October 5, 2022

A threat group called ‘Water Labbu’ hacks into cryptocurrency scam sites to hijack transactions and steal money from the fraudster’s victims.

Hackers pose as dApps, decentralized applications known to offer liquidity mining services to steal from victims. Instead of creating their own scam sites, Water Labbu hack into the scam dApp websites and inject JavaScript code into the website’s HTML.

Once victims connect their wallet to the fake dApp, Water Labbu’s script detects if it contains many cryptocurrencies, and if so, it attempts to steal using multiple methods.

“In one of the cases we analyzed, Water Labbu injected an IMG tag to load a Base64-encoded JavaScript payload using the “onerror” event, in what is known as an XSS evasion technique to bypass Cross-Site Scripting (XSS) filters. The injected payload then creates another script element that loads another script from the delivery server tmpmeta [.] com,” Trend Micro’s report states.

The script used by the attacker monitors newly connected wallets on the scam sites. It also retrieves the address and accounts of TetherUSD and Ethereum wallets. Once the account balance is above 0.005 ETH or 22,000 USDT, the target is valid for Water Labbu, and the script then determines whether the victim is using Windows or a mobile OS (Android, iOS).

If the victim agrees to the transaction, the malicious script will empty the wallet of its funds and send them to an address owned by Labbu.

To avoid this crypto scam, it is important that users research dApp websites, especially liquidity mining platforms, to see if they are legitimate before connecting their wallets to them.

The sources for this piece include an article in BleepingComputer.