APT_CN_RedDelta_MSI_Aug24 {
    meta:
        author = "MGUT, Insikt Group, Recorded Future"
        date = "2024-09-06"
        description = "Detects RedDelta MSI files used to load PlugX via DLL hijacking"
        version = "1.0"
        hash = "30fbf917d0a510b8dac3bacb0f4948f9d55bbfb0fa960b07f0af20ba4f18fc19"
        hash = "2d884fd8cfa585adec7407059064672d06a6f4bdc28cf4893c01262ef15ddb99"
        RF_THREATACTOR = "RedDelta"
        RF_THREATACTOR_ID = "en_T6N"
    strings:
        $s1 = "TARGETDIR[%LOCALAPPDATA]"
        $s2 = "\\LDeviceDetectionHelper.exe"
        $s3 = "hid.dll"
    condition:
        uint32be(0) == 0xd0cf11e0 and all of them
}
YARA rule to detect LNK files used to load PlugX (applies to infection chain from 2023):
rule APT_CN_RedDelta_LNK_Oct23 {
    meta:
        author = "Mkelly, Insikt Group, Recorded Future"
        date = "2023-10-13"
        description = "Detects RedDelta LNK files used to retrieve and install .msi files via Powershell"
        version = "1.0"
        hash = "a0a3eeb6973f12fe61e6e90fe5fe8e406a8e00b31b1511a0dfe9a88109d0d129"
        hash = "74f3101e869cedb3fc6608baa21f91290bb3db41c4260efe86f9aeb7279f18a1"
        RF_THREATACTOR = "RedDelta"
        RF_THREATACTOR_ID = "en_T6N"
    strings:
        $s1 = "install.InstallProduct"
        wide $s2 = "install=New-Object"
        wide $s3 = "install.uilevel = 2"
        wide $s4 = "REMOVE=ALL"
    condition:
        uint16(0) == 0x004c and filesize < 5MB and 3 of them
}

IOC

Domains

abecopiers[.]com
alicevivianny[.]com
aljazddra[.]com
alphadawgrecords[.]com
alvinclayman[.]com
antioxidantsnews[.]com
armzrace[.]com
artbykathrynmorin[.]com
atasensors[.]com
bkller[.]com
bonuscuk[.]com
bramjtop[.]com
buyinginfo[.]org
calgarycarfinancing[.]com
comparetextbook[.]com
conflictaslesson[.]com
councilofwizards[.]com
crappienews[.]com
createcopilot[.]com
cuanhuaanbinh[.]com
dmfarmnews[.]com
electrictulsa[.]com
elevateecom[.]com
epsross[.]com
erpdown[.]com
estmongolia[.]com
financialextremed[.]com
finasterideanswers[.]com
flaworkcomp[.]com
flfprlkgpppg[.]shop
getfiledown[.]com
getupdates[.]net
glassdoog[.]org
globaleyenews[.]com
goclamdep[.]net
goodrapp[.]com
gulfesolutions[.]com
hajjnewsbd[.]com
hisnhershealthynhappy[.]com
homeimageidea[.]com
howtotopics[.]com
importsmall[.]com
indiinfo[.]com
infotechtelecom[.]com
inhller[.]com
instalaymantiene[.]com
iplanforamerica[.]com
irprofiles[.]com
itduniversity[.]com
ivibers[.]com
jorzineonline[.]com
kelownahomerenovations[.]com
kentscaffolders[.]com
kerrvillehomeschoolers[.]com
kxmmcdmnb[.]online
lebohdc[.]com
linkonmarketing[.]com
loginge[.]com
lokjopppkuimlpo[.]shop
londonisthereason[.]com
looksnews[.]com
maineasce[.]com
meetviberapi[.]com
mexicoglobaluniversity[.]com
mobilefiledownload[.]com
mojhaloton[.]com
mongolianshipregistrar[.]com
mrytlebeachinfo[.]com
myynzl[.]com
newslandtoday[.]net
normalverkehr[.]com
nymsportsmen[.]com
oncalltechnical[.]com
onmnews[.]com
pgfabrics[.]com
pinaylizzie[.]com
profilepimpz[.]com
quickoffice360[.]com
redactnews[.]com
reformporta[.]com
richwoodgrill[.]com
riversidebreakingnews[.]com
rpcgenetics[.]com
sangkayrealnews[.]com
shreyaninfotech[.]com
smldatacenter[.]com
spencerinfo[.]net
starlightstar[.]com
tasensors[.]com
techoilproducts[.]com
thelocaltribe[.]com
tigermm[.]com
tigernewsmedia[.]com
tophooks[.]org
truckingaccidentattorneyblog[.]com
truff-evadee[.]com
tychonews[.]com
unixhonpo[.]com
usedownload[.]com
vanessalove[.]com
versaillesinfo[.]com
vopaklatinamerica[.]com
windowsfiledownload[.]com
xxmodkiufnsw[.]shop
365officemail[.]com
7gzi[.]com

Additional Staging Domains

https[:]//getfiledown[.]com/utdkt https[:]//versaillesinfo[.]com/brjwcabz
https[:]//lifeyomi[.]com/trkziu
https[:]//lebohdc[.]com/uleuodmm
https[:]//cdn7s65[.]z13[.]web[.]core[.]windows[.]net
https[:]//edupro4[.]z13[.]web[.]core[.]windows[.]net
https[:]//elevateecom[.]com/deqcehfg
https[:]//vabercoach[.]com/uenic
https[:]//artbykathrynmorin[.]com/lczjnmum

RedDelta Administration Servers

115.61.168[.]143
115.61.168[.]170
115.61.168[.]229
115.61.169[.]139
115.61.170[.]105
115.61.170[.]70
182.114.108[.]91
182.114.108[.]93
182.114.110[.]11
182.114.110[.]170

RedDelta C2 Servers (October–December 2024)

103.79.120[.]92
45.83.236[.]105
116.206.178[.]67
45.133.239[.]183
116.206.178[.]68
103.238.225[.]248
45.133.239[.]21
103.238.227[.]183
103.107.104[.]37
107.148.32[.]206
167.179.100[.]144
116.206.178[.]34
149.104.2[.]160
207.246.106[.]38
45.76.132[.]25
155.138.203[.]78
144.76.60[.]136
38.180.75[.]197
107.155.56[.]15
107.155.56[.]87
202.91.36[.]213
107.155.56[.]4
149.104.12[.]64
154.205.136[.]105
223.26.52[.]208
45.128.153[.]73
96.43.101[.]245
45.135.119[.]132
161.97.107[.]93
103.107.105[.]81
103.107.104[.]4
103.107.104[.]57
154.90.47[.]123
147.78.12[.]202

Original link: https://go.recordedfuture.com/hubfs/reports/cta-cn-2025-0109.pdf

FunkSec – Alleged Top Ransomware Group Powered by AI

Summary

The FunkSec ransomware group emerged in late 2024, quickly gaining notoriety for its aggressive tactics and high victim count, boasting over 85 victims in a single month. While their victim count is high, the group largely comprises inexperienced actors with potentially inflated numbers due to including recycled data from past hacktivist campaigns. Notably, the group uses AI in its operations, using AI-assisted malware development and an AI chatbot on the Miniapps platform for support. FunkSec displays characteristics of both hacktivist and cybercriminal activity, making their motives difficult to discern. Geographically, their activities and victims are concentrated in the United States and India. The group’s tools and low ransom demands, often as low as $10,000, have drawn attention in cybercrime forums.

Technical Details

  • Double extortion: The group employs double extortion tactics, stealing data before encrypting it to leverage both data exposure and system disruption for ransom payments.
  • Ransomware-as-a-Service (RaaS): FunkSec offers its ransomware as a service, indicating potential expansion and broader impact.
  • AI-assisted malware: The group leverages AI for malware development, resulting in rapid iteration of their custom encryptor.
  • Custom Encryptor: The encryptor is written in Rust and utilizes a combination of RSA and AES encryption. It targets files in the C:\ directory, appends the “.funksec” extension to encrypted files, and generates a “readme.me” ransom note. It also modifies the system environment, changing the desktop background to black.
  • Antivirus Evasion: FunkSec’s ransomware boasts a low detection rate by antivirus engines, highlighting its effectiveness in bypassing traditional security measures.
  • DDoS Tool: The group utilizes the “Scorpion DDoS Tool,” a Python-based tool designed for conducting Distributed Denial-of-Service (DDoS) attacks using HTTP or UDP flood methods.
  • HVNC Tool: FunkSec uses “JQRAXY_HVNC,” a C++ program for remote desktop management, automation, and data interaction.
  • Password Generation and Scraping Tool: They have a tool called “funkgenerate” that scrapes emails and passwords from URLs and generates new password suggestions.

Recommendations

  • Endpoint Protection: Implementing robust endpoint protection solutions is crucial to defend against FunkSec’s ransomware and prevent data compromise.

Hunting methods

No hunting methods are provided.

IOC

File Hashes:
c233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c
66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd
dcf536edd67a98868759f4e72bcbd1f4404c70048a2a3257e77d8af06cb036ac
b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb
5226ea8e0f516565ba825a1bbed10020982c16414750237068b602c5b4ac6abd
e622f3b743c7fc0a011b07a2e656aa2b5e50a4876721bcf1f405d582ca4cda22
20ed21bfdb7aa970b12e7368eba8e26a711752f1cc5416b6fd6629d0e2a44e5d
dd15ce869aa79884753e3baad19b0437075202be86268b84f3ec2303e1ecd966
7e223a685d5324491bcacf3127869f9f3ec5d5100c5e7cb5af45a227e6ab4603

Original link: https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/

PHP Servers Vulnerability Exploited To Inject PacketCrypt Cryptocurrency Miner

Summary

A vulnerability, potentially CVE-2024-4577, is being exploited on PHP servers running a PHP CGI script. The vulnerability allows attackers to execute arbitrary code via the PHP-CGI process. Attackers are leveraging this vulnerability to inject cryptocurrency miners into vulnerable servers. The attack begins with exploiting a command injection flaw to download a malicious executable named “dr0p.exe”. This executable then downloads another executable “pkt1.exe”, which in turn launches the cryptocurrency miner, “packetcrypt.exe”. The cryptocurrency being mined is PacketCrypt Classic (PKTC), a legacy proof-of-work coin.

Technical Details

  • Exploit Chain: The attack chain starts with exploiting a vulnerability (possibly CVE-2024-4577). It downloads dr0p.exe, which further downloads pkt1.exe, finally launching packetcrypt.exe for mining PKTC.
  • Command Injection: The vulnerability allows for command injection through PHP’s system() function.
  • Bypassing SSL: The attack includes bypassing SSL certificate verification while downloading malicious files.
  • Cryptocurrency Mining: The ultimate goal is to install a cryptocurrency miner on the vulnerable server to mine PKTC.
  • Downloader: The initial executable, dr0p.exe, functions as a downloader to fetch additional malicious components.
  • Exploitation of PHP-CGI: The attack likely targets servers running PHP CGI scripts that are publicly accessible.

Recommendations

  • Regular Patching: Regular security patching of web servers is crucial to mitigate such vulnerabilities.
  • Auditing: Regular security audits can help identify and address vulnerabilities and misconfigurations.
  • Patching CVE-2024-4577: PHP released patches for this vulnerability on June 6, 2024.

Hunting methods

DeviceProcessEvents
| where InitiatingProcessFileName == 'php-cgi.exe' //and FileName == 'cmd.exe'
| where InitiatingProcessCommandLine has_all ('allow_url_include=1', 'auto_prepend_file=php://input')
| join 
(
DeviceNetworkEvents
| where ActionType == 'InboundConnectionAccepted'
| where LocalIPType != 'Private'
) on DeviceId
| where datetime_diff('second', Timestamp, Timestamp1) between (-10 .. 10)
| summarize arg_min(Timestamp, Timestamp, ReportId, ReportId), tostring(make_set(FileName, 20)), tostring(make_set(ProcessCommandLine, 20)), tostring(make_set(LocalIP, 20)), tostring(make_set(InitiatingProcessFileName, 20)), InitiatingProcessCommandLines = tostring(make_set(InitiatingProcessCommandLine, 20)), tostring(make_set(InitiatingProcessParentFileName, 20)), EventReferences_CPE = make_set(strcat("DeviceProcessEvents: ", ReportId), 20), EventReferences_NCE = make_set(strcat("DeviceNetworkEvents: ", ReportId1), 20) by DeviceId
| extend EventReferences = set_union(EventReferences_CPE, EventReferences_NCE)
| project-away EventReferences_CPE, EventReferences_NCE

IOC

IP Address:
23.27.51.244

PKT Classic Wallet Address:
pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a

File Hashes:
e3d0c31608917c0d7184c220d2510848f6267952c38f86926b15fb53d07bd562
d078d8690446e831acc794ee2df5dfabcc5299493e7198993149e3c0c33ccb36
717fe92a00ab25cae8a46265293e3d1f25b2326ecd31406e7a2821853c64d397

Original link: https://gbhackers.com/php-vulnerability-packetcrypt-mining/

Transaction Simulation Spoofing: A New Threat in Web3

Summary

Transaction Simulation Spoofing is a new attack vector targeting Web3 wallets. Attackers exploit the transaction simulation feature, which allows users to preview transactions before signing, by manipulating on-chain states during the simulation-execution time gap. This leads to a discrepancy between what users see in the simulation and the actual transaction outcome. In one incident, a user lost 143.45 ETH, approximately $463,895, after a phishing site manipulated the contract state. The user signed a transaction after a 30-second delay from the initial state change, resulting in complete wallet drainage despite a seemingly legitimate simulation.

Technical Details

  • Exploitation of Time Gap: The attack hinges on the time difference between transaction simulation and execution. This window allows attackers to modify the contract state without the user’s knowledge.
  • State Manipulation: Phishing sites can interact with smart contracts to alter their state, presenting a deceptive view during simulation.
  • Exploitation of User Trust: The attack leverages user trust in the simulation feature, which is designed to enhance transparency and security.

Recommendations

  • Dynamic Simulation Refresh: Web3 wallets should dynamically adjust the simulation refresh rate based on blockchain block times to ensure accuracy.
  • Forced Refresh: Force a simulation refresh before critical operations, such as signing a transaction.
  • Timestamp and Block Height Display: Wallets should display timestamps and block heights for simulation results to raise user awareness of potential discrepancies.
  • Expiration Warnings: Prominent warnings for simulation results exceeding a specific threshold should be implemented.
  • Phishing Contract Blocklist: Integrate blocklists from security service providers to prevent interactions with known malicious contracts.
  • Real-time Security Checks: Implement real-time checks for contract addresses to identify suspicious activity.
  • Risk Warnings: Display clear and prominent risk warnings for interactions with suspicious contracts.
  • Time-Sensitivity Emphasis: Clearly highlight the time-sensitive nature of simulation results.
  • Additional Confirmation Steps: Implement extra confirmation steps for high-risk operations.
  • Enhanced Risk Analysis: Provide more comprehensive transaction risk analysis information to users.
  • Simplified Security Alerts: Improve user attention by simplifying the presentation of security alerts.
  • Transaction Detail Verification: Users should double-check transaction details thoroughly before signing.
  • Independent Contract Verification: Verify all contract interactions through independent sources.
  • Skepticism towards “Free Claim” Offers: Maintain a healthy skepticism toward offers that seem too good to be true.
  • Use Trusted dApps: Stick to trusted and verified decentralized applications (dApps).
  • Security Tool Usage: Consider using security tools like the ScamSniffer extension for added protection.

Original Link: https://drops.scamsniffer.io/transaction-simulation-spoofing-a-new-threat-in-web3/