News

Water Labbu Hack Group Hacks Cryptocurrency Scam Sites

Researchers have again found a funny example of how hackers can attack other hackers: a hacking group known as Water Labbu hacks cryptocurrency scam sites and injects malicious JavaScript into the code that steals funds from scam victims.

Let me remind you that we also talked about, for example, that Hackers Attacked the British Company South Staffordshire Water, but Mistakenly Demanded Money from Another One, and also that Hackers Pretend to Be Journalists to Gain Access to Information.


Hacked scam site

This summer, the FBI warned of a scam using dApps (decentralized applications) that pretend to be cryptocurrency services that allegedly mine liquidity, but in fact steal crypto investments of naive users.

As Trend Micro experts have now discovered, the operators of fraudulent dApp sites have themselves become victims of hackers. The Water Labbu hacker group parasitizes on such resources, which finds “decentralized applications” on the network and injects malicious scripts into their websites.


Attack scheme

In one of the cases we analyzed, Water Labbu implemented an IMG tag to load a Base64 encoded JavaScript payload using the onerror event, allowing them to bypass XSS filters. The injected payload then created another script, which downloaded a third script from the tmpmeta[.]com server.the researchers write.

The final script tracks recently connected TetherUSD and Ethereum wallets on fraudulent sites, and then extracts their addresses and balances. If the balance exceeds 0.005 ETH or 22,000 USDT, the target is suitable for a Water Labbu attack.


Script that collects balances of connected wallets

Initially, the script determines whether the target is running on Windows or on a mobile OS (Android, iOS). If the victim is using a mobile device, the malicious script sends them a request to confirm the transaction through the dApp site, giving the impression that it came from the fraudulent resource itself. If the recipient confirms the transaction, the script will empty their wallet and transfer all funds to an address owned by Water Labbu operators.

If the victim is using Windows, the compromised sites will instead display a fake Flash Player update notification overlaid directly on the fraudulent site. This “Flash installer” is actually a backdoor downloaded directly from GitHub. Attackers use this malware in the same way to steal cryptocurrencies and cookies from target devices.

The researchers summarize that, unfortunately, for the victims, the result is the same in any case: they lose their funds, only the cryptocurrency ends up in the pockets of other hackers. Experts remind you that you should always carefully check any dApp sites, and especially liquidity mining platforms, and not connect your wallet to suspicious resources.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove News-bpudepi.today pop-up ads (Virus Removal Guide)

News-bpudepi.today is a domain that tries to trick you into subscribing to its browser notifications…

1 day ago

Remove Doguhtam.xyz pop-up ads (Virus Removal Guide)

Doguhtam.xyz is a site that tries to trick you into subscribing to its browser notifications…

1 day ago

Remove News-xlixoti pop-up ads (Virus Removal Guide)

News-xlixoti.com is a site that tries to force you into subscribing to its browser notifications…

1 day ago

Remove Ducesousightion pop-up ads (Virus Removal Guide)

Ducesousightion.com is a domain that tries to trick you into clik to its browser notifications…

1 day ago

Remove News-xlabica.live pop-up ads (Virus Removal Guide)

News-xlabica.live is a domain that tries to trick you into clik to its browser notifications…

1 day ago

Remove Mergechain.co.in pop-up ads (Virus Removal Guide)

Mergechain.co.in is a site that tries to trick you into subscribing to its browser notifications…

1 day ago