Introduction
HashDit has monitored a new Drainer As A Service (DaaS) product in the crypto scam industry, which calls itself Perpetual Drainer.
Traditionally, a drainer tricks the victim into visiting a scam or impersonation website, and security tools can block such sites at the wallet level because the wallet sees the request coming from a known malicious origin. With Perpetual Drainer, the victim still visits a website hosting the drainer, but the wallet ends up receiving the request from a trusted origin, which bypasses origin-based checks.
Modus operandi
Perpetual Drainer redirects victims to a reflected XSS exploit on a trusted origin, which then dynamically loads a script from Perpetual Drainer infrastructure that contains the actual drainer logic.
When this code executes, it rewrites the DOM to display a wallet connection prompt and causes all requests to the wallet extension to originate from the trusted origin, rather than from an origin the attacker controls.
Technical Details
Affiliates: These are individuals or entities that help distribute the malicious tool.
Main.js Script: Affiliates can include this script on their websites. When a user visits the site, this script will automatically load another script from a specific URL.
This immediately redirects users to a site with a Cross-Site Scripting (XSS) vulnerability.
XSS Domain: This is a domain that might appear trustworthy. The XSS vulnerability allows the attacker to execute malicious scripts in the user's browser under that domain's origin.
Drainer.js: Once the user is redirected to the XSS domain, this script (drainer.js) is loaded from another URL. This script is the actual malicious code that performs the harmful actions.
** It is important to note here that transaction simulation or transaction data analysis can still flag the malicious transaction, because those checks look at what the transaction does rather than where the request came from.
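As an added illustration of the two points above (it is not HashDit's code, nor anything recovered from Perpetual Drainer), the following JavaScript models a wallet's policy check. An origin blocklist alone lets the request through once it arrives from a trusted origin, while decoding the transaction's calldata still catches the classic draining patterns (an unlimited ERC-20 approve or a setApprovalForAll(true) to an unknown spender, or a transfer of nearly the whole native balance). All origins, addresses, the blocklist and the sample transactions are constructed values for the example; the function selectors are the standard ERC-20 and ERC-721 ones.

```javascript
// Added example (not HashDit's or the drainer's code). Origins, addresses and
// the blocklist below are made-up sample values.

const ORIGIN_BLOCKLIST = new Set(["https://scam-airdrop.example"]); // hypothetical

// First 4 bytes of keccak256 of the function signature (standard ERC-20 / ERC-721).
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",
  "0xa22cb465": "setApprovalForAll(address,bool)",
  "0xa9059cbb": "transfer(address,uint256)",
};

const MAX_UINT256 = (1n << 256n) - 1n;

// Origin-only policy: exactly what the redirect-to-XSS trick defeats, because the
// request now carries the trusted origin instead of the drainer's.
function originAllowed(origin) {
  return !ORIGIN_BLOCKLIST.has(origin);
}

// Minimal ABI decoding: 4-byte selector followed by 32-byte words.
function decodeCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  const selector = "0x" + hex.slice(0, 8);
  const words = [];
  for (let i = 8; i + 64 <= hex.length; i += 64) words.push(hex.slice(i, i + 64));
  return { selector, name: SELECTORS[selector], words };
}

function wordToAddress(w) { return "0x" + w.slice(24); } // last 20 bytes of the word
function wordToUint(w) { return BigInt("0x" + w); }

// Content-based policy: looks at what the transaction does, not where it came from.
// Returns the list of reasons the transaction looks like a drain (empty if none).
function analyzeTransaction(tx, ctx) {
  const reasons = [];
  const value = BigInt(tx.value || "0x0");
  const trusted = new Set((ctx.trustedSpenders || []).map((a) => a.toLowerCase()));

  // Native-asset drain: sending 90% or more of the account's balance.
  if (ctx.balanceWei !== undefined && value > 0n && value * 100n >= ctx.balanceWei * 90n) {
    reasons.push("sends >=90% of native balance");
  }
  if (!tx.data || tx.data === "0x") return reasons;

  const { name, words } = decodeCalldata(tx.data);
  if (name === "approve(address,uint256)" && words.length >= 2) {
    const spender = wordToAddress(words[0]);
    if (wordToUint(words[1]) === MAX_UINT256 && !trusted.has(spender)) {
      reasons.push(`unlimited ERC-20 approval to unknown spender ${spender}`);
    }
  } else if (name === "setApprovalForAll(address,bool)" && words.length >= 2) {
    const operator = wordToAddress(words[0]);
    if (wordToUint(words[1]) === 1n && !trusted.has(operator)) {
      reasons.push(`setApprovalForAll(true) to unknown operator ${operator}`);
    }
  }
  return reasons;
}

// Combined decision: origin check first, then transaction content.
function shouldBlock(origin, tx, ctx) {
  if (!originAllowed(origin)) return { block: true, reasons: ["origin on blocklist"] };
  const reasons = analyzeTransaction(tx, ctx);
  return { block: reasons.length > 0, reasons };
}

// Constructed sample: an unlimited approve() arriving from a trusted origin.
const SAMPLE_APPROVE_TX = {
  to: "0x1111111111111111111111111111111111111111", // hypothetical token contract
  value: "0x0",
  data: "0x095ea7b3"
    + "000000000000000000000000" + "2222222222222222222222222222222222222222" // spender
    + "ff".repeat(32), // amount = 2**256 - 1
};

const SAMPLE_CTX = { balanceWei: 10n ** 18n, trustedSpenders: [] };

console.log(shouldBlock("https://trusted.example", SAMPLE_APPROVE_TX, SAMPLE_CTX));
```

The origin check alone returns "allowed" for the trusted origin, so only the calldata analysis produces the block verdict; a real wallet would additionally simulate the transaction to catch drains that do not use one of the well-known selectors.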