Security researchers have warned that crypto-stealing so-called “drainer” operators and affiliates are testing new ways to stay undetected and exploit wallets.
In their report on this crime type, crypto security experts from the Security Alliance (SEAL) said that even drainer affiliates are now leveraging high-reputation domains for landing pages and payload hosting, re-registering previously legitimate domains, and deploying advanced fingerprinting.
The aim is to thwart security researchers and distribute crypto drainers, a piece of malicious JavaScript that’s loaded into phishing sites.
According to SEAL, evasion strategies differ among affiliates of a given drainer family and are not necessarily enforced at the drainer service level.
"We still observe less experienced operators attempting to brute-force their way in with quick deployments of less sophisticated stacks, prioritizing quantity (a high number of registered domains) over quality (deploying sophisticated cloaking)," the researchers added.
Meanwhile, criminals are trying to gain access to legitimate businesses running ad campaigns and deploy malvertising directly from these compromised accounts, instead of setting up their own Google Ads accounts.
What’s more, according to SEAL, attackers can target specific regions, cities, or even demographics and language preferences, while also being able to filter “unwanted” traffic such as security researchers, sandboxes, or crawlers.
The report also looked into three drainers: Inferno, Rublevka, and Eleven Drainer.
Inferno Drainer is said to have been the most active among all drainer families, while some of its deployments have begun renaming the secureproxy file, likely in an attempt to defeat fingerprint-based analysis.
"This indicates that the drainer operators and affiliates are continuously refining their techniques to evade automation, and that further investigation is required," SEAL said.
The researchers were also informed about a new drainer, Eleven Drainer, which, similar to Rublevka, publicly details its operations, even offering a BMW M4 giveaway for its top affiliate. This includes a professional interview, which also serves as an advertisement for newly launched functionalities.
SEAL shared details of one such Russian-speaking interview, saying that it addresses various aspects of affiliate activity, history, and team building. In the interview, the top affiliate, who started scamming people in 2018, claimed that their first profit was only $200 and that they now work with a few “buddies.”
Information about phishing sites can be reported via Telegram to the SEAL Phishing Bot, while drainer-related information can be shared via the SEAL Tips Bot.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked