
Seed-Phrase Extractor [ Ledger, Trezor, BitBox & More ] [ Kaspersky wrote review + article ]

The automatic escrow service can be used in this thread!

Status: Closed for further replies.

RastaFarEye
HDD-drive
Banned
Registered: 09.08.2022
Messages: 48
Reactions: 45
Please note that this user is banned.
Price $25K lifetime

What do you get with the purchase?
Uncrypted 32-bit EXE (size 95KB) written in C++ (no dependencies)
Panel Files (NodeJS backend + ElectronJS frontend)
The software only works on Windows 8/8.1, 10, or 11
Support & Updates for additional wallets at your request

What does it do?
The purpose is to get the seed-phrase of the target hardware wallet (currently MetaMask, Coinbase Wallet, Coinomi, Atomic Wallet, Exodus, BitBox, Ledger and Trezor (Web & App) are supported). When the target opens their wallet, they will see the lure page, which appears above their target wallet. The lure page follows the target wallet window whenever it is moved, resized, minimized, or closed. There is no way for the user to close the lure page, as it will always appear for them. The purpose of this is that the user will be convinced their wallet profile was wiped, and they must enter their seed-phrase to restore the status of the wallet.

After the seed-phrase is entered, it will be sent to your panel & will appear in the table of detected wallets for the target PC. After this, the lure page will never appear when the target opens their wallet again. You have the option to enable or disable the lure page appearing at any given time.

The lure page embeds itself directly into the wallet window, so the user cannot tell that the page is not a part of the wallet.

Read more about it on the Kaspersky blog -> https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/
Quote:
Our analysis of the DoubleFinger loader and GreetingGhoul malware reveals a high level of sophistication and skill in crimeware development, akin to advanced persistent threats (APTs). The multi-staged, shellcode-style loader with steganographic capabilities, the use of Windows COM interfaces for stealthy execution, and the implementation of Process Doppelgänging for injection into remote processes all point to well-crafted and complex crimeware. The use of Microsoft WebView2 runtime to create counterfeit interfaces of cryptocurrency wallets further underscores the advanced techniques employed by the malware.
- Thank you, Seryozha, for the kind words

Proof-of-Concept
up.png

Proof-of-Reward
clean.PNG

Detections
scantime: https://avcheck.net/id/Dq7biFTrCK1n (0/26)
runtime: https://scanner.to/result/gzTNO6smIJ (4/21)

Escrow is Accepted
Write in PM
 
Please note that this user is banned.
Quote:
Any cheap stealer would get the wallet files & then you can use the passwords from the logs
Hardware wallets Ledger, Trezor, BitBox store the seed phrase encrypted in the device, not on the PC. A stealer won't get anything from them. Try it yourself before saying what you think; you don't know anything.
 
So, to grab the secret phrase you are showing a clean scam page in the browser, with the URL and everything else visible to the victim. You could achieve the same thing with a normal HTML scam page lol.
DoubleFinger is using WebView to show the fake page; there is no navbar on it, neither a URL nor anything else that the user can spot with their own eyes; it acts just like the normal Trezor or Ledger user interface.
Also, from the screenshot you provided we can only see string definitions, memory allocation and some APIs which are unrelated to the core function of this tool and the abilities it can provide.

I think your product is a pure failure and not worth the price you mentioned.

In the good manner of protecting forum users from being scammed and buying non-working products, I'm calling out the admins to check all of the tools that you are selling here.
 
Quote:
So, to grab the secret phrase you are showing a clean scam page in the browser, with the URL and everything else visible to the victim. You could achieve the same thing with a normal HTML scam page lol.
DoubleFinger is using WebView to show the fake page; there is no navbar on it, neither a URL nor anything else that the user can spot with their own eyes; it acts just like the normal Trezor or Ledger user interface.
Also, from the screenshot you provided we can only see string definitions, memory allocation and some APIs which are unrelated to the core function of this tool and the abilities it can provide.

I think your product is a pure failure and not worth the price you mentioned.

In the good manner of protecting forum users from being scammed and buying non-working products, I'm calling out the admins to check all of the tools that you are selling here.

Where can I find something similar that is good?
 
Please note that this user is banned.
You are misleading people

You don't have a deposit on the forum, take it down!
yest.PNG
 
Please note that this user is banned.
Quote:
So, to grab the secret phrase you are showing a clean scam page in the browser, with the URL and everything else visible to the victim. You could achieve the same thing with a normal HTML scam page lol.
DoubleFinger is using WebView to show the fake page; there is no navbar on it, neither a URL nor anything else that the user can spot with their own eyes; it acts just like the normal Trezor or Ledger user interface.
Also, from the screenshot you provided we can only see string definitions, memory allocation and some APIs which are unrelated to the core function of this tool and the abilities it can provide.

I think your product is a pure failure and not worth the price you mentioned.

In the good manner of protecting forum users from being scammed and buying non-working products, I'm calling out the admins to check all of the tools that you are selling here.

I know, it's common that there are many people who are jealous of others' success. It's normal.

As noted in the analysis https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/

“salamvsembratyamyazadehayustutlokeretodlyagadovveubilinashusferu.” Despite the weird transliteration, it roughly translates to: “Greetings to all brothers, I’m suffocating here, locker is for bastards, you’ve messed up our area of interest.”

capture1.PNG

And then the part which calls WebView2

capture2.PNG

Me showing the overlay in Trezor Web Suite was a proof of concept for a customer who requested Trezor for Web support. Its main purpose is to overlay the EXE wallet software itself.

phant0m, go flood someone else's topic, and just for you, I will provide the proof for the overlay in the Ledger Live EXE software (non-browser/webfake or whatever beginner methods you are using)

ledger_proof.png


I welcome Quake3 and other moderators who want to look at my product to do so, so phant0m can be reminded about how smart he is
 
Please note that this user is banned.
Quote:
So it took you a few weeks to answer my question. Nice. Now you got some code and you changed it to a normal GUI window lol...
Why don't you show it in action?

Because unlike you, I am busy. I have a $100K deposit on exploit. I don't have time to write trash in every sales topic on forums.
 
Quote:
Because unlike you, I am busy. I have a $100K deposit on exploit. I don't have time to write trash in every sales topic on forums.

Pf, still small money for the "amount" of work you are putting in. Anyway, if anyone bought this, please write to me. I will reverse it and shed light on this thread. IF it's legit, I will tip $10k to the author.
 
Please note that this user is banned.
Quote:
Pf, still small money for the "amount" of work you are putting in. Anyway, if anyone bought this, please write to me. I will reverse it and shed light on this thread. IF it's legit, I will tip $10k to the author.

P.S. You missed the most important part about why your brain is like peanuts. The article by Kaspersky was published on June 12; meanwhile, my thread on Exploit.IN (https://forum.exploit.in/topic/225143/) was published on May 14
 
Please note that this user is banned.
Quote:
We all know that you work with the mods, don't worry. My offer of $10k is still up, welcome.

I reached out to Quake3 on Exploit.IN to write a review / reverse engineer this project (just as he wrote a review about the DarkGate project), so you can see that there's a reason 5 people have already bought this tool & nobody is unhappy. Nobody needs your $10K
 
Quote:
We all know that you work with the mods, don't worry. My offer of $10k is still up, welcome.

We all know that you're a fool who wants to get "something" for free. Go do something with yourself already, for crying out loud. If you want to go black hat, then just say so. Stupid white hat
 
Quote:
We all know that you're a fool who wants to get "something" for free. Go do something with yourself already, for crying out loud. If you want to go black hat, then just say so. Stupid white hat

Lolz, chill dude :') I said I will tip him $10k if he provides me a sample of his "stealer". I will reverse it, I don't need it for free ;)
 
Quote:
Lolz, chill dude :') I said I will tip him $10k if he provides me a sample of his "stealer". I will reverse it, I don't need it for free ;)

Who the hell needs your 10k, if any expert or moderator can do it for free? You were clearly told that he will give it to Quake3.
 
Please note that this user is banned.
Quote:
Lolz, chill dude :') I said I will tip him $10k if he provides me a sample of his "stealer". I will reverse it, I don't need it for free ;)

But nobody needs your $10K. Also, the price is $25K, not $10K; there are no discounts.
 