
Hackers from China's 'Mustang Panda' were Utilizing New 'Hodur' Malware


Mustang Panda (a.k.a. Temp.Hex, HoneyMyte, TA416 or RedDelta), a China-based advanced persistent threat (APT), has been tied to an ongoing cyberattack campaign that deploys a previously undocumented variant of the PlugX remote access trojan on compromised workstations, mostly in and around Southeast Asia. Because of its similarities to another PlugX (aka Korplug) variant called THOR, which surfaced in July 2021, the Slovak cybersecurity firm ESET named the new version Hodur.

Korplug is a widely used custom RAT that was documented in a 2020 investigation into Chinese hackers' activity against Australian targets. In the most recent known campaign, according to ESET, Mustang Panda uses phishing lures built around counterfeit documents to target European embassies, Internet service providers (ISPs) and research institutes. "Anti-analysis measures and control-flow obfuscation are used at every level of the deployment process," the firm said.

Hodur is based on PlugX, a remote access tool that "allows remote users to steal data or take control of impacted systems without authorization. It can copy, move, rename, execute, and delete files, as well as log keystrokes and fingerprint the infected system." Whichever phishing lure is used, the infection chain ends with the Hodur backdoor deployed on the compromised Windows host.

As noted above, the campaign starts simply, with the group phishing its targets using current events. Last month Proofpoint observed it using a NATO diplomat's email address to send out .ZIP and .EXE files labeled "Situation at the EU Borders with Ukraine". If a victim takes the bait, a legitimate, properly signed executable that is susceptible to DLL search-order hijacking is delivered; the malicious DLL placed alongside it is what the signed binary ends up loading. Russia, Greece, Cyprus, South Africa, Vietnam, Mongolia, Myanmar, and South Sudan are among the countries targeted in this campaign.

ESET says it has sampled sophisticated custom loaders as well as new Korplug (Hodur) builds that still rely on DLL side-loading but use considerably more robust obfuscation and anti-analysis techniques across the infection chain. The custom DLL loader is side-loaded by a digitally signed, genuine executable, in this case a SmadAV file, abusing a known flaw in how that executable resolves its DLLs. All of the loader's many exported functions are decoys except one, which loads the new Korplug variant.
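The side-loading layout described above (a signed executable that resolves a DLL name from its own directory before the system directories) leaves a recognisable trace in image-load telemetry. The following Python is an added example, not code from ESET or from the report, showing the check a detection engineer would run over Sysmon Event ID 7 (image loaded) records: flag a DLL that is unsigned and loaded from the same user-writable folder as the process executable, or a well-known system DLL name that resolved outside System32. The records, executable and DLL names and paths are constructed for the example, and the hijack-name list is an illustrative sample, not a complete one.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Directories a standard user can write to; an unsigned DLL loaded from here
# alongside the process image is the classic side-loading layout.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Illustrative sample of system DLL names that are often planted next to an
# executable to hijack its search order (assumption: not a complete list).
COMMON_HIJACK_NAMES = {"version.dll", "cryptbase.dll", "dwmapi.dll", "wtsapi32.dll"}

# Constructed Sysmon Event ID 7 (Image loaded) records. Executable and DLL
# names and paths are hypothetical, not indicators from the ESET report.
SAMPLE_EVENTS = r"""<Events>
<Event><EventData>
  <Data Name="Image">C:\Users\victim\Downloads\EU_Borders\SmadavProtect32.exe</Data>
  <Data Name="ImageLoaded">C:\Users\victim\Downloads\EU_Borders\sysmsgr.dll</Data>
  <Data Name="Signed">false</Data>
  <Data Name="Signature">-</Data>
</EventData></Event>
<Event><EventData>
  <Data Name="Image">C:\Users\victim\Downloads\EU_Borders\SmadavProtect32.exe</Data>
  <Data Name="ImageLoaded">C:\Windows\System32\kernel32.dll</Data>
  <Data Name="Signed">true</Data>
  <Data Name="Signature">Microsoft Windows</Data>
</EventData></Event>
<Event><EventData>
  <Data Name="Image">C:\Program Files\Vendor\app.exe</Data>
  <Data Name="ImageLoaded">C:\Program Files\Vendor\helper.dll</Data>
  <Data Name="Signed">true</Data>
  <Data Name="Signature">Vendor Inc</Data>
</EventData></Event>
<Event><EventData>
  <Data Name="Image">C:\Users\victim\Downloads\EU_Borders\SmadavProtect32.exe</Data>
  <Data Name="ImageLoaded">C:\Users\victim\Downloads\EU_Borders\version.dll</Data>
  <Data Name="Signed">false</Data>
  <Data Name="Signature">-</Data>
</EventData></Event>
</Events>"""


def parse_image_loads(xml_text):
    """Return one {field: value} dict per <Event> in Sysmon-style XML."""
    root = ET.fromstring(xml_text)
    return [{d.get("Name"): (d.text or "") for d in ev.iter("Data")}
            for ev in root.iter("Event")]


def classify(ev):
    """Return a reason string if the image-load record looks like side-loading, else None."""
    image = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    dll_dir = str(dll.parent).lower()
    same_dir = dll_dir == str(image.parent).lower()
    signed = ev.get("Signed", "").lower() == "true"
    writable = dll_dir.startswith(USER_WRITABLE_PREFIXES)

    # A system DLL name that did not come from System32/SysWOW64 means the
    # loader found a planted copy earlier in the search order.
    if dll.name.lower() in COMMON_HIJACK_NAMES and dll_dir not in SYSTEM_DIRS:
        return "system DLL name resolved outside System32 (search-order hijack)"
    # Unsigned code pulled from the executable's own user-writable folder.
    if not signed and same_dir and writable:
        return "unsigned DLL side-loaded from the executable's own user-writable directory"
    return None


def find_sideloads(xml_text):
    """Run classify() over every record and collect the hits."""
    findings = []
    for ev in parse_image_loads(xml_text):
        reason = classify(ev)
        if reason:
            findings.append({"image": ev["Image"], "dll": ev["ImageLoaded"], "reason": reason})
    return findings


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"{hit['image']} -> {hit['dll']}: {hit['reason']}")
```

Against the constructed records the check reports two hits (the unsigned DLL next to the signed executable, and the planted version.dll) and stays silent on kernel32.dll from System32 and on a signed vendor DLL under Program Files. In production the same logic would read the Sysmon channel rather than an inline string, and the signature check should also compare the signer of the DLL with the signer of the executable, since a validly signed but unrelated DLL next to a signed binary is the same pattern.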

Since this is a Chinese actor with a history of pursuing political espionage, the scope of its targeting is likely to stay consistent.

THORChain Suffers Another Major Hack Totaling $8M


The popular cross-chain liquidity exchange THORChain has been hit by another exploit, this time costing around $8 million, its second security breach in two weeks.

After the hack, THORChain tweeted that it had suffered a "sophisticated attack" on its ETH router, with nearly $8 million stolen.

“THORChain has suffered a sophisticated attack on the ETH Router, around $8m. Hacker deliberately limited their impact, seemingly a Whitehat. ETH will be halted until it can be peer-reviewed with audit partners, as a priority. LPs in the ERC-20 pools will be subsidized,” THORChain tweeted.

The ETH router is the contract that handles the movement of Ethereum-based tokens into and out of THORChain's cross-chain decentralized exchange.

“The Whitehat requested a 10% bounty – which will be awarded if they reach out, and they should be encouraged to do so.”

The attacker warned that they had discovered "multiple critical issues" and could have done much greater damage, such as draining large amounts of Bitcoin, Binance Coin, Lycan coin, and many other cryptocurrencies.

Just seven days earlier, THORChain had suffered another multi-million-dollar breach. The loss was initially estimated at about 13,000 ETH (around $25 million). That figure was later revised on Twitter, with the project stating, "At this stage, the estimate is around ~4000 ETH worth of assets (ETH/ERC20) was taken, not 13k ETH. More detailed assessment and recovery steps will be announced soon. The users who suffered (LPs) will be made whole in the coming weeks."

Following last week's hack, THORChain said it was working with multiple blockchain security companies to audit the network for vulnerabilities. The DeFi protocol said its treasury has the funds to compensate all victims and asked the hackers to get in touch.

“While the treasury has the funds to cover the stolen amount, we request the attacker get in contact with the team to discuss the return of funds and a bounty commensurate with the discovery,” THORChain added.

THORChain, now with a market capitalization of $841 million, was founded in 2018 and is a decentralized liquidity protocol for swapping native assets between different blockchains. The cross-chain decentralized exchange said it would restart its network, donate funds into the ETH pool to restore the lost liquidity, release an automatic solvency checker, and work with security firms on audits.
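Both THORChain posts on this page mention halting a chain until an issue is understood and releasing an automatic solvency checker. As an added illustration (not THORChain's code; the asset names, balances and tolerance are assumed), the following Python shows what such a check does: reconcile the balance the network's own ledger says each vault holds against the balance actually observed on the external chain, and halt any chain whose shortfall exceeds a small tolerance for gas dust and rounding. An exploit that gets the network to credit deposits that never arrived shows up exactly as such a shortfall.

```python
from dataclasses import dataclass

# Hypothetical tolerance: a shortfall of up to 0.5% of the ledger amount is
# treated as gas dust / rounding rather than insolvency.
DEFAULT_TOLERANCE_BPS = 50


@dataclass(frozen=True)
class AssetState:
    ledger: int    # what the network's accounting says the vault holds (base units)
    observed: int  # what the vault actually holds on the external chain (base units)


# Constructed example balances in each asset's base unit (wei, satoshi, ...).
# Asset keys follow a CHAIN.ASSET convention assumed for this example.
SAMPLE_STATES = {
    "ETH.ETH":  AssetState(ledger=10_000 * 10**18, observed=9_990 * 10**18),      # gas dust, fine
    "ETH.USDT": AssetState(ledger=5_000_000 * 10**6, observed=3_000_000 * 10**6),  # 40% missing
    "BTC.BTC":  AssetState(ledger=500 * 10**8, observed=500 * 10**8),              # exact
    "BNB.BNB":  AssetState(ledger=20_000 * 10**8, observed=20_050 * 10**8),        # surplus, fine
}


def solvency_report(states, tolerance_bps=DEFAULT_TOLERANCE_BPS):
    """Per-asset shortfall (ledger minus observed) and whether it breaches the tolerance.

    A negative shortfall (the vault holds more than the ledger expects) is never
    flagged: unexpected surplus is an accounting problem, not an insolvency.
    """
    report = {}
    for asset, st in states.items():
        shortfall = st.ledger - st.observed
        allowed = st.ledger * tolerance_bps // 10_000
        report[asset] = {"shortfall": shortfall, "insolvent": shortfall > allowed}
    return report


def chains_to_halt(states, tolerance_bps=DEFAULT_TOLERANCE_BPS):
    """Chains (the part before the dot in CHAIN.ASSET) with at least one insolvent asset.

    Halting is done per chain rather than per asset: one bad asset on a chain
    means that chain's deposit accounting cannot be trusted until reviewed.
    """
    report = solvency_report(states, tolerance_bps)
    return sorted({asset.split(".", 1)[0] for asset, r in report.items() if r["insolvent"]})


if __name__ == "__main__":
    for asset, r in solvency_report(SAMPLE_STATES).items():
        print(f"{asset:9} shortfall={r['shortfall']:>26} insolvent={r['insolvent']}")
    print("halt:", chains_to_halt(SAMPLE_STATES))
```

With the constructed balances only the ETH chain is halted: the ETH vault itself is within tolerance, but the USDT balance on that chain is 40% short, and a single untrustworthy asset is enough to stop deposits and swaps for the whole chain. A real checker would read the observed balances from each chain client and run on every block, and would treat a failure to observe a balance as a reason to halt, not as a zero shortfall.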

THORChain Suffers $7.6 Million Loss in Latest DeFi Exploit


The popular cross-chain liquidity exchange THORChain was compromised in a new DeFi hack in which $7.6 million was stolen, its second security breach in less than a month.

THORChain announced the security breach on Twitter and initially estimated the loss at about 13,000 ETH (around $25 million). That figure was later revised on Twitter, with the project stating, "At this stage, the estimate is around ~4000 ETH worth of assets (ETH/ERC20) was taken, not 13k ETH. More detailed assessment and recovery steps will be announced soon. The users who suffered (LPs) will be made whole in the coming weeks."

According to the project team, the attackers exploited a vulnerability in Bifrost, THORChain's chain-client layer (the component on each node that observes transactions on the connected chains and relays them into the network), which allowed them to redirect ETH to their own accounts. Bifrost's Ethereum client had recently been updated for better composability.

In the THORChain community Telegram channel, administrators said the project has the funds needed to cover users' stolen assets but would prefer the hacker to return the stolen funds in exchange for a bug bounty.

“While the treasury has the funds to cover the stolen amount, we request the attacker get in contact with the team to discuss return of funds and a bounty commensurate with the discovery,” a Telegram post stated, adding that user funds “will be available when the issue has been patched & the network resumes.”

As a precautionary measure, THORChain paused its network, with the team assuring users that only liquidity providers were affected. THORChain has since tweeted that a preliminary roadmap to recovery is underway: after the flaw is patched and the network is restarted, Ether will be donated to the liquidity provider pools to reimburse affected users. After that, the team plans to engage security firms to audit its contracts.

This is not the first time THORChain has been targeted by hackers: during its Chaosnet deployment it lost around $140,000 worth of assets over the previous month. At the time, the project had claimed it was "very mature and resilient."