Premint malicious code injection attack: detailed analysis

Attack details

Open any Premint project page and you can see a cdn.min.js injected into the page. The call stack shows that this script is injected by boomerang.min.js. The s3-redwood-labs-premint-xyz.com domain it is loaded from has since stopped resolving and can no longer be reached.

Checking WHOIS, the domain was registered on 2022-07-16 through Tucows Domains Inc.

On virustotal.com we can see that the domain previously resolved to Cloudflare.

If you open the page source, you can see that boomerang.min.js is a JavaScript library that Premint's own pages load.

The library is served from the s3-redwood-labs.premint.xyz domain, a Premint-controlled Amazon S3 origin. Note that the attacker's domain, s3-redwood-labs-premint-xyz.com, is that legitimate hostname with its dots replaced by hyphens, so it looks like the real origin at a glance in the call stack. How the modified library got onto the legitimate origin is not yet known; our guesses are:

  • a file-upload interface has a vulnerability that allows uploading an arbitrary file to an arbitrary path (a fairly common web vulnerability)
  • the attackers obtained access to the Amazon S3 bucket itself and used it to inject the malicious code
  • the third-party library was contaminated upstream by a supply chain attack

Download boomerang.min.js and you will see that the front part is the normal library code, but a piece of obfuscated code has been appended at the end.

This appended code is responsible for injecting s3-redwood-labs-premint-xyz.com/cdn.min.js into the page.

Malicious code cdn.min.js

From the code content we can see that it roughly works by calling the dappradar.com API to query the list of NFT assets held by the user's address (we have previously seen malicious sites query user assets through the DeBank and OpenSea APIs as well).

If the user holds relevant NFT assets:

The malicious code launches a setApprovalForAll transaction under the pretext of a "two-step wallet verification", asking the user to authorize the operator address returned by the attacker's back-end interface. (Attackers generally rotate through addresses, using each one for at most about 200 transactions, in order to increase the cost of blocking them.)

If the user clicks Approve, the code also calls a monitoring endpoint to notify the attacker that someone has signed.

When there are no NFT assets at the user's address, the code instead tries to initiate a direct transfer of the ETH in the wallet.

The variable names in this code are obfuscated (_0xd289 and other names starting with _0x), the same style we have seen on play-otherside.org, thesaudisnfts.xyz and other phishing sites.

In short: initiate setApprovalForAll or a direct ETH transfer depending on the user's assets, and prevent the user from debugging with developer tools.
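What actually reaches the wallet in both branches is an eth_sendTransaction request, and its calldata is enough to tell a "verification" from what it really does. The following is an added example, not the attacker's cdn.min.js and not Scam Sniffer's tooling: it builds the setApprovalForAll calldata the way a page would, decodes the raw request the wallet receives, and classifies it as the operator approval or the bare ETH transfer described above. The function selectors are the standard ERC-721/ERC-20 ones; the contract and operator addresses are constructed placeholders.

```javascript
// Added example, not the attacker's cdn.min.js and not Scam Sniffer's tooling.
// It decodes the raw eth_sendTransaction request a page hands to the wallet
// and classifies it: a setApprovalForAll that hands an operator control of
// every token, or a bare ETH transfer. Addresses are constructed placeholders.

// First 4 bytes of keccak256(signature) for the functions that matter here.
const SELECTORS = {
  '0xa22cb465': 'setApprovalForAll(address,bool)',
  '0x095ea7b3': 'approve(address,uint256)',
  '0x42842e0e': 'safeTransferFrom(address,address,uint256)',
  '0x23b872dd': 'transferFrom(address,address,uint256)',
};

// ABI helpers: each argument occupies one 32-byte word after the selector.
const pad32 = (hex) => hex.replace(/^0x/, '').toLowerCase().padStart(64, '0');
const word = (data, n) => data.slice(10 + n * 64, 10 + (n + 1) * 64);
const asAddress = (w) => '0x' + w.slice(24);
const asBool = (w) => BigInt('0x' + w) !== 0n;

// How the page builds the request it then presents as "wallet verification".
function encodeSetApprovalForAll(operator, approved) {
  return '0xa22cb465' + pad32(operator) + pad32(approved ? '1' : '0');
}

// Decide what happens if the user clicks Confirm on this transaction.
function classifyTx(tx) {
  const data = (tx.data || '0x').toLowerCase();
  const value = tx.value && tx.value !== '0x' ? BigInt(tx.value) : 0n;
  if (data.length < 10) {
    // No calldata: a plain value transfer, the fallback used when the
    // address held no NFTs.
    return value > 0n
      ? { kind: 'eth_transfer', to: tx.to, valueWei: value, risk: 'high' }
      : { kind: 'other', risk: 'low' };
  }
  const sig = SELECTORS[data.slice(0, 10)] || 'unknown';
  if (sig === 'setApprovalForAll(address,bool)') {
    const operator = asAddress(word(data, 0));
    const approved = asBool(word(data, 1));
    // approved=true lets `operator` call transferFrom on every token of this
    // collection; approved=false is a revocation and is harmless.
    return { kind: 'setApprovalForAll', contract: tx.to, operator, approved,
             risk: approved ? 'high' : 'low' };
  }
  if (sig === 'approve(address,uint256)') {
    return { kind: 'approve', contract: tx.to, spender: asAddress(word(data, 0)),
             amount: BigInt('0x' + word(data, 1)), risk: 'medium' };
  }
  return { kind: sig, contract: tx.to, risk: value > 0n ? 'medium' : 'low' };
}

// Turn a classification into the warning a wallet should show. A site that
// only wants to "verify" a wallet never needs an approval or a transfer.
function warningFor(c) {
  if (c.kind === 'setApprovalForAll' && c.approved) {
    return `Grants ${c.operator} control of ALL your tokens in ${c.contract}. ` +
           'No verification step needs this.';
  }
  if (c.kind === 'eth_transfer') {
    return `Sends ${c.valueWei} wei to ${c.to}. No verification step needs this.`;
  }
  return null;
}

// Constructed sample requests in the shape a page passes to window.ethereum.
const NFT_CONTRACT = '0x' + 'ab'.repeat(20);
const ATTACKER_OPERATOR = '0x' + '11'.repeat(20);
const SAMPLES = [
  { method: 'eth_sendTransaction',
    params: [{ to: NFT_CONTRACT, data: encodeSetApprovalForAll(ATTACKER_OPERATOR, true) }] },
  { method: 'eth_sendTransaction',
    params: [{ to: ATTACKER_OPERATOR, value: '0x2386f26fc10000', data: '0x' }] },
];
for (const req of SAMPLES) {
  const c = classifyTx(req.params[0]);
  console.log(c.kind, c.risk, warningFor(c));
}
```

The point of decoding rather than trusting the page's label is that the wallet prompt is the last place the user can still say no: the "two-step verification" text is the attacker's, the selector and the operator argument are not. The same decoder is also what you would use to audit the operator address by hand, as the prevention section below recommends.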

How to prevent

So how can an ordinary user prevent this? At this stage MetaMask's risk alert for the ERC-721 setApprovalForAll call is not as good as its alert for the ERC-20 approve call.

Many new users do not perceive the risk of this action. As ordinary users, whenever we see a transaction named approve or similar, we must open the address being authorized and check whether its recent transactions look abnormal (for example, a stream of safeTransferFrom calls draining tokens) before confirming, to avoid mis-authorization!

This attack is quite similar to the earlier attack on Etherscan, where malicious code was injected through Coinzilla advertisements. So is it technically possible to prevent?

Theoretically, yes, if the behaviour and characteristics of such malicious JS code are known:

  • the obfuscation method used on the code
  • key features of the malicious code
  • the code contains anti-debugging logic
  • it calls the OpenSea, DeBank, dappradar and other APIs to query user assets

Based on such a library of behavioural features of malicious code, we could try to detect the risk by checking whether the page contains code with known malicious features before the page initiates a transaction.

Or, more simply, set up an allowlist mechanism: ordinary websites that are not transaction-based sites should not be initiating authorizations at all, so when one does, show a sufficiently strong risk alert, and so on.
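The two ideas above, the feature scan and the allowlist, are straightforward to sketch for a wallet or browser extension. The following is an added example, not Scam Sniffer's detector: it scans the scripts on a page for the traits listed (obfuscated _0x identifiers, anti-debugging, calls to asset-lookup APIs, the approval-as-verification bait), adds a lookalike check on script hosts, and then decides whether an approval request from this origin should be allowed, warned about, or blocked. The script bodies and the allowlist are constructed samples; only the hostnames from the incident are real.

```javascript
// Added example, not Scam Sniffer's detector. Feature scan of page scripts
// plus an origin allowlist, deciding how to treat an approval request.
// Script bodies and the allowlist are constructed; hostnames are from the incident.

const TRUSTED_DOMAIN = 'premint.xyz';
const KNOWN_SCRIPT_HOSTS = ['s3-redwood-labs.premint.xyz'];
// Origins from which an approval request is expected at all (constructed list).
const APPROVAL_ALLOWLIST = ['https://opensea.io'];
// Hosts the payload family queries to learn what the victim holds.
const ASSET_APIS = ['dappradar.com', 'opensea.io', 'debank.com'];

const FEATURE_RULES = [
  // javascript-obfuscator style identifiers: _0x followed by hex digits.
  { name: 'obfuscated-identifiers', test: (s) => (s.match(/_0x[0-9a-f]{4,}/gi) || []).length >= 5 },
  { name: 'anti-debug', test: (s) => /\bdebugger\b|constructor\(["']debugger["']\)/.test(s) },
  { name: 'asset-api-lookup', test: (s) => ASSET_APIS.some((h) => s.includes(h)) },
  { name: 'approval-as-verification', test: (s) => /setApprovalForAll/.test(s) && /verif/i.test(s) },
];

// "s3-redwood-labs-premint-xyz.com" collapses to the same string as the real
// "s3-redwood-labs.premint.xyz" once dots and hyphens are dropped.
const squash = (host) => host.toLowerCase().replace(/[.-]/g, '');
function lookalikeOf(host) {
  host = host.toLowerCase();
  if (host === TRUSTED_DOMAIN || host.endsWith('.' + TRUSTED_DOMAIN)) return null;
  return KNOWN_SCRIPT_HOSTS.find((k) => squash(host).startsWith(squash(k))) || null;
}

// scripts: [{ src, text }] as collected from document.scripts plus fetched bodies.
function scanScripts(scripts) {
  const findings = [];
  for (const { src, text } of scripts) {
    let host = null;
    try { host = src ? new URL(src).hostname : null; } catch (e) { /* inline or bad URL */ }
    const mimics = host && lookalikeOf(host);
    if (mimics) findings.push({ src, feature: 'lookalike-host', detail: `mimics ${mimics}` });
    for (const rule of FEATURE_RULES) {
      if (rule.test(text || '')) findings.push({ src, feature: rule.name });
    }
  }
  return findings;
}

// Decision for an approval or transfer request arriving from `origin`.
function assessApprovalRequest(origin, scripts) {
  const findings = scanScripts(scripts);
  const allowlisted = APPROVAL_ALLOWLIST.includes(origin);
  let level = 'allow';
  if (!allowlisted) level = 'warn';           // a non-marketplace site asking for approval
  if (findings.length > 0) level = 'block';   // known-malicious traits present on the page
  return { level, allowlisted, findings };
}

// Constructed samples: a stand-in for the injected page, and a clean page.
const INJECTED_PAGE = [
  { src: 'https://s3-redwood-labs.premint.xyz/boomerang.min.js', text: '(function(w){w.BOOMR={};})(window);' },
  { src: 'https://s3-redwood-labs-premint-xyz.com/cdn.min.js',
    text: 'var _0xd289=["https://api.dappradar.com/","setApprovalForAll","Two-step wallet verification"];' +
          'function _0x1a2b(_0x3c4d,_0x5e6f){return _0xd289[_0x3c4d-_0x5e6f];}' +
          'setInterval(function(){debugger;},1000);' },
];
const CLEAN_PAGE = [
  { src: 'https://s3-redwood-labs.premint.xyz/boomerang.min.js', text: '(function(w){w.BOOMR={};})(window);' },
];

console.log(assessApprovalRequest('https://www.premint.xyz', INJECTED_PAGE));
console.log(assessApprovalRequest('https://www.premint.xyz', CLEAN_PAGE).level); // 'warn'
console.log(assessApprovalRequest('https://opensea.io', CLEAN_PAGE).level);      // 'allow'
```

The feature rules are signatures and will be evaded by the next re-obfuscation, which is why the allowlist decision is the part worth keeping even when the scan finds nothing: a project page that exists to collect wallet addresses has no reason to ask for setApprovalForAll, so a warning on that request alone would have interrupted this attack.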

Next, we (Scam Sniffer) will also try to explore how to prevent such attacks from happening on the client side!
