LevelBlue SpiderLabs’ Cyber Threat Intelligence Team continues to observe a progressive convergence between traditional cybercrime activity and attacks targeting cryptocurrency users.
# Tool/Technique: StepDrainer & EtherRAT (Crypto Drainer Convergence)
## Overview
This report details the convergence of traditional cybercrime (commodity malware) with decentralized finance (DeFi) theft. It focuses on two primary threats: **StepDrainer**, a sophisticated multichain asset extractor, and **EtherRAT**, a hybrid Windows implant. These tools represent a shift toward "Drainer-as-a-Service" (DaaS) models that integrate with existing malware delivery pipelines.
## Technical Details
- **Type:** Malware Family (Crypto Drainer and Remote Access Trojan)
- **Platform:** Web-based (Multichain), Windows
- **Capabilities:** Automated asset extraction, multichain support, social engineering, remote access, stealthy persistence.
- **First Seen:** Approximately 2024 (based on the maturation of the observed "Drainer-as-a-Service" economy).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link] (Fake trading portals)
- **[TA0002 - Execution]**
  - [T1204.002 - User Execution: Malicious File] (Trojanized TFTP installers)
- **[TA0006 - Credential Access]**
  - [T1555.003 - Credentials from Web Browsers] (Wallet extension targeting)
- **[TA0010 - Exfiltration]**
  - [T1567 - Exfiltration Over Web Service] (Automated transfer of blockchain assets)
## Functionality
### Core Capabilities
- **Multichain Support:** StepDrainer operates across 20+ networks including Ethereum (ETH), BNB Chain, Arbitrum, and Polygon.
- **Automated Extraction:** Identifies and prioritizes the highest-value holdings in a connected wallet for immediate transfer.
- **Smart Contract Abuse:** Leverages "write-off" methods such as Seaport, Permit v2, and IncreaseAllowance to trick users into signing away asset control.
- **Hybrid Delivery:** EtherRAT uses traditional malware tradecraft (trojanized installers) to drop crypto-stealing payloads.
### Advanced Features
- **Library Hijacking:** Abuse of legitimate Web3 frameworks like **Web3Modal** to present convincing, responsive wallet-connection interfaces.
- **Evasive Social Engineering:** Use of high-fidelity lures, including market charts, portfolio elements, and mobile-responsive layouts that mimic legitimate fintech dashboards.
- **DaaS Model:** Turnkey kits lower the barrier to entry, allowing non-specialist actors to incorporate draining into standard botnet operations.
## Indicators of Compromise
*Note: Specific hashes were truncated in the source text, but the following patterns are identified.*
- **File Names:** Trojanized TFTP installers, `EtherRAT.exe` (or variants), `StepDrainer` JS payloads.
- **Network Indicators:**
  - hxxps[://]stepdrainer[.]io (and associated DaaS domains)
  - Various phishing domains mimicking DEXs (Uniswap, PancakeSwap clones).
- **Behavioral Indicators:**
  - Unsolicited "Permit" or "Approval" signatures requested by non-standard smart contracts.
  - Unexpected TFTP outbound traffic from Windows endpoints.
## Associated Threat Actors
- **MioLab (Nova):** Associated with macOS-specific crypto-stealing campaigns.
- **ClickFix Operators:** Known for multi-stage stealer assaults that now integrate drainers.
- **Drainer-as-a-Service (DaaS) Developers:** Specialized groups providing the backend infrastructure for affiliates.
## Detection Methods
- **Signature-based:** Detection of known "Permit" and "IncreaseAllowance" malicious contract patterns.
- **Behavioral:**
  - Monitoring for execution of trojanized TFTP/utility installers.
  - Identifying web redirects from commodity malware C2s to crypto-themed phishing pages.
- **Network:** Monitoring for connections to known DaaS backend APIs.
## Mitigation Strategies
- **Prevention:** Use "Wallet Guard" or "Blockfence" browser extensions that simulate transactions before signing.
- **Hardening:** Disable auto-connect features in browser-based wallets; implement hardware security modules (HSMs) or cold storage for high-value assets.
- **Education:** Training users to recognize "Permit" and "Permit2" signature requests, which do not require gas but grant full access to tokens.
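The "Permit"/"Permit2" signature requests described above can be triaged mechanically before a user signs. The following is an added example, not code from the LevelBlue report or from any tool it describes: it inspects an EIP-712 typed-data request of the kind a wallet receives via `eth_signTypedData_v4`, recognises the EIP-2612 Permit and Permit2 message shapes, and flags the traits drainers rely on (unknown spender, unlimited allowance, far-future deadline). The risk thresholds are heuristics, and all addresses and the sample request are constructed.

```javascript
const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_UINT160 = (1n << 160n) - 1n;          // Permit2 amounts are uint160
const ONE_YEAR = 365n * 24n * 3600n;
const big = (x) => BigInt(x ?? 0);               // tolerate missing fields

// Normalise the Permit flavours to {kind, spender, amount, deadline, max}.
// Returns null for typed data that is not a token approval at all.
function extractApproval(typedData) {
  const m = typedData.message || {};
  switch (typedData.primaryType) {
    case 'Permit':             // EIP-2612: {owner, spender, value, nonce, deadline}
      return { kind: 'Permit', spender: m.spender, amount: big(m.value),
               deadline: big(m.deadline), max: MAX_UINT256 };
    case 'PermitSingle':       // Permit2 AllowanceTransfer: {details{amount,..}, spender, sigDeadline}
      return { kind: 'Permit2', spender: m.spender, amount: big(m.details?.amount),
               deadline: big(m.sigDeadline), max: MAX_UINT160 };
    case 'PermitTransferFrom': // Permit2 SignatureTransfer: {permitted{amount,..}, spender, deadline}
      return { kind: 'Permit2', spender: m.spender, amount: big(m.permitted?.amount),
               deadline: big(m.deadline), max: MAX_UINT256 };
    default:
      return null;
  }
}

// trustedSpenders: allowlist of router/contract addresses the user expects to
// interact with. now: unix seconds, injectable so results are reproducible.
function triageSignRequest(typedData, { trustedSpenders = [], now = Math.floor(Date.now() / 1000) } = {}) {
  const a = extractApproval(typedData);
  if (!a) return { kind: null, risk: 'none', findings: [] };
  const spender = String(a.spender).toLowerCase();
  const findings = [];
  if (!trustedSpenders.some((s) => s.toLowerCase() === spender)) findings.push('spender not in allowlist');
  if (a.amount >= a.max / 2n) findings.push('unlimited allowance');   // heuristic: near-max = blanket approval
  if (a.deadline - big(now) > ONE_YEAR) findings.push('deadline more than one year out');
  const risk = findings.length >= 2 ? 'high' : findings.length === 1 ? 'medium' : 'low';
  return { kind: a.kind, spender, risk, findings };
}

// Constructed sample: a max-value EIP-2612 Permit to an unknown spender,
// the shape a drainer page asks the victim to sign (no gas required).
const SAMPLE_PERMIT_REQUEST = {
  primaryType: 'Permit',
  domain: { name: 'ExampleToken', version: '1', chainId: 1 },
  message: { owner: '0x' + '11'.repeat(20), spender: '0x' + 'ab'.repeat(20),
             value: MAX_UINT256.toString(), nonce: '0', deadline: '1893456000' },
};

console.log(triageSignRequest(SAMPLE_PERMIT_REQUEST, { trustedSpenders: ['0x' + '22'.repeat(20)], now: 1700000000 }));
```

The same check can be applied to an `eth_sendTransaction` request by decoding `approve`/`increaseAllowance` calldata, which is the on-chain counterpart of the gasless paths shown here.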
## Related Tools/Techniques
- **MioLab (Nova) Stealer:** Platform-specific macOS infostealer.
- **Seaport/Permit v2:** Legitimate protocols abused by drainers for "gasless" signature theft.
- **Infostealers:** Lumma, RedLine, and Vidar (often act as the initial delivery stage for drainer lures).