| AngelX | |
| --- | --- |
| Type of Malware | Infostealer |
| Date of Initial Activity | 2024 |
| Associated Malware | Angel Drainer |
| Motivation | Data Theft |
| Attack Vectors | Phishing |
| Type of Information Stolen | Cryptocurrencies |
Overview
AngelX is a newly discovered variant of the notorious Angel Drainer malware, which has been designed to exploit vulnerabilities in the rapidly growing Web3 ecosystem. First detected by Blockaid’s Threat Intelligence team during routine proactive scans on August 29, 2024, AngelX marks a significant evolution in cybercriminal tactics. The malware, still in its testing phase, was identified within a test decentralized application (dApp) that was likely never intended for public eyes. However, its discovery allowed Blockaid’s team to investigate and neutralize its impact before it could be widely deployed in the wild.
What sets AngelX apart from its predecessors is its enhanced functionality and ability to target previously unsupported blockchain networks, including the TON and TRON chains. With new features such as a sophisticated command-and-control (CNC) dashboard and improved cloaking mechanisms, AngelX makes it easier for attackers to execute and conceal their malicious activities. Notably, the malware also includes a seed-phrase-theft flow, a crucial element for gaining access to users’ crypto wallets. This combination of technical advancements ensures that AngelX is more evasive and effective than earlier iterations of the Angel Drainer toolkit.
Targets
Finance and Insurance
Individuals
How they operate
At its core, AngelX is a type of “drainer” malware, which is primarily used by cybercriminals to steal cryptocurrency and other sensitive information from users. The malware operates through decentralized applications (dApps), which are often used in the Web3 space to enable decentralized finance (DeFi) transactions and other blockchain-based operations. AngelX’s primary function is to drain funds from crypto wallets by tricking users into interacting with malicious dApps that appear legitimate but are secretly designed to capture private keys, seed phrases, and other critical information.
One of the most notable improvements in AngelX is its ability to target new, previously unsupported blockchain platforms. While older variants of Angel Drainer primarily focused on Ethereum-based networks, AngelX extends its reach to platforms such as TON (The Open Network) and TRON. This expansion significantly increases the number of potential targets, as it now includes a broader range of users and dApp ecosystems. The malware accomplishes this by leveraging custom smart contracts that integrate seamlessly with the targeted blockchains, allowing the attackers to drain funds from users without their knowledge.
AngelX employs a sophisticated command-and-control (CNC) dashboard, which acts as the central hub for managing and controlling infected dApps. This dashboard is accessible to the threat actors behind AngelX, giving them a high level of control over how the malware operates. The CNC panel allows the attackers to configure and deploy various aspects of the drainer, including selecting the target blockchain, defining the malicious flow of interactions, and monitoring the stolen data in real time. The CNC system also provides analytics on the success rate of each scam, enabling attackers to optimize their strategies over time.
Another critical feature of AngelX is its enhanced cloaking mechanism. Traditional drainer malware often struggles to evade detection by security vendors, but AngelX includes advanced techniques that make it more difficult to identify. The malware can modify its behavior depending on the environment in which it operates, such as hiding its malicious activity within legitimate blockchain transactions or obscuring its presence by using decentralized hosting services. Additionally, AngelX incorporates anti-analysis measures, such as obfuscating its code and using encryption, which further complicates efforts to detect it using traditional security tools.
One of the most concerning aspects of AngelX is its ability to steal seed phrases from users, a critical component for accessing and controlling cryptocurrency wallets. The malware is designed to deceive users into inputting their private seed phrases into fake interfaces that mimic the legitimate wallet access screens. Once the seed phrase is captured, the attackers can gain full control over the user’s wallet, allowing them to transfer funds at will. This flow has been made more efficient in AngelX, making it harder for users to detect and interrupt the process before the seed phrase is compromised.
The malware’s evolution also includes support for a more streamlined deployment process, allowing scammers to launch new attacks more rapidly. By simplifying the steps necessary to create and distribute malicious dApps, AngelX makes it easier for even less technical attackers to take advantage of its capabilities. This lowers the barrier to entry for cybercriminals, making it more likely that the malware will be widely distributed and used.
In response to these technical advancements, security teams have been working to develop countermeasures and detection logic to protect users from AngelX. Early detection is crucial in preventing the widespread adoption of this malware, as it allows for the implementation of defenses before the malware gains traction among cybercriminals. By identifying new variants like AngelX during their testing phases, threat intelligence teams can stay ahead of attackers and reduce the risk posed by such advanced threats.
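As an added example (not code from Blockaid or from the AngelX toolkit), the following is a minimal pre-signature check of the kind wallet-side drainer defenses run on a transaction before the user signs it. It assumes the common approval-phishing pattern, in which the malicious dApp asks the victim to sign an approve() or setApprovalForAll() call in favour of an attacker-controlled contract; the page does not detail AngelX's own contract mechanics, and every address below is a constructed placeholder.

```python
from typing import Optional

MAX_UINT256 = (1 << 256) - 1

# 4-byte selectors (first 4 bytes of keccak256 of the function signature);
# these two are the approval calls drainer dApps typically ask victims to sign.
SEL_APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256)
SEL_SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)


def _word(data: bytes, i: int) -> int:
    """Return the i-th 32-byte ABI argument word (after the selector) as an int."""
    chunk = data[4 + 32 * i:4 + 32 * (i + 1)]
    if len(chunk) != 32:
        raise ValueError(f"calldata too short for argument {i}")
    return int.from_bytes(chunk, "big")


def _address(data: bytes, i: int) -> str:
    """Decode ABI argument i as a lowercase 0x-prefixed 20-byte address."""
    return "0x%040x" % (_word(data, i) & ((1 << 160) - 1))


def assess_calldata(calldata_hex: str, trusted_spenders: set) -> Optional[str]:
    """Return a reason to warn the user before signing, or None if nothing matched.

    trusted_spenders holds lowercase addresses the wallet has already vetted
    (e.g. a known DEX router); approvals granted to anything else are flagged.
    """
    data = bytes.fromhex(calldata_hex.lower().removeprefix("0x"))
    if len(data) < 4:
        return None
    try:
        if data[:4] == SEL_APPROVE:
            spender, amount = _address(data, 0), _word(data, 1)
            if spender not in trusted_spenders:
                kind = "unlimited" if amount == MAX_UINT256 else f"{amount}"
                return f"ERC-20 approval ({kind}) to unknown spender {spender}"
        elif data[:4] == SEL_SET_APPROVAL_FOR_ALL:
            operator, approved = _address(data, 0), _word(data, 1)
            if approved and operator not in trusted_spenders:
                return f"blanket NFT approval to unknown operator {operator}"
    except ValueError as exc:
        return f"malformed calldata: {exc}"
    return None


# Constructed sample (placeholder spender, not a real AngelX contract):
# approve(0x...dead, 2**256-1), the unlimited allowance a drainer typically requests.
SAMPLE_UNLIMITED_APPROVE = "0x095ea7b3" + "dead".rjust(64, "0") + "f" * 64
```

Calling assess_calldata(SAMPLE_UNLIMITED_APPROVE, set()) returns the warning for the unlimited approval; passing the same spender in trusted_spenders returns None.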
In conclusion, AngelX represents a significant step forward in the evolution of drainer malware. Its ability to target multiple blockchains, improve its evasion techniques, and steal critical user data makes it a formidable threat to the Web3 ecosystem. As cybercriminals continue to refine their tactics and tools, it becomes increasingly important for security teams to stay proactive in monitoring for emerging threats and implementing effective defenses.
MITRE Tactics and Techniques
Initial Access
Phishing (T1566): AngelX may begin its attack through phishing campaigns, tricking users into interacting with malicious decentralized applications (dApps) that appear legitimate.
Exploitation of Public-Facing Application (T1190): AngelX exploits vulnerabilities in public-facing dApps or blockchain-based applications to gain access to victims’ systems or crypto wallets.
Execution
User Execution (T1203): Once the victim interacts with the malicious dApp, AngelX is executed on their device, typically by tricking the user into performing actions such as inputting their seed phrase or private keys.
Persistence
Valid Accounts (T1078): AngelX can achieve persistence by stealing private credentials, such as seed phrases, which provide access to users’ crypto wallets for continued exploitation.
Privilege Escalation
Exploitation of Vulnerability (T1203): While AngelX primarily focuses on financial gain through draining wallets, there may be an indirect avenue for privilege escalation if the malware exploits vulnerabilities within blockchain wallets or dApps to escalate access.
Credential Access
Input Capture (T1056): The malware captures sensitive information like seed phrases and private keys entered by the victim during the malicious dApp interaction.
Brute Force (T1110): Although AngelX’s primary attack vector involves seed phrase theft, it may also employ brute-force techniques to guess weak passwords or seed phrases associated with wallets.
Collection
Data from Information Repositories (T1213): AngelX collects user credentials, seed phrases, and other sensitive data, which are stored in a command-and-control (CNC) system for later exploitation.
Command and Control (C2)
C2 Communication (T1071): AngelX communicates with its CNC server to receive commands, transmit stolen data, and allow attackers to manage and monitor ongoing scams.
Application Layer Protocol (T1071.001): The malware might use common web protocols like HTTP/S to communicate with the CNC, which helps it blend in with normal web traffic and evade detection.
Exfiltration
Exfiltration Over Command and Control Channel (T1041): Stolen seed phrases, private keys, and other sensitive data are exfiltrated from the victim’s system to the attacker’s control panel through the established C2 communication.
Impact
Data Manipulation (T1565): While AngelX primarily focuses on draining funds from victims, the manipulation of transaction data in blockchain applications could be part of the attack’s impact.
Inhibit System Recovery (T1490): If the malware allows the attackers to take control of cryptocurrency wallets, it may inhibit recovery by locking users out of their accounts through stolen credentials.