Premint malicious code injection attack details analysis

On July 17, according to intelligence received by the SlowMist Zone, Premint was attacked by hackers. The SlowMist security team immediately analyzed the incident and issued an early warning.

This article is a contribution from Scam Sniffer, a partner of the SlowMist Zone. The analysis is as follows:

Attack Details

Opening any Premint project page shows a cdn.min.js script injected into the page. The call stack shows that this script is created by [boomerang.min.js](https://s3-redwood-labs.premint.xyz/theme/js/boomerang.min.js). The s3-redwood-labs-premint-xyz.com domain that served cdn.min.js has since stopped resolving and can no longer be reached.

A Whois lookup shows that the domain was registered through Tucows Domains Inc. on 2022-07-16.

On virustotal.com, the domain can be seen to have previously resolved to Cloudflare.

Looking at the page source, boomerang.min.js is a UI library used by Premint.

Since the JS is hosted under the s3-redwood-labs.premint.xyz domain, the likely explanations are:

  • A vulnerability in a file upload interface that allows any file to be written to any path (a common web vulnerability)
  • The attacker gained access to Premint's Amazon S3 bucket and was able to inject the malicious code there
  • The third-party library itself was tainted by a supply chain attack

Downloading the boomerang.min.js code shows normal library code at the front, with a block of obfuscated code appended at the end.

This appended code is responsible for injecting s3-redwood-labs-premint-xyz.com/cdn.min.js into the page.

Malicious code: cdn.min.js

From the code it can be roughly seen that the user's NFT asset list is queried through the dappradar.com API (we have previously seen malicious websites query user assets through the Debank and OpenSea APIs, among others).

If the user holds the relevant NFT assets:

Under the pretext of a "two-step wallet verification", the malicious code initiates a setApprovalForAll transaction that authorizes an address returned by the attacker's backend API (to raise the cost of having its addresses blocked, the attacker generally rotates them, keeping each address to roughly 200 transactions).

If the user clicks Approve, the script also calls a tracking endpoint to notify the attacker that someone has clicked.

If the user's address holds no NFT assets, the script instead tries to directly initiate a transaction transferring the ETH in the wallet.

In addition, this obfuscation style, with variable names beginning with _0xd289 / _0x, has also been seen on phishing websites such as play-otherside.org and thesaudisnfts.xyz.

In summary, the script initiates either setApprovalForAll or a direct ETH transfer depending on the user's assets, and includes anti-debugging checks to stop users from inspecting it with developer tools.

Prevention

So how can an ordinary user guard against this? At this stage, MetaMask's risk warning for the ERC-721 setApprovalForAll is far weaker than its warning for ERC-20 Approve.

Many new users cannot perceive the risk of this action, so as ordinary users we must be careful before granting authorization to the relevant addresses whenever we see an Approve-type transaction, and check whether those addresses' recent transactions look abnormal (for example, consisting entirely of safeTransferFrom calls). Avoid granting the wrong authorization!
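To make the check described above concrete, here is an added example (not code from Scam Sniffer, SlowMist or Premint) of how a wallet or browser extension could inspect a pending request before the Approve button is shown: decode the setApprovalForAll(address,bool) calldata, compare the operator against an allowlist of known marketplace operator contracts, apply the heuristic that an operator whose recent transactions are almost all safeTransferFrom looks like a drainer, and, anticipating the site allowlist idea raised later in this section, warn when the request comes from a site that is not a known trading site. The function selectors are the standard ERC-721 ones; the operator address, transaction history, both allowlists and the 80% threshold are constructed placeholders.

```javascript
// Added example (not Scam Sniffer's, SlowMist's or Premint's code): inspect a
// pending transaction request the way a wallet or extension could, before the
// user is shown the "Approve" button.

// 4-byte function selectors: the first 4 bytes of keccak256 of the signature.
const SELECTORS = {
  setApprovalForAll: "a22cb465", // setApprovalForAll(address,bool)
  safeTransferFrom: "42842e0e",  // safeTransferFrom(address,address,uint256)
};

// Example allowlist of origins where a blanket NFT approval is expected.
// Placeholder list for illustration; a real wallet would ship a curated one.
const KNOWN_TRADING_SITES = ["https://opensea.io"];

// Decode calldata for setApprovalForAll(address operator, bool approved).
// Returns null unless the calldata is a well-formed call to that function.
function decodeSetApprovalForAll(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64) return null;
  if (hex.slice(0, 8) !== SELECTORS.setApprovalForAll) return null;
  const operatorWord = hex.slice(8, 72);
  const approvedWord = hex.slice(72, 136);
  // ABI encoding: an address is 12 zero bytes followed by 20 address bytes;
  // a bool is 31 zero bytes followed by 0x00 or 0x01.
  if (!/^0{24}[0-9a-f]{40}$/.test(operatorWord)) return null;
  if (!/^0{63}[01]$/.test(approvedWord)) return null;
  return { operator: "0x" + operatorWord.slice(24), approved: approvedWord.endsWith("1") };
}

// Heuristic from the article: an operator whose recent transactions are
// (almost) all safeTransferFrom calls behaves like a drainer, not a market.
// `recentTxs` is a list of { selector } objects, e.g. from an explorer API.
function operatorLooksLikeDrainer(recentTxs, threshold = 0.8) {
  if (recentTxs.length === 0) return false;
  const transfers = recentTxs.filter(tx => tx.selector === SELECTORS.safeTransferFrom).length;
  return transfers / recentTxs.length >= threshold;
}

// Combine the checks into a list of human-readable risk flags.
function assessApprovalRequest({ data, pageOrigin, recentOperatorTxs, trustedOperators }) {
  const call = decodeSetApprovalForAll(data);
  if (!call) return { isApprovalForAll: false, flags: [] };
  const flags = [];
  if (call.approved) flags.push("grants transfer rights over the whole collection");
  if (!trustedOperators.includes(call.operator.toLowerCase())) flags.push("operator is not a known marketplace contract");
  if (!KNOWN_TRADING_SITES.includes(pageOrigin)) flags.push(`approval requested from non-trading site ${pageOrigin}`);
  if (operatorLooksLikeDrainer(recentOperatorTxs)) flags.push("operator's recent transactions are almost all safeTransferFrom");
  return { isApprovalForAll: true, ...call, flags };
}

// Constructed sample request (placeholder operator address, not a real one).
const SAMPLE_OPERATOR = "0x" + "ab".repeat(20);
const SAMPLE_CALLDATA =
  "0x" + SELECTORS.setApprovalForAll + "0".repeat(24) + SAMPLE_OPERATOR.slice(2) + "0".repeat(63) + "1";
const SAMPLE_OPERATOR_HISTORY = [
  ...Array.from({ length: 9 }, () => ({ selector: SELECTORS.safeTransferFrom })),
  { selector: SELECTORS.setApprovalForAll },
];

// Usage: assess a request coming from a non-trading page.
const sampleAssessment = assessApprovalRequest({
  data: SAMPLE_CALLDATA,
  pageOrigin: "https://premint.xyz",
  recentOperatorTxs: SAMPLE_OPERATOR_HISTORY,
  trustedOperators: [],
});
console.log(sampleAssessment.flags);
```

The decoder rejects anything that is not exactly one ABI-encoded address and one bool, so a malformed or padded payload is not misreported as a harmless call. The "grants transfer rights" flag stays on even for a trusted operator on a trading site, because that is precisely the property the user must consciously accept.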

This attack is quite similar to the earlier Coinzilla incident, in which ads were used to inject malicious code into Etherscan. Is it technically possible to prevent it?

In theory, if the behavior and characteristics of some malicious JS code are known, for example:

  • the code's obfuscation method
  • key signatures of the malicious code
  • anti-debugging behavior
  • calls to the OpenSea, Debank, DappRadar and similar APIs to query user assets

Using a library of these behavioral features, we can try to detect whether a page contains code with known malicious characteristics and flag the risk before the client web page initiates a transaction. Alternatively, a simple allowlist of common websites could be kept: when an authorization is initiated from a site that is not a known trading site, a sufficiently prominent risk warning is shown.
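As an added example of the detection approach sketched above (not code from Scam Sniffer or SlowMist), the following scan applies those indicators to script source text and adds the origin check this incident calls for: the legitimate library was served from s3-redwood-labs.premint.xyz, a subdomain of premint.xyz, while the injected cdn.min.js came from the lookalike s3-redwood-labs-premint-xyz.com, a different registrable domain. The indicator regexes, weights, thresholds and sample scripts are assumptions built for illustration; the suspicious sample is a handful of indicative strings, not the actual cdn.min.js.

```javascript
// Added example (not Scam Sniffer's or SlowMist's code): static indicator scan
// over script sources, plus an origin check for externally loaded scripts.

// Behavioral indicators listed in the article, each with an illustrative weight.
const INDICATORS = [
  { name: "obfuscated identifiers (_0x... style)", weight: 1, re: /\b_0x[0-9a-f]{4,}\b/i },
  { name: "anti-debugging (debugger statement)", weight: 2, re: /\bdebugger\b/ },
  { name: "wallet-asset lookup API (dappradar, opensea, debank)", weight: 2, re: /dappradar\.com|opensea\.io|debank\.com/i },
  { name: "blanket NFT approval (setApprovalForAll or selector a22cb465)", weight: 3, re: /setApprovalForAll|a22cb465/i },
];

// Score one script's source text. Thresholds are assumptions for the example.
function scanScript(source) {
  const hits = INDICATORS.filter(ind => ind.re.test(source));
  const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  const level = score >= 5 ? "high" : score >= 2 ? "medium" : "low";
  return { score, level, hits: hits.map(ind => ind.name) };
}

// True if `hostname` is one of the site's own hosts or a subdomain of one.
// A lookalike such as "example-com.net" deliberately fails this test.
function isFirstParty(hostname, firstPartyHosts) {
  return firstPartyHosts.some(h => hostname === h || hostname.endsWith("." + h));
}

// Scan every script on a page: content indicators plus a check that external
// scripts are loaded from the site's own hosts. `scripts` is [{ src, source }].
function scanPageScripts(scripts, firstPartyHosts) {
  return scripts.map(({ src, source }) => {
    const result = scanScript(source || "");
    const flags = [...result.hits];
    if (src) {
      const host = new URL(src).hostname;
      if (!isFirstParty(host, firstPartyHosts)) {
        flags.push(`loaded from third-party host ${host}`);
        // An unexpected script origin raises the level on its own.
        result.level = result.level === "low" ? "medium" : "high";
      }
    }
    return { src: src || "(inline)", ...result, flags };
  });
}

// Constructed sample inputs (not captured from the incident).
const BENIGN_SCRIPT = "function render(items) { for (const i of items) document.body.append(i); }";
const SUSPICIOUS_SCRIPT =
  "var _0xd289=['x','y'];debugger;fetch('https://api.dappradar.com/nfts');var m='setApprovalForAll';";
const FIRST_PARTY_HOSTS = ["premint.xyz"]; // s3-redwood-labs.premint.xyz is a subdomain of this
const SAMPLE_PAGE = [
  { src: "https://premint.xyz/static/app.js", source: BENIGN_SCRIPT },                 // constructed path
  { src: "https://s3-redwood-labs-premint-xyz.com/cdn.min.js", source: SUSPICIOUS_SCRIPT }, // domain from the article
];

// Usage: report on the constructed sample page.
const sampleReport = scanPageScripts(SAMPLE_PAGE, FIRST_PARTY_HOSTS);
for (const entry of sampleReport) console.log(entry.src, entry.level, entry.flags);
```

Content indicators alone produce false positives (a marketplace's own front end legitimately mentions setApprovalForAll and its own API), which is why the scan is combined with where the script was loaded from and, as in the previous example, with where the transaction is being requested from.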

Next, Scam Sniffer and the SlowMist security team will also explore how to prevent such attacks on the client side!

P.S. Thanks to the author, Scam Sniffer, for the excellent analysis!

Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/premint-malicious-code-injection-attack-details-analysis/