Operation Cook: Massive Crypto Giveaway Campaign Impersonating Trust Wallet
By: Athul Harilal (Security Researcher) and Nobel Tan (Head of Engineering & Product)
In this article, we unravel the operations of the alleged threat actor group behind a large scale Crypto Giveaway campaign impersonating Trust Wallet. According to our investigation, we found the threat actors using 3 techniques to conduct their operation and they have been active since June 2020. We have found evidence hinting at laundering of funds through the Waves blockchain. Our intuition tells us that the threat actors could be of Indonesian origin due to the numerous Bahasa Indonesian words found during the analysis. We have shared the entire list of IOCs for interested individuals here.
During our investigation, we found 3 major techniques used by the threat actor group to conduct fake giveaways. We summarize the modus operandi of these techniques below.
Using this technique, the threat actor group lures the victims to a fake giveaway page such as app[.]trustwallet[.]rewards-erc20-airdrop[.]monster, whose response is illustrated in Figure 1. The victim is asked to enter their backup phrase in order to claim the tokens, which allows the threat actor to create a copy of the victim’s wallet and drain their funds.
The analysis of the html code block revealed that the victim’s backup phrase was being posted to a php application hosted within the same domain as the fake giveaway page. However, we also found instances where the backup phrase was sent to a domain different from the fake giveaway domain, that could be created specifically for accepting backup phrases as shown in Table 1.
We also observed a striking resemblance of the giveaway page with that of the decentralized exchange platform waves[.]exchange¹. Waves is a blockchain platform founded in 2016 which enables the creation of custom tokens that can be easily traded within their built in decentralized exchange (DEX) waves[.]exchange². Waves.exchange operates with coinomat[.]com gateway to introduce fiat cash into the Waves blockchain³. It operates as an instant exchange by interfacing with other centralized exchanges. Unlike centralized exchanges, Coinomat does not ask users for KYC⁴ information for crypto to fiat or vice versa conversion, and provides fast service. This appears to be lucrative to malicious actors.
Coming back to the striking resemblance, Fig 3 shows the variable WavesApp used by both waves.exchange and the giveaway page that contains configuration data such as ‘coinomat’ used for exchanging tokens to fiat, and state space information such as ‘state’ that represents the current state of WavesApp.
We also observe similarities between the UI of waves.exchange and the Giveaway page due to similar css files loaded as shown in Figure 4.
From the following, we can deduce that malicious actors could be laundering their funds through the Waves platform using waves.exchange and coinomat exchange for conversion to fiat or vice versa.
Using this technique, the malicious actors create a similar web page as the original Trust Wallet site, with an inclusion of the giveaway code block to claim crypto tokens. Figure 5 shows the response of one such giveaway site claimbnb[.]fun.
The html code block for claiming the giveaway tokens redirects the page to claim[.]html as shown in Fig 6, whose response is equivalent to the giveaway page response introduced in technique 1, running code base of waves.exchange in the background.
While most of the giveaway urls rendered a response shown in Fig 5, we also found some urls that served merely as a redirection to the giveaway landing page as shown in Fig 7. Table 2 lists a few landing pages we found, leveraging on hosting providers prohoster⁵ and 000webhostapp⁶.
Finally, analyzing the list of urls utilizing this technique, we found the majority of the giveaways using Binance Coin (BNB)⁷, followed by Stellar (XLM)⁸ and Ethereum (ETH)⁹.
Using this technique, the malicious actors have gone one step further from technique 2 by creating a similar page as the original Trust Wallet with very subtle differences. Upon inspection of the url alltrustedwallet[.]com, we found additional download links of Trust Wallet in comparison to the original Trust Wallet site as shown in Fig 8. The original Trust Wallet site does not have links for macOS and Windows.
Analysis of html code block revealed that the giveaway page hosted malicious versions of the Trust Wallet application for android, macOS and windows, shown in Fig 9. However, malicious actors hosted these applications only for a short duration of time. Virustotal identified the android version of Trust Wallet as malicious. We also found an article briefly summarizing the execution of TrustedWallet.apk¹⁰. However macOS and Windows version of impersonated Trust Wallet are still unknown.
Timeline of Malicious Actor Activity
We have summarized the activity of the threat actors in Figure 10 by mapping the number of giveaway URLs created for each technique, across the duration of their operation until the writing of this article.
We observe that the threat actor has been active since June 2020 using only the technique 1 based URLs in the beginning, while URLs related to techniques 2 and 3 were only observed since October 2020. In the first quarter of their operation, their activity peaked in July with 23 active URLs. However in the second quarter, they reached a new peak in October with 29, 126 and 1 active URLs across the 3 techniques respectively. We could only find 1 URL belonging to Technique 3 as of the writing of this article.
While most of the ip addresses that resolved to the giveaway URLs were short lived spanning only a few days, ip addresses 184.108.40.206 and 220.127.116.11 were fairly long lived spanning more than 3 months.
This operation is termed as Operation Cook because one of the domains of the threat actor returned the http response shown in Fig 11, which is derogatory in Bahasa Indonesian. This was our first clue regarding the origin of the threat actors. Later, we also found a number of other Bahasa Indonesian words upon analyzing the web files, such as (kata mutiara : ‘words of wisdom’, babi: ‘pig’, bakup: ‘backup’, pantek: ‘abstinence’). These factors contributed to our understanding of the threat actor origin.
Uppsala Security is headquartered in Singapore and has branch offices in Seoul, South Korea and Tokyo, Japan. Follow Uppsala Security on Telegram, LinkedIn, Twitter, Facebook and Medium.
 “Waves.Exchange.” https://waves.exchange/. Accessed 16 Nov. 2020.
 “What is Waves? (WAVES) | Kraken.” https://www.kraken.com/en-us/learn/what-is-waves. Accessed 17 Nov. 2020.
 “Coinomat — Exchange service for Waves Blockchain ….” https://en.bitcoinwiki.org/wiki/Coinomat. Accessed 17 Nov. 2020.
 “Latest News on KYC | Cointelegraph.” https://cointelegraph.com/tags/kyc. Accessed 17 Nov. 2020.
 “ProHoster: 🥇 Купить надежный хостинг для сайтов с ….” https://prohoster.biz/. Accessed 16 Nov. 2020.
 “000WebHost.” https://www.000webhost.com/. Accessed 16 Nov. 2020.
 “Use BNB | Binance.” https://www.binance.com/en/use-bnb. Accessed 16 Nov. 2020.
 “Lumens — Stellar.” https://www.stellar.org/lumens?locale=en. Accessed 16 Nov. 2020.
 “Home | ethereum.org.” https://ethereum.org/en/. Accessed 16 Nov. 2020.
 “Android Quickie: TrustedWallet Impersonation — Tilden Swans ….” 10 Nov. 2020, https://sansatart.medium.com/android-quickie-trustedwallet-impersonation-3f0823a43f92. Accessed 16 Nov. 2020.