GitHub phishers use fake OpenClaw tokens to drain crypto wallets

Smart, obfuscated malware code: According to OX, the malicious phishing and wallet-stealing code is "highly obfuscated" and resides within the "eleven.js" JavaScript file in the repository. The threat actor used "watery-compost[.]today" to host a C2 server that collects information (including wallet address, transaction value, and name) and drains wallets once they are connected. Commands used by the C2 include PromtTx, Approved, and Declined. Additionally, the malware code includes a "nuke" function that deletes wallet-stealing information from the browser's local storage to avoid detection and forensics, the researchers added.

The address "0x6981E9EA7023a8407E4B08ad97f186A5CBDaFCf5" was extracted from the code and identified as the threat actor's wallet used to receive stolen cryptocurrency. The phishing page ("token-claw[.]xyz") was said to support multiple crypto wallets, including WalletConnect, MetaMask, Trust Wallet, OKX Wallet, and Bybit Wallet.

OX researchers recommended blocking the phishing domain from all environments, refraining from connecting crypto wallets to untrusted websites, and treating token giveaway issues from unknown sources as suspicious. Users should also review any recent wallet connections associated with the campaign and revoke all approvals immediately to stay protected.
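One way to act on the blocking recommendation above is to sweep existing DNS, proxy and transaction logs for the indicators quoted in the article. The script below is an added example, not code from OX or CSO Online: it refangs the two domains, matches them (and their subdomains, but not look-alike hosts such as "notwatery-compost.today") in a constructed log sample, and also flags any record mentioning the attacker wallet. The log format is an assumption made for the example.

```python
from urllib.parse import urlsplit

# Indicators quoted in the OX write-up, kept in defanged form.
DEFANGED_DOMAINS = ["watery-compost[.]today", "token-claw[.]xyz"]
# Attacker wallet quoted in the article; compared case-insensitively.
ATTACKER_WALLET = "0x6981E9EA7023a8407E4B08ad97f186A5CBDaFCf5"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


BLOCKED = {refang(d) for d in DEFANGED_DOMAINS}


def host_matches(host: str) -> bool:
    """True if host is an indicator or a subdomain of one; look-alikes
    such as 'notwatery-compost.today' must not match."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in BLOCKED)


def extract_host(field: str) -> str:
    """Accept either a bare hostname or a full URL as found in proxy logs."""
    if "://" in field:
        return urlsplit(field).hostname or ""
    return field.split("/")[0].split(":")[0]


def scan_log(lines):
    """Return (line_number, reason) for each line touching an indicator.
    Assumed (constructed) log shape: whitespace-separated fields with the
    queried host or URL in the third field; any field may hold an address."""
    hits = []
    wallet = ATTACKER_WALLET.lower()
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) >= 3 and host_matches(extract_host(parts[2])):
            hits.append((n, "indicator domain"))
        elif wallet in line.lower():
            hits.append((n, "attacker wallet"))
    return hits


# Constructed sample log lines for demonstration only.
SAMPLE_LOG = [
    "2026-01-01T10:00:00Z dns api.github.com A",
    "2026-01-01T10:00:05Z proxy https://token-claw.xyz/claim GET 200",
    "2026-01-01T10:00:07Z dns WATERY-COMPOST.TODAY A",
    "2026-01-01T10:00:09Z dns notwatery-compost.today A",
    "2026-01-01T10:00:12Z proxy https://cdn.watery-compost.today/eleven.js GET 200",
    "2026-01-01T10:01:00Z tx to=0x6981e9ea7023a8407e4b08ad97f186a5cbdafcf5 value=1.2",
]

if __name__ == "__main__":
    for n, why in scan_log(SAMPLE_LOG):
        print(f"line {n}: {why}: {SAMPLE_LOG[n - 1]}")
```

A hit on the wallet address in outgoing transaction records is the signal to review and revoke that wallet's approvals, as the researchers advise.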

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4150456/github-phishers-use-fake-openclaw-tokens-to-drain-crypto-wallets.html
