News

Water Labbu Hack Group Hacks Cryptocurrency Scam Sites

Researchers have again found a funny example of how hackers can attack other hackers: a hacking group known as Water Labbu hacks cryptocurrency scam sites and injects malicious JavaScript into the code that steals funds from scam victims.

Let me remind you that we also talked about, for example, that Hackers Attacked the British Company South Staffordshire Water, but Mistakenly Demanded Money from Another One, and also that Hackers Pretend to Be Journalists to Gain Access to Information.

Hack band Water Labbu
Hacked scam site

This summer, the FBI warned of a scam using dApps (decentralized applications) that pretend to be cryptocurrency services that allegedly mine liquidity, but in fact steal crypto investments of naive users.

As Trend Micro experts have now discovered, the operators of fraudulent dApp sites have themselves become victims of hackers. The Water Labbu hacker group parasitizes on such resources, which finds “decentralized applications” on the network and injects malicious scripts into their websites.

Hack band Water Labbu
Attack scheme

In one of the cases we analyzed, Water Labbu implemented an IMG tag to load a Base64 encoded JavaScript payload using the onerror event, allowing them to bypass XSS filters. The injected payload then created another script, which downloaded a third script from the tmpmeta[.]com server.the researchers write.

The final script tracks recently connected TetherUSD and Ethereum wallets on fraudulent sites, and then extracts their addresses and balances. If the balance exceeds 0.005 ETH or 22,000 USDT, the target is suitable for a Water Labbu attack.

Hack band Water Labbu
Script that collects balances of connected wallets

Initially, the script determines whether the target is running on Windows or on a mobile OS (Android, iOS). If the victim is using a mobile device, the malicious script sends them a request to confirm the transaction through the dApp site, giving the impression that it came from the fraudulent resource itself. If the recipient confirms the transaction, the script will empty their wallet and transfer all funds to an address owned by Water Labbu operators.

Hack band Water Labbu

If the victim is using Windows, the compromised sites will instead display a fake Flash Player update notification overlaid directly on the fraudulent site. This “Flash installer” is actually a backdoor downloaded directly from GitHub. Attackers use this malware in the same way to steal cryptocurrencies and cookies from target devices.

The researchers summarize that, unfortunately, for the victims, the result is the same in any case: they lose their funds, only the cryptocurrency ends up in the pockets of other hackers. Experts remind you that you should always carefully check any dApp sites, and especially liquidity mining platforms, and not connect your wallet to suspicious resources.
Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Sending

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button