On January 3, 2024, Mandiant's X social media account was taken over and subsequently used to distribute links to a cryptocurrency drainer phishing page.
The following blog post provides additional insight into the drainer leveraged in this campaign, which we have dubbed CLINKSINK. Numerous actors have conducted campaigns since December 2023 that leverage the CLINKSINK drainer to steal funds and tokens from Solana cryptocurrency users.
Drainers are malicious scripts and smart contracts that actors use to siphon funds and/or digital assets, such as non-fungible tokens (NFTs), from victims' cryptocurrency wallets after the victims are tricked into approving transactions.
The identified campaigns included at least 35 affiliate IDs associated with a common drainer-as-a-service (DaaS) offering that uses CLINKSINK. The operator(s) of this DaaS provide the drainer scripts to affiliates in exchange for a percentage of the stolen funds, typically around 20%. We estimate the total value of assets stolen by affiliates in these recent campaigns to be at least $900,000 USD.
Overview of CLINKSINK Drainer Campaigns
In some recently observed campaigns, threat actors used social media and chat applications, including X and Discord, to distribute cryptocurrency-themed phishing pages that entice victims to interact with the CLINKSINK drainer.
The observed CLINKSINK phishing domains and pages have leveraged a wide range of fake token airdrop-themed lures masquerading as legitimate cryptocurrency resources, such as Phantom, DappRadar, and BONK. These phishing pages have loaded the malicious CLINKSINK JavaScript drainer code to facilitate a connection to victim wallets and the subsequent theft of funds.
After connecting their wallet, the victim is prompted to sign a transaction submitted by the drainer; approving it allows the drainer to siphon funds from the wallet.
Initial Analysis of CLINKSINK
The analyzed CLINKSINK file is obfuscated by an unknown JavaScript obfuscator.
While some identified variants of CLINKSINK target multiple cryptocurrency wallets, this variant targets only Phantom.
Com containing additional wallet details and the CLINKSINK affiliate website.
Distribution of Stolen Solana Cryptocurrency Funds
Mandiant identified recent CLINKSINK campaigns using at least 35 different affiliate IDs and 42 unique Solana wallet addresses.
The stolen funds are split between the affiliate and the service operator(s) based on a set percentage that is retrieved from the drainer service using the affiliate's ID. In these recent campaigns, a portion of funds were sent to the following Solana address, which we assess is associated with the DaaS operator: B8Y1dERnVNoUUXeXA4NaCHiB9htcukMSkfHrFsTMHA7h.
It is plausible that at least some of the funds sent to the operator's wallet could be from their own drainer campaigns and/or transfers of funds not subject to this percentage split.
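The fund-split logic described above lends itself to on-chain tracing: if affiliate drains forward a fixed cut to the operator wallet, inflows to that wallet can be sorted into affiliate payouts (and attributed to affiliate wallets) versus the unsplit inflows mentioned in the caveat above. The following Python is an added example, not Mandiant's code or tooling. The only real identifier in it is the operator-associated address quoted in the post; every other address, transaction signature and amount is constructed. It also assumes a transaction layout the post does not describe, namely that one drain is a single transaction with two SOL transfer legs from the victim, one to the affiliate and one to the operator.

```python
"""Trace drainer-as-a-service payouts on Solana from a list of SOL transfers.

Added example (not Mandiant's code): models the affiliate/operator split the post
describes. Only OPERATOR_WALLET is real; all other addresses, signatures and amounts
are constructed. Assumption: one drain is one transaction with two transfer legs from
the victim, one to the affiliate wallet and one to the operator wallet, so the
operator's share is cut / (affiliate leg + cut).
"""
from collections import defaultdict
from dataclasses import dataclass

OPERATOR_WALLET = "B8Y1dERnVNoUUXeXA4NaCHiB9htcukMSkfHrFsTMHA7h"  # from the post
LAMPORTS_PER_SOL = 1_000_000_000


@dataclass(frozen=True)
class Transfer:
    tx: str        # transaction signature (constructed)
    src: str       # funding account
    dst: str       # receiving account
    lamports: int  # amount moved


def classify_operator_inflows(transfers, operator=OPERATOR_WALLET,
                              expected_share=0.20, tolerance=0.03):
    """Separate operator inflows into affiliate drains and everything else.

    Returns (drains, unsplit): drains maps affiliate wallet -> list of drain records
    whose operator share lies within `tolerance` of `expected_share`; unsplit holds
    operator inflows with no affiliate leg or an off-ratio split, which the post notes
    may be the operator's own drains or transfers not subject to the percentage split.
    """
    legs_by_tx = defaultdict(list)
    for t in transfers:
        legs_by_tx[t.tx].append(t)

    drains = defaultdict(list)
    unsplit = []
    for tx, legs in legs_by_tx.items():
        to_operator = [l for l in legs if l.dst == operator]
        if not to_operator:
            continue  # transaction never touches the operator wallet
        cut = sum(l.lamports for l in to_operator)
        victims = {l.src for l in to_operator}
        # Other legs funded by the same victim(s) within the same transaction.
        others = [l for l in legs if l.dst != operator and l.src in victims]
        total = cut + sum(l.lamports for l in others)
        share = cut / total
        if others and abs(share - expected_share) <= tolerance:
            affiliate_leg = max(others, key=lambda l: l.lamports)
            drains[affiliate_leg.dst].append({
                "tx": tx, "victim": affiliate_leg.src, "drained": total,
                "operator_cut": cut, "share": round(share, 3)})
        else:
            unsplit.append({"tx": tx, "src": sorted(victims), "lamports": cut,
                            "share": round(share, 3)})
    return dict(drains), unsplit


def summarize(drains):
    """Total drained SOL per affiliate and overall (drained = affiliate leg + cut)."""
    per_affiliate = {a: sum(r["drained"] for r in rows) / LAMPORTS_PER_SOL
                     for a, rows in drains.items()}
    return per_affiliate, sum(per_affiliate.values())


# Constructed sample: addresses, signatures and amounts are made up for illustration.
AFFILIATE_A, AFFILIATE_B, AFFILIATE_C = "affiliate-A", "affiliate-B", "affiliate-C"
SOL = LAMPORTS_PER_SOL
SAMPLE_TRANSFERS = [
    # sig-1, sig-2: victims drained to affiliate A with a 20% cut to the operator
    Transfer("sig-1", "victim-1", AFFILIATE_A, 8 * SOL),
    Transfer("sig-1", "victim-1", OPERATOR_WALLET, 2 * SOL),
    Transfer("sig-2", "victim-2", AFFILIATE_A, 40 * SOL),
    Transfer("sig-2", "victim-2", OPERATOR_WALLET, 10 * SOL),
    # sig-3: affiliate B on a 22% split, still within tolerance
    Transfer("sig-3", "victim-3", AFFILIATE_B, 3_900_000_000),
    Transfer("sig-3", "victim-3", OPERATOR_WALLET, 1_100_000_000),
    # sig-4: operator inflow with no affiliate leg (own campaign or plain transfer)
    Transfer("sig-4", "wallet-x", OPERATOR_WALLET, 15 * SOL),
    # sig-5: a 50/50 split does not match the service's percentage
    Transfer("sig-5", "victim-4", AFFILIATE_C, 5 * SOL),
    Transfer("sig-5", "victim-4", OPERATOR_WALLET, 5 * SOL),
    # sig-6: unrelated transfer that never touches the operator
    Transfer("sig-6", "victim-5", "wallet-y", 1 * SOL),
]

if __name__ == "__main__":
    drains, unsplit = classify_operator_inflows(SAMPLE_TRANSFERS)
    per_affiliate, total = summarize(drains)
    for affiliate, sol in per_affiliate.items():
        print(f"{affiliate}: {len(drains[affiliate])} drains, {sol:.2f} SOL drained")
    print(f"total attributed to affiliate drains: {total:.2f} SOL")
    print(f"operator inflows left unattributed: {[u['tx'] for u in unsplit]}")
```

On real data the transfer list would come from parsed transactions for the operator address (for example, from an RPC `getSignaturesForAddress` sweep followed by transaction decoding), and `expected_share` would be tuned from the percentages observed for known affiliate IDs; the `unsplit` bucket is what keeps the caveat above honest, since inflows without a matching affiliate leg should not be counted toward the affiliate total.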
Notably, the Rainbow Drainer service may have been active as early as December 2021 based on the creation date of the Telegram channel that it uses to provide information and updates regarding the service.
There are code overlaps between CLINKSINK samples and JavaScript code uploaded to Pastebin.
Outlook and Implications
Over the past year, Mandiant has observed a multitude of actors distributing drainers and advertising draining tools and services on underground forums, highlighting the popularity of cryptocurrency draining operations.
The apparent leak of the CLINKSINK source code could enable additional threat actors to conduct their own independent draining operations and/or set up further DaaS offerings for others to use.
The wide availability and low cost of many drainers, combined with a relatively high potential for profit, likely makes them attractive operations for many financially motivated actors.
Given the increase in cryptocurrency values and the low barrier to entry for draining operations, we anticipate that financially motivated threat actors of varying levels of sophistication will continue to conduct drainer operations for the foreseeable future.
YARA Rule
The following CLINKSINK YARA rule is not intended to be used on production systems or to inform blocking rules without first being validated through an organization's own internal testing processes to ensure appropriate performance and limit the risk of false positives.
This rule is intended to serve as a starting point for hunting efforts to identify CLINKSINK drainer activity; however, it may need adjustment over time.
This Cyber News was published on www.mandiant.com. Publication date: Thu, 11 Jan 2024 04:43:04 +0000