Lazarus hits cryptocurrency exchange with fake installer and macOS malware

Kaspersky Lab has been assisting with incident response efforts. While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email. It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate looking website and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to. There have been multiple reports on the reappearance of Fallchill, including one from US-CERT.

To ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including macOS. A version for Linux is apparently coming soon, according to the website. It’s probably the first time we have seen this APT group using malware for macOS.

The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms.

Trojanized cryptocurrency trading application

Thanks to Kaspersky Lab’s malicious-behavior detection technology, implemented in its endpoint security software, we were able to reassemble the stages of infection and trace them back to their origin. This helped us understand that one of Lazarus’ victims was infected with malware after installing a cryptocurrency trading program. We also confirmed that the user installed this program via a download link delivered over email.

Trojanized trading application for Windows

Including malicious code in distributed software and putting that on a website would be too obvious. Instead, the attackers went for a more elaborate scheme: the trojan code was pushed out in the form of an update for a trading application.

A legitimate-looking application called Celas Trade Pro from Celas Limited showed no signs of malicious behaviour and looked genuine. This application is an all-in-one style cryptocurrency trading program developed by Celas.

Screenshot of Celas Trade Pro

When we started this research, any user could download the trading application from the Celas website. Checking the installation package downloaded from the website confirmed the presence of a very suspicious updater.

Installation package download page

We have analyzed the following Windows version of the installation package:

MD5: 9e740241ca2acdc79f30ad2c3f50990a
File name: celastradepro_win_installer_1.00.00.msi
File type: MSI installer
Creation time: 2018-06-29 01:16:00 UTC

At the end of the installation process, the installer immediately runs the Updater.exe module with the “CheckUpdate” parameter. This file looks like a regular tool and most likely will not arouse the suspicion of system administrators. After all, it even contains a valid digital signature, which belongs to the same vendor. But the devil is in the detail, as usual.

The code writer developed this project under the codename “jeus”, which was discovered in a PDB path included in the updater and is used as a unique HTTP multipart message data separator string. Because of this, and the fact that the attacked platforms include Apple macOS, we decided to call this Operation AppleJeus.

Properties of the shady updater tool included in the package are:

MD5: b054a7382adf6b774b15f52d971f3799
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Known file name: %Program Files%\CelasTradePro\Updater.exe
Link Time: 2018-06-15 10:56:27 UTC
Build path: Z:\jeus\downloader\downloader_exe_vs2010\Release\dloader.pdb

The main purpose of Updater.exe is to collect the victim’s host information and send it back to the server. Upon launch, the malware creates a unique string with the format string template “%09d-%05d” based on random values, which is used as a unique identifier of the infected host. This malware collects process lists, excluding “[System Process]” and “System” processes and gets the exact OS version from the registry value at “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion”. It seems that such values only exist from Windows 10, so we assume that the author developed and tested it on Windows 10.

  • ProductName: Windows OS version
  • CurrentBuildNumber: Windows 10 build version
  • ReleaseID: Windows 10 version information
  • UBR: Sub version of Windows 10 build
  • BuildBranch: Windows 10 build branch information

The code encrypts the collected information with the hardcoded XOR key (“Moz&Wie;#t/6T!2y“) before uploading it to the server.

Data encryption routine

The code sends the victim’s information to a webserver using HTTP and the following URL:
www.celasllc[.]com/checkupdate.php

The server is a legitimate looking website owned by the developer of the program: Celas LLC. At this point we were not able to conclude with high confidence whether the server was compromised by the threat actor or had belonged to the threat actor from the beginning. To learn more about the server, please read the “Infrastructure” section below.

The malware used a hardcoded User-Agent string “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)” and a fixed multipart form data separator string “jeus“.

Encryption and a custom separator string would not be a red flag in a legitimate application, but sending a request with the context-irrelevant string “get_config”, as well as uploading collected system information as “temp.gif”, mimicking a GIF image with a magic number in the header, definitely made us raise our eyebrows.

Communication with the C2 server

After successfully uploading data, the updater checks the server response. If the server responds with HTTP code 300, it means the updater should keep quiet and take no action. However, if the response is HTTP code 200, it extracts the payload with base64 and decrypts it using RC4 with another hardcoded key (“[email protected]%Df324V$Yd“). The decrypted data is an executable file that is prepended with the “MAX_PATHjeusD” string.

During our research, we found other similar files. One was created on August 3rd and another on August 11th. The PDB path shows that the author keeps improving this updater tool, apparently forked from some stable version released on July 2, 2018 according to the internal directory name.

Additional trojanized sample #1:

Installation package MD5: 4126e1f34cf282c354e17587bb6e8da3
Package creation date: 2018-08-03 09:57:29
Dropped updater MD5: ffae703a1e327380d85880b9037a0aeb
Updater creation date: 2018-08-03 09:50:08
Updater build path: H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000009\Release\dloader.pdb

Additional trojanized sample #2:

Installation package MD5: 0bdb652bbe15942e866083f29fb6dd62
Package creation date: 2018-08-13 0:12:10
Dropped updater MD5: bbbcf6da5a4c352e8846bf91c3358d5c
Updater creation date: 2018-08-11 7:28:08
Updater build path: H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000006\Release\dloader.pdb

Note the TManager directory in the PDB paths above. It will pop up again in another unexpected place later.

Trojanized trading program for macOS

For macOS users, Celas LLC also provided a native version of its trading app. A hidden “autoupdater” module is installed in the background to start immediately after installation, and after each system reboot. It keeps contacting the command and control (C2) server in order to download and run an additional executable from the server. The communication conforms to the Windows version of the updater and is disguised as an image file upload and download, while carrying encrypted data inside.

We have analyzed the following installation file:

MD5: 48ded52752de9f9b73c6bf9ae81cb429
File Size: 15,020,544 bytes
File Type: DMG disk image
Known file name: celastradepro_mac_installer_1.00.00.dmg
Date of creation: 13 July 2018

Once the Celas Trade Pro app is installed on macOS, it starts the Updater application on the system load via a file named “.com.celastradepro.plist” (note that it starts with a dot symbol, which makes it unlisted in the Finder app or default Terminal directory listing). The “Updater” file is passed the “CheckUpdate” parameter on start.

Celas Trade Pro app plist file (Apple Property List)

The command-line argument “CheckUpdate” looks redundant from a code analysis perspective: there is no other argument that the application expects. In the absence of all arguments, it doesn’t do anything and quits. This may or may not be a way to trick sandboxes that could automatically execute this trojan updater, with no suspicious activity produced without such a “secret” extra argument. The choice of a benign string such as “CheckUpdate” helps it to hide in plain sight of any user or administrator looking into running processes.

The trojanized updater works similarly to the Windows version in many ways. Both applications are implemented using the cross-platform Qt framework. Upon launch, the downloader creates a unique identifier for the infected host using a “%09d-%06d” format string template. Next, the app collects basic system information, which for macOS is done via dedicated Qt classes:

  • Host name
  • OS type and version
  • System architecture
  • OS kernel type and version

The process of encrypting and transferring data is the same as in the Windows version. This information is XOR-encrypted with the hardcoded 16-byte static key “Moz&Wie;#t/6T!2y”, prepended with a GIF89a header and uploaded to the C2 server via HTTP POST to the following URL:

https://www.celasllc[.]com/checkupdate.php

POST request template strings

The module relies on a hardcoded User-Agent string for macOS:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
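
The upload format described for both the Windows and macOS updaters (fixed “jeus” separator, a “get_config” value, and a “temp.gif” part made of a GIF89a header followed by XOR-encrypted host data) can be checked and decoded from a captured request body. The following Python sketch is an added example, not code from the original report; it assumes a plain repeating-key XOR, and the form field names “action” and “file” and the sample host data are constructed for illustration.

```python
import re

XOR_KEY = b"Moz&Wie;#t/6T!2y"   # 16-byte XOR key quoted in the report
GIF_MAGIC = b"GIF89a"           # header placed in front of the encrypted blob
BOUNDARY = b"jeus"              # fixed multipart separator quoted in the report


def xor_crypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR (assumed mode); the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def split_multipart(body: bytes, boundary: bytes):
    """Return [(disposition_params, content)] for each multipart/form-data part."""
    parts = []
    # Every delimiter is CRLF + "--" + boundary; prepend CRLF so the first matches.
    for chunk in (b"\r\n" + body).split(b"\r\n--" + boundary)[1:]:
        if chunk.startswith(b"--"):       # closing delimiter "--boundary--"
            break
        head, sep, content = chunk.partition(b"\r\n\r\n")
        if not sep:
            continue                      # malformed part without a header break
        params = dict(re.findall(rb'(\w+)="([^"]*)"', head))
        parts.append((params, content))
    return parts


def looks_textual(data: bytes) -> bool:
    """True when at least 90% of the bytes are printable ASCII or whitespace."""
    if not data:
        return False
    ok = sum(32 <= c < 127 or c in (9, 10, 13) for c in data)
    return ok / len(data) >= 0.9


def triage(content_type: str, body: bytes) -> dict:
    """Score one captured POST body against the traits listed in the report."""
    result = {"indicators": [], "decoded": None, "textual": False}
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return result
    boundary = m.group(1).encode()
    if boundary == BOUNDARY:
        result["indicators"].append("boundary=jeus")
    for params, content in split_multipart(body, boundary):
        if content.strip() == b"get_config":
            result["indicators"].append("get_config value")
        if params.get(b"filename") == b"temp.gif" and content.startswith(GIF_MAGIC):
            result["indicators"].append("temp.gif with GIF89a magic")
            result["decoded"] = xor_crypt(content[len(GIF_MAGIC):])
            result["textual"] = looks_textual(result["decoded"])
    return result


def build_constructed_request(host_info: bytes):
    """Constructed sample request; field names 'action' and 'file' are assumptions."""
    body = (
        b"--jeus\r\n"
        b'Content-Disposition: form-data; name="action"\r\n\r\n'
        b"get_config\r\n"
        b"--jeus\r\n"
        b'Content-Disposition: form-data; name="file"; filename="temp.gif"\r\n'
        b"Content-Type: image/gif\r\n\r\n"
        + GIF_MAGIC + xor_crypt(host_info)
        + b"\r\n--jeus--\r\n"
    )
    return "multipart/form-data; boundary=jeus", body


if __name__ == "__main__":
    # Constructed host data shaped like the "%09d-%05d" identifier plus OS details.
    sample = b"000012345-01234\nWindows 10 Pro 17134\nexplorer.exe\n"
    ctype, body = build_constructed_request(sample)
    report = triage(ctype, body)
    print(report["indicators"])
    print(report["decoded"].decode())
```

A request that shows all three indicators and decodes to readable text is a strong match; a real GIF uploaded under the same file name decodes to noise and leaves “textual” false.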

Once the server replies, the updater checks the HTTP response code. HTTP response code 300 indicates that the server has no task for the updater, and the application terminates immediately. If the HTTP response is code 200, the updater takes the data in the response, decodes it from base64 encoding and decrypts it using RC4 with the hardcoded static key “[email protected]%Df324V$Yd“. It calculates the MD5 of the decoded and decrypted data and compares it to a value stored inside to verify the integrity of the transferred file. After that, it extracts the payload, saves it to the hardcoded file location “/var/zdiffsec“, sets executable permissions for all users and starts the app with another secret hardcoded command-line argument, “bf6a0c760cc642“. Apparently the command-line argument is the way to prevent the detection of its malicious functionality via sandboxes or even reverse engineering. We have previously seen this technique adopted by Lazarus group in 2016 in attacks against banks. As of 2018, it is still using this in almost every attack we investigated.

Downloaded payload

According to data from Kaspersky Security Network, the threat actor delivered the malicious payload using one of the shadowy updaters described above. We found a malicious file created at the same host:

MD5: 0a15a33844c9df11f12a4889ae7b7e4b
File Size: 104,898,560 bytes
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Known file name: C:\Recovery\msn.exe
Link time: 2018-04-19 13:30:19

Note the unusually large size for an executable file. We believe that it was inflated with junk data on purpose to prevent easy download or transfer over the internet.

Searching for the reason for the malware’s appearance on the system revealed that there was an additional process responsible for producing several files before this malware was launched, suggesting a trojan dropper in action. The main function of this malware is to implant the Fallchill backdoor loader linked to several files. Upon launch, the malware checks one of the command-line arguments passed to it. The malware chooses one of the service names located in the following registry value as a disguise:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs

This value includes a list of several dozen standard system service names.

The randomly chosen service name is used to name the dropped file and newly registered Windows service. Let’s refer to this randomly chosen service name as [service]. The malware contains references to several files inside:

  • The file passed as argument: contains a 16-byte key
  • msncf.dat: Encrypted configuration data
  • msndll.tmp: Encrypted Fallchill loader
  • msndll.dat: Encrypted Fallchill backdoor (payload for the loader)
  • [service]svc.dll: Fallchill backdoor loader
  • [service].dat: Copy of msndll.dat

A mix of the above-mentioned files produces the final backdoor known as Fallchill. A more detailed procedure for technical specialists is as follows:

  1. Check whether the command-line argument points to a file of 16 byte size.
  2. Read the file passed via the command-line argument. The content of this file is a crypto key, which we will call the main key.
  3. Open the msncf.dat file (configuration file). If the file size equals 192 bytes, read the content of the file.
  4. Open msndll.tmp file and decrypt it using the main key.
  5. Create the [service]svc.dll file and fill it with pseudo-random data.
    1. The malware fills the file with 10,240 bytes of pseudo-random data, and iterates (rand() % 10 + 10240) times. This is why it produces files which are at least 104,851,000 bytes.
  6. Copy the 16-byte main key at the end of the [service]svc.dll file.
  7. Encrypt the [service].dat file name with the main key and append it at the end of [service]svc.dll.
  8. Overwrite the beginning of [service]svc.dll with data decrypted from msndll.tmp.
  9. Move msndll.dat file to [service].dat.
  10. Delete temporary files: msndll.tmp, msncf.dat, msndll.log.
  11. Timestamp [service]svc.dll and [service].dat files.
  12. Register [service]svc.dll as a Windows service.
  13. Save a copy of data from msncf.dat file in the following registry value
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description.

Infection process diagram

Fallchill backdoor loader

We confirmed that the following malware was created on the infected host using the method described above:

Fallchill backdoor loader:

MD5: e1ed584a672cab33af29114576ad6cce
File Size: 104,878,356 bytes
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Known file name: C:\Windows\system32\uploadmgrsvc.dll
Link time: 2018-01-18 01:56:32

Encrypted Fallchill backdoor:

MD5: d8484469587756ce0d10a09027044808
File Size: 143,872 bytes
File Type: encrypted data
Known file name: C:\Windows\system32\uploadmgr.dat

Upon starting, uploadmgrsvc.dll reads 276 bytes from the end of its own executable file. The first 16 bytes of this 276-byte data are used as a decryption key, and the remaining 260 bytes contain the encrypted file path used by the backdoor.

Data at the end of the loader module

After decryption of the last 260-bytes, the malware retrieves the name or path of the file that contains the actual backdoor body in encrypted form.

Decrypted file name in the end of loader module
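
The padding arithmetic in step 5 of the dropper procedure and the 276-byte trailer read back by the loader give a simple file-size check for hunting: a loader built this way is 10,240 × n + 276 bytes long with n between 10,240 and 10,249, which is exactly what the loader size listed above (104,878,356 bytes, n = 10,242) works out to. The following Python sketch is an added example, not tooling from the original report; it assumes the decrypted loader is shorter than the padded file, so overwriting the beginning does not change the size, and the trailer bytes in the demo are constructed.

```python
import os

CHUNK = 10_240                       # bytes of pseudo-random data per iteration
MIN_ITER, MAX_ITER = 10_240, 10_249  # range of rand() % 10 + 10240
KEY_LEN, PATH_LEN = 16, 260          # trailer layout read back by the loader
TRAILER = KEY_LEN + PATH_LEN         # 276 bytes


def padding_iterations(size: int, trailer: int = 0):
    """Return n if size == CHUNK * n + trailer with n in range, else None."""
    body = size - trailer
    if body <= 0 or body % CHUNK:
        return None
    n = body // CHUNK
    return n if MIN_ITER <= n <= MAX_ITER else None


def loader_size_range():
    """Smallest and largest size a padded file with trailer can have."""
    return CHUNK * MIN_ITER + TRAILER, CHUNK * MAX_ITER + TRAILER


def classify_size(size: int):
    """Label a file size against the padding scheme described in the report."""
    n = padding_iterations(size, TRAILER)
    if n is not None:
        return ("loader-like", n)        # padding plus key/path trailer
    n = padding_iterations(size)
    if n is not None:
        return ("padded-no-trailer", n)  # same padding arithmetic, no trailer
    return ("no-match", None)


def split_trailer(tail: bytes):
    """Split the last 276 bytes into (16-byte key, 260-byte encrypted path)."""
    if len(tail) < TRAILER:
        raise ValueError("need at least 276 bytes")
    tail = tail[-TRAILER:]
    return tail[:KEY_LEN], tail[KEY_LEN:]


def inspect_file(path: str) -> dict:
    """Read only the size and the tail of a file; the body is never loaded."""
    size = os.path.getsize(path)
    verdict, n = classify_size(size)
    info = {"size": size, "verdict": verdict, "iterations": n,
            "key_hex": None, "enc_path": None}
    if size >= TRAILER:
        with open(path, "rb") as fh:
            fh.seek(-TRAILER, os.SEEK_END)
            key, enc_path = split_trailer(fh.read(TRAILER))
        info["key_hex"] = key.hex()
        info["enc_path"] = enc_path      # still encrypted; cipher not given here
    return info


if __name__ == "__main__":
    # Sizes taken from the file properties listed in the report.
    for label, size in [("uploadmgrsvc.dll", 104_878_356),
                        ("msn.exe", 104_898_560),
                        ("uploadmgr.dat", 143_872)]:
        print(label, classify_size(size))
    print("size window:", loader_size_range())
```

The size test is only a triage filter for very large DLLs registered as services; the extracted key and encrypted path are returned so they can be compared across samples.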

The malware reads the specified file and decrypts it using the same decryption routine. This is how the executable code of the backdoor is produced in memory and executed by the loader. Below is the meta information about the decrypted final payload in memory:

MD5: d7089e6bc8bd137a7241a7ad297f975d
File Size: 143,872 bytes
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Link Time: 2018-03-16 07:15:31

We can summarize the Fallchill backdoor loading process as follows:

Loading the Fallchill backdoor

As mentioned previously, the final payload belongs to a Fallchill malware cluster formerly attributed to the Lazarus APT group. Upon launching, this malware resolves the API function addresses at runtime, and reads the C2 server address from the registry value created during the installation stage:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description

If there is no configuration value, the malware falls back to a default C2 server address.

  • 196.38.48[.]121
  • 185.142.236[.]226

This is a full-featured backdoor that contains enough functions to fully control the infected host. Some of its network protocol commands are described below.

Command ID Description
0x8000 Write current time and configuration data to registry key
0x8001 Send configuration data
0x8002 Replace configuration data in the fixed registry value
0x8003 Execute Windows command, store output in temp file and upload contents to C2
0x8006 Show current working directory
0x8007 Change current working directory
0x8008 Collect process information
0x8009 Terminate process
0x8010 Start new process
0x8011 Create process with security context of the current user
0x8012 Connect to specified host/port
0x8013 Get drive information
0x8014 Directory listing
0x8015 Search a file
0x8019 Write data to a specified file
0x8020 Read contents of specified file and upload to C2 server
0x8021 Compress multiple files to a temp file (name starts with ZD) and upload to C2
0x8023 Wipe specific file
0x8025 Copy file time from another file time (timestamping)
0x8026 Shutdown malware service and self-delete
0x8043 Send “Not Service” unicode string to C2 server (communication test?).

This set of capabilities is very common for many Lazarus backdoors, which have been seen in other attacks against banks and financial industry in the past years.

Infrastructure

While working on the incident of the cryptocurrency company’s breach, we were curious about the legal status of the Celas LLC company that developed this trojanized trading application.

Celas LLC main homepage.

The website had a valid SSL certificate issued by Comodo CA. However, note that the certificate from this webserver mentions “Domain Control Validated”, which is a weak security verification level for a webserver. It does not mean validation of the identity of the website’s owner, nor of the actual existence of the business. When certification authorities issue this kind of certificate they only check that the owner has a certain control over the domain name, which can be abused in certain ways.

Below is the WHOIS record of the “celasllc.com” domain. The domain name was registered by an individual named “John Broox” with registrant email address “[email protected][.]com”.

The same name of “John Broox” was used inside the installation package of the macOS version of the trading application. The Info.plist properties file describes the package as follows:

It looks at first sight like a legitimate WHOIS record, but something doesn’t really add up here. The domain celasllc.com was the only domain registered with this email address and was exclusively used for domain registration.

The registrant used the Domain4Bitcoins service to register this domain, apparently paying with cryptocurrency. According to open-source intelligence, the address of the WHOIS information is fake, unless it’s the owner of a ramen shop running a cryptocurrency exchange software development studio on the side.

View of the location referred in the WHOIS record. Image source: Google Maps.

The server hosting celasllc.com (185.142.236.213) belongs to the Blackhost ISP in the Netherlands.

WHOIS record of celasllc.com server

Coincidentally, the Fallchill malware authors also preferred to use the same hosting company to host their C2 server. Moreover, the Celas LLC web server and one of the C2 servers of the Fallchill malware are located in the same network segment of this ISP:

  • Celas LLC infrastructure:
    • 185.142.236.213: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Fallchill malware C2 server:
    • 196.38.48[.]121: South Africa Internet Solutions AS3741
    • 185.142.236[.]226: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Additional attacker’s server from telemetry
    • 80.82.64[.]91: Seychelles Incrediserve Ltd AS29073
    • 185.142.239[.]173: Netherlands Blackhost Ltd. AS174 COGENT-174

However, when you look into Celas Trading Pro application’s digital signature, including its “Updater”, you will find that this certificate was also issued by Comodo CA, which refers to a company address in the United States.

According to open-source data, this address doesn’t belong to a real business, and looks on maps like a meadow with a small forest and small real estate offering nearby.

Location of Celas LLC, according to its digital certificate

Real estate history of that address

Pivoting the infrastructure a little further brings up some more suspicious things. It appears that the domain referred to two IPs, one of which was linked to a few other suspicious domains, according to PassiveDNS.

Celas LLC linked infrastructure

The owners of the linked infrastructural elements preferred to use several interesting services for hosting domain registration. All these service providers offer a certain level of anonymity to their customers. Most of them accept Bitcoins as a main payment method to keep their customers anonymous. This is very uncommon for companies running a legitimate business.

Hosting services linked to Celas LLC:

  • Blackhost (https://black.host/)
  • Liberty VPS (https://libertyvps.net/)

Domain registration services linked to Celas LLC:

  • Domains4Bitcoins (https://www.domains4bitcoins.com/)
  • NameCheap (https://www.namecheap.com/)
  • ChangeIP (https://www.changeip.com/)
  • Njalla (https://njal.la/)

All the facts above can make the more sceptical among us doubt the intentions of Celas LLC and the legitimacy of this business. Of course, these facts alone would not be enough to accuse Celas LLC of committing a crime.

Attribution

Kaspersky Lab has previously attributed the Fallchill malware cluster to Lazarus group when it attacked the financial sector around the world. It was also confirmed by other security vendors, and by the US national CERT.

RC4 key from the older Fallchill

Fallchill malware uses an RC4 algorithm with a 16-byte key to protect its communications. The key extracted from the Fallchill variant used in the current attack is DA E1 61 FF 0C 27 95 87 17 57 A4 D6 EA E3 82 2B.

Current RC4 key of Fallchill

We were able to confirm that some older Fallchill malware variants used exactly the same RC4 key. Below are Fallchill malware samples that used the same key (the compilation timestamp may indicate the date of malware creation).

MD5 Timestamp
81c3a3c5a0129477b59397173fdc0b01 2017-05-26 23:37:04
6cb34af551b3fb63df6c9b86900cf044 2017-06-09 17:24:30
21694c8db6234df74102e8b5994b7627 2017-11-07 17:54:19
5ad7d35f0617595f26d565a3b7ebc6d0 2015-10-24 01:52:11
c501ea6c56ba9133c3c26a7d5ed4ce49 2017-06-09 03:59:43
cafda7b3e9a4f86d4bd005075040a712 2017-11-07 17:54:33
cea1a63656fb199dd5ab90528188e87c 2017-06-12 19:25:31
6b061267c7ddeb160368128a933d38be 2017-11-09 17:18:06
56f5088f488e50999ee6cced1f5dd6aa 2017-06-13 08:17:51
cd6796f324ecb7cf34bc9bc38ce4e649 2016-04-17 03:26:56

Same C2 server with older Fallchill

We have confirmed that the C2 server addresses (196.38.48[.]121, 185.142.236[.]226) used in this attack have been used by the older variant of Fallchill.

MD5 Timestamp
94dfcabd8ba5ca94828cd5a88d6ed488 2016-10-24 02:31:18
14b6d24873f19332701177208f85e776 2017-06-07 06:41:27
abec84286df80704b823e698199d89f7 2017-01-18 04:29:29

Overlap of C2 infrastructure

Apparently, the attackers using the Fallchill malware continue to reuse code and C2 server infrastructure over and over again.

According to Kaspersky Security Network, Fallchill was not the only malware used in this attack. There was another backdoor that was used by the threat actor. We omit a full description of this backdoor in the current report to keep the write-up to an acceptable length, but we would like to highlight two important things discovered in it. First, this backdoor was created on 2018-07-12 and revealed an already familiar directory, “TManager”, which we previously saw in the Updater.exe application from the Celas Trading Pro suite:

H:\DEV\TManager\all_BOSS_troy\T_4.2\T_4.2\Server_\x64\Release\ServerDll.pdb

Second, what is probably one of the most interesting findings to come from this additional backdoor was discovered hidden in hardcoded headers used to communicate with C2 server. The Accept-Language HTTP header string revealed a language code associated with North Korea. In our experience, this is something we normally don’t see in malware.

Accept-Language: ko-kp,ko-kr;q=0.8,ko;q=0.6,en-us;q=0.4,en;q=0.2

Accept-Language HTTP header value in the body of the backdoor

Conclusions

The Lazarus APT group’s continuous attacks on the financial sector are not much of a surprise to anyone. A lot of research has been done and published about such attacks. However, we think this case makes a difference. Recent investigation shows how aggressive the group is and how its strategies may evolve in the future.

First of all, Lazarus group has entered a new platform: macOS. There is steadily growing interest in macOS from ordinary users, especially in IT companies. Many developers and engineers are switching to using macOS. Apparently, in the chase after advanced users, software developers from supply chains and some high profile targets, threat actors are forced to have macOS malware tools. We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once.

We cannot say with full certainty whether Celas LLC was compromised and the threat actor abused it to push malware through an update mechanism. However, the multiple successful Lazarus attempts to compromise supply chain companies suggest that it will keep exploring this infection method. From all angles, the Celas LLC story looks like the threat actor has found an elaborate way to create a legitimate looking business and inject a malicious payload into a “legitimate looking” software update mechanism. Sounds logical: if one cannot compromise a supply chain, why not make a fake one?

This should be a lesson to all of us and a wake-up call to businesses relying on third-party software. Do not automatically trust the code running on your systems. Neither a good-looking website, nor a solid company profile, nor digital certificates guarantee the absence of backdoors. Trust has to be earned and proven. Stay safe!


New Idexo Zapier Integration Connects Over 5000 Web2 Applications to Web3 Unlocking Thousands of NFT Innovation Use Cases

idexo is pleased to announce that it has successfully completed an integration with Zapier, enabling any app that connects to Zapier to connect to the blockchain and web3 across many different chains, and unlocking many thousands of new NFT innovation use cases. The idexo Zapier integration has launched in Beta phase and is available in the Zapier App Directory.

Applications of this integration include:

  • Mint an NFT any time a new row is added to a Google Sheet
  • Mint an NFT with an Email
  • Mint and gift new NFTs as part of drip marketing campaigns
  • Autogenerate early user Soulbound Tokens and participation-based NFTs based on product usage and other customer milestones
  • Trigger NFT mints on a time-based schedule or via webhook action from any application
  • Turn web2 tickets into web3 tickets
  • Create smart contracts via Google Form, Typeform, Wufoo, Gravity Forms and others
  • Create new NFT surveys and responses via any connected web form or survey application
  • Create new decentralized Business Intelligence and Reporting applications using NFTs
  • Create automated workflows that create NFT collections and NFTs within them and promote them on social media
  • Create audio NFTs from voice calls
  • Instantly back up new files from Google Drive, Dropbox and others to permanent decentralized storage on Arweave
  • Generate quotes and proposals as shareable NFTs
  • Autogenerate access and membership NFTs from traditional transactions
  • Organize journals and photos into NFT collections
  • Turn NFTs into printed items such as posters and t-shirts

How anyone can get started using this integration:

  • Register an idexo account
  • Find API key – this is what you need to enter when accessing your Zap
  • Add transaction credits and use them to purchase method credits necessary for making the integration transactions
  • Connect your Zaps using the Zapier interface. To try a simple one, connect a Google Sheet and trigger a new contract deployment and/or NFT mint using a new row in a sheet, or use a webform integration to create them using a simple form.
  • For smart contracts deployed, you can find them under the Contracts tab in the idexo app dashboard. For individual transactions such as minting NFTs, these will appear as a log under the API section under account settings.
  • If desired, set-up a trial account for one of idexo’s monthly plans to access advanced SaaS features and enhanced support

To support the creation of Zap templates, idexo will be holding an idexo Zap hackathon with details and dates to be announced soon.

“From our founding idexo has been focused on simplifying the process of integrating blockchain features into regular applications, opening up NFT innovation to the broader market of creative entrepreneurs,” says Greg Marlin, CEO/CTO of idexo, “We started with simplifying everything down to one line of code and straightforward naming back in early 2021. We’ve always strived to make it easy for anyone, including non-coders to achieve great applications. This aligns perfectly with Zapier’s mission to help people build no-code applications and they’ve done an amazing job of enabling that and attracting such a large number of connected apps. We’re excited to see what people build with these new integrations that connect the Zapier ecosystem with an ever-growing idexo library of available smart contracts, layer 1 and layer 2 blockchains, and web3 and NFT integrations.”

To get started with the idexo Zapier integration, users can first register a free account to obtain an API key and add the necessary transaction and method credits to perform transactions. For more information, users and companies can find documentation links and book a guided demo on the idexo website.

ABOUT IDEXO

Idexo envisions a world where decentralized applications pervade every industry in the $88Trillion/year world economy the way the Internet does.

Idexo’s mission is to empower innovators to create these industry-disrupting applications.

Win $150,000 USDT with CoinFloww Beta Launch

Digital asset trading has long suffered due to high crypto exchange transaction fees, regulatory hurdles by regulators, and stringent crypto exchange rules. Then came CoinFloww, the most advanced digital asset exchange.

Based on the world-class digital asset exchange technology, CoinFloww is proud to launch at a time when crypto exchanges are fighting for rights and struggling with a fraught market.

The team behind CoinFloww Exchange is constantly improving our UX and UI so our users can have extraordinary trade experiences. Our new UX and UI design of CoinFloww will be updated soon.

Rather than profiteering on crypto startups, CoinFloww is on a mission to nurture and patronise upcoming projects. CoinFloww does not charge any listing fee and offers reasonable promotional packages.

Derivative users are often left behind in the crypto ecosystem, but CoinFloww Exchange is a platform that truly caters to derivative traders with up to 300x leverage.

CoinFloww is not just a digital asset exchange; it is more than that. Besides typical digital asset exchange functions, CoinFloww has a roadmap of becoming a one-stop application for the crypto user to gain financial freedom.

CoinFloww has recently announced its whopping 150k USD prize pool. Any CoinFloww user can participate in the CoinFloww Bug Bounty Program to win our prize pool of $150,000.

ChocoDoge isn’t Just a Game, it’s a Complete Ecosystem with Exciting Opportunities

The last few years have witnessed a tremendous rise in the GameFi space in terms of revenue and user base. We now have several popular titles, but the craze for most of these tends to subside after a while. It’s mainly because these are centered around the game and do not focus on the other aspects of the domain. And this led to the creation of ChocoDoge, an NFT GameFi project on the Dogechain.

ChocoDoge is an NFT GameFi project on Dogechain. But that is only the tip of the iceberg. To guarantee the project’s long-term stability and financial security, the ChocoDoge team additionally provides DeFi products with alluring profit margins.

The team at ChocoDoge has developed an extensive project encompassing the various domains in the space. In addition to the NFT game, users can benefit from several DeFi products offering excellent returns on the ChocoDoge ecosystem. There are bonds, a dedicated bank, and farms, but one that has been actively promoted by the team and provides considerable returns is Staking. And that’s what we will be focussing on here.

Staking on ChocoDoge

Staking is when you lock crypto assets for a set period of time to help support the operation of a blockchain and earn passive income. The idea is simple: users deposit their holdings (or even a part of them) into the staking pool and are then required to validate transactions. It works because users have their investments at stake, and any mistake or mischievous activity on their part will tend to affect their holdings as well. It keeps them going and instills a sense of responsibility. The person doing this is referred to as the validator and earns steady rewards from the blockchain for the contribution.

But you don’t necessarily need to verify transactions or be actively involved to earn the staking rewards. DeFi projects, these days, offer investors the option to simply stake their holdings and, in turn, receive a steady stream of rewards. And there’s generally a locking period before which the holdings can’t be withdrawn from the pool.

ChocoDoge, too, works on the same idea, the only difference being that the staking process is a lot simpler and delivers a higher return. It can ensure that by employing advanced protocols and building a token-based economy where the supply is favorably modified automatically based on the market trends.

Another aspect that makes staking on ChocoDoge profitable is that users stake USCD while they receive USDC’s rate of return. USDC is one of the popular stablecoins pegged to the US dollar, with a market cap of $54 billion, and is managed by members from Coinbase and Bitmain. And the best part: there’s no locking period on ChocoDoge. So users can withdraw their holdings from the staking pool at will, though the key is to leave the funds for a more extended period to earn higher returns.

The details for Staking Season 1 are as follows:

From: 2022/09/10, 00:00 GMT
To: 2022/09/24 00:00 GMT
Token to be staked: USCD
Rewards: 50,000 USDC

So, go ahead and stake as much USCD as you can to earn the best returns in the market, and in the form of the USDC stablecoin at that, considered one of the safest investments.

About the ChocoDoge Bank

The ChocoDoge bank allows CD holders to stake their tokens and earn rewards in the form of USCD after each epoch if the Time-weighted Average Price of USCD is greater than that of USDC. The duration of each epoch on ChocoDoge is 4 hours, and actions undertaken here lead to 12-epoch locks for withdrawing CD tokens, while for USCD, the lock period is 6 epochs.

USCD is not a stablecoin backed by fiat or cryptocurrency; the token has employed advanced protocols and stability mechanisms to ensure a $1 peg. After the initial expansion and the project acquiring relative stability, the USCD token will also facilitate transactions, including in-game and in-app purchases.

Holding a CD or the ChocoDoge Share provides several other benefits. The primary is voting on critical changes to the platform, including bonuses and rewards. Since ChocoDoge works as a DAO, anyone holding a CD will have the right to vote. If you possess the right intellect and experience to navigate the project through the initial phase to success, acquire as many CD tokens as you can, and become a prominent voice in the community. And remember, the total supply of ChocoDoge Share is capped at 200,000.

To find out more about ChocoDoge, visit the official website: https://chocodoge.dog/

Also, follow ChocoDoge on social channels to stay updated with the latest developments and releases.

Twitter: https://twitter.com/ChocoDoge_
Telegram (Group): https://t.me/ChocoDogeChat
Telegram (Announcement Channel): https://t.me/chocodogechannel
YouTube: https://www.youtube.com/channel/UCSQineQdatnjXM9o91wqahA

Crypto E-Commerce – Shopping.io Introduces $SHOP Back

Crypto E-commerce giant, Shopping.io is streamlining its operations. On September 9th 2022, Shopping.io will be airdropping its new native utility token – $SHOP to the holders of $SPI and $GSPI. To celebrate the launch, Shopping.io is hosting multiple events offering major benefits including 20% $SHOP back rewards and exciting giveaways!

Shop Online Using Nothing but Crypto!

In 2020, retail e-commerce sales worldwide topped $4.28 trillion, according to Statista, a 27.6% increase on the previous year. By 2022, e-retail revenue is projected to grow to an impressive $5.4 trillion, as consumers move more of their shopping online. In addition, as of 2021, there are over 300 million crypto users worldwide and over 18,000 businesses that have already begun accepting cryptocurrencies as forms of payment.

September 2020 – Shopping.io launches version 1.0 of its platform giving holders the ability to pay for concierge online shopping services with their crypto for the first time. The website enabled purchases of tangible goods via major retailers such as Amazon, eBay and Walmart, delivering to a handful of destinations around the globe. The platform’s traction was instantly recognizable even with its limited functionality and was the proof-of-concept Shopping.io needed in order to justify its growth.

Fast forward two years and Shopping.io has two native utility tokens, $SPI and $GSPI (with another merged utility token on the way), an NFT set, and a plethora of new payment options under its belt, including Binance Pay, Crypto.com, Coinbase Commerce and Utrust. These major developments were also accented by the increase in the number of destinations orders could be sent to.

Shopping.io is now on the cusp of its biggest development to date. Following months of work and testing, Shopping.io is upgrading its platform and launching a more robust, well-rounded ecosystem consisting of a Metaverse mall titled The Shopverse and a Shopping.io web extension facilitating purchases through almost every online store. This overhaul, however, would be incomplete without the release of Shopping.io’s new native token: $SHOP!

Introducing the $SHOP Token

In late 2021, Shopping.io found itself with two native tokens that were originally designed to improve users’ experience and governance on the platform. The company, however, felt that further improvements to its tokens and their use case within the platform were necessary in order to achieve the ‘token platform relationship’ previously envisioned.

With 2022’s inception came the first internal proposal for the merging of Shopping.io’s current tokens into one ‘do it all’ token. Shopping.io presented its idea for $SHOP in May 2022, paired with the token’s shift in platform utility and tokenomics. The merge of $SPI and $GSPI was put to a community vote, ending in an overwhelming 97% approval rate, opening the door for development on $SHOP’s smart contracts to commence.

Following its launch, $SHOP will inherit the functionalities that $G/SPI currently perform within the ecosystem such as offering discounts, voting, and free international shipping when used as a form of payment within the platform. In addition to these already present utilities, $SHOP’s improved tokenomics and flexible smart contract have allowed Shopping.io to create its state-of-the-art $SHOP Back system that will make its debut on September 9th, and will star in the first of the platform’s $SHOP launch events.

The $SHOP token is designed to reflect the success of the ecosystem thanks to its quantitative burn/mint mechanism. This mechanism creates a direct correlation between the use of the ecosystem and the circulating supply of the token, giving a deeper meaning to the phrase “Shop to earn”.

20% $SHOP Back Event

Shopping.io is launching $SHOP on September 9th, 2022, alongside a selection of platform oriented events; the first of which being a 20% $SHOP Back event that will commence on September 10th, 5 PM CET. The $SHOP Back event will be held for 48 hours giving shoppers the ability to earn an additional 20% of their order value back in $SHOP with the use of selected tokens such as $ETH, $APE and $AVAX as a form of payment.

$SHOP Membership Raffle Event

Shopping.io will unveil $SHOP’s membership platform on the day of the token’s launch, allowing both seasoned community members and newcomers to lock their $SHOP rewards and become a part of the Shopping.io ecosystem. $SHOP’s membership program consists of five tiers, with each package’s benefits being accessible through the locking of a corresponding amount of $SHOP for a three month period. These benefits enhance the shopping experience by activating increased $SHOP Back rewards, airdrop rewards, and free shipping. To celebrate the membership program’s launch, Shopping.io is holding a month-long staking raffle event for members only! This opportunity gives members the chance to win prizes in addition to their already present platform benefits. Prizes include gift cards, $SHOP credits, access to Shopping.io’s Galaxy membership tier, an iPhone 13 Pro, and the Golden Ape from the Villager of XOLO NFT set.

Shopping.io envisions a future where people have the flexibility to buy anything with anything.

RFOX Launches the RFOX Metahack 2022, a Web 3.0 Hackathon Presented by Padang & Co

Metaverse company RFOX has introduced the RFOX Metahack 2022, a hackathon that will foster the development of creative Web 3.0 solutions to important challenges in the quest to shape the future of the Internet. Interested innovators can submit their applications to the hackathon on the RFOX Metahack 2022 website until September 30, 2022, at 11:59pm (GMT+8).

The RFOX Metahack 2022 aims to bring together innovative, talented individuals and teams who understand technologies like blockchain, crypto, and DeFi. The hackathon also serves as an avenue through which the RFOX ecosystem can help empower everyone to play, create, and earn in an immersive metaverse without borders.

The RFOX Metahack 2022 welcomes innovators to work with existing tools within the RFOX ecosystem and build new products and services to expand it. This virtual hackathon, presented by Padang & Co, and in partnership with AIKON, invites innovators to solve business problems and address new opportunities within the AI, blockchain, augmented reality, virtual reality, and Internet of Things spaces that can be incorporated into the RFOX product roadmap.

Challenge Statements for RFOX Metahack 2022

There are six challenge statements featured in the RFOX Metahack 2022, representing the focus areas for innovation that hackathon participants can work on:

1. Mobile Games. Create mobile games – puzzles, arcade games, platformers, table-top games (checkers, chess, etc.) – implementing a play-to-earn mechanism using the blockchain and RFOX token.
2. Games SDK. Build a software development kit (SDK) that enables the creation of mobile games for players. Special consideration will be given for games that provide utility for KOGs NFTs (Keys to Other Games) and Choobs. KOGs can be represented in various ways: as cards, characters, miniatures, etc.
3. NFT Factory SDK. Create an NFT factory that will enable anyone to create and share an NFT collection on a known marketplace.
4. RFOX Companion. Develop an RFOX mobile companion on Android or iOS. This app will be used by RFOX ID holders and will be a way to keep users connected to RFOX, anywhere and everywhere.
5. RFOX VALT (Metaverse) Connected Worlds SDK. Construct 3D worlds using the Unity Game Engine and demonstrate how to move resources between different 3D worlds.
6. RFOX VALT (Metaverse) SHOP Construction Set. Build a user interface (UI) using the Unity Game Engine that will enable users to build their own shop. This shop will later be part of the RFOX VALT metaverse.

Prizes and Opportunities for RFOX Metahack 2022 Participants

Successful participants and teams in the hackathon will receive go-to-market support worth US$35,000 for their solution, a job opportunity with RFOX, revenue-sharing opportunities, NFTs, RFOX tokens, Oculus VR headsets, and more.

In addition, our hackathon official partner AIKON is sponsoring a giveaway of 50,000 ORE tokens and one year of ORE ID service free for the winners.

Ben Fairbank, Co-Founder and CEO of RFOX, said, “The launch of the RFOX Metahack 2022 is an important milestone for our team and a concrete step in our continuous mission to move the metaverse forward. We’re excited to work with promising tech builders during this event, and we look forward to empowering them in creating solutions and features that will enrich the RFOX ecosystem and the overall blockchain industry in general. We’re also happy to collaborate with Padang & Co on this game-changing event.”

“AIKON is thrilled to be the official partner of MetaHack 2022 – RFOX’s first hackathon,” said Marc Blinder, the CEO at AIKON and a core contributor to the ORE Blockchain. “We expect this partnership to drive and scale the AIKON developer community through co-hosting hackathons, bring more funding and technological resources to ORE decentralized funding programs for ORE devs, and ultimately accelerate ORE ID’s integration in the years to come.”

RFOX Metahack 2022 Events and How to Apply

The RFOX Metahack 2022 is divided into four parts:

1. Registration. The hackathon welcomes innovative individuals and teams to sign up for the event through this form.
2. Info Session. During this segment, RFOX introduces the hackathon’s overall program challenge statements to participants. Watch the info session here.
3. Virtual Hackathon. This segment includes technical workshops about the RFOX ecosystem, as well as mentoring and networking opportunities from key figures in the blockchain industry. After these sessions, hackathon participants are expected to submit their proposed projects. 
4. Evaluation and Pitch. Following an evaluation process, a select few projects will qualify for Pitch Day, during which the qualifying teams will present their solutions before a panel of judges. Each participant that is shortlisted for Pitch Day will be given coaching and further advice before their presentations. At the end of Pitch Day, winning participants will be declared.

For more details about the RFOX Metahack 2022, please go to this website.

TheTrade: unique decentralized exchange for DeFi enthusiasts

Can a DEX offer more earning opportunities for crypto owners while relieving traders from watching the market 24/7?

Yes, and that’s what is being delivered by TheTrade – an exchange that offers decentralized trading based on isolated liquidity in Uniswap v3.

New opportunities for profit

TheTrade lets DeFi traders place limit orders and trade the derivatives market with different leverage, but in its own unique way.

Previously, when users opened limit orders on Uniswap, they had to closely watch the market and execute the order once the asset reached its price. Now, with TheTrade, order execution duties are delegated to executors. Anyone with an Ethereum account can fill the role and gain commission for their work.

Another earning possibility lies in the liquidation process. When a leveraged position gets undercollateralized, any protocol user can take on the role of a liquidator. They call TheTrade smart contract to liquidate the position and receive a generous commission.

Let’s get into more detail on how exactly both roles fit into the TheTrade ecosystem.

The role of Executor in Limit Orders

When a trader opens a position, they choose the asset they want to sell and the one they wish to receive. They also specify the price they’re ready to pay for the former. Then, the trader signs the transaction in their crypto wallet and pays for the gas and order execution fees.

Next, TheTrade smart contract places the received funds into the Uniswap v3 liquidity pool. The trader can focus on other tasks while the executor monitors the market and the process of liquidity transfer. Isn’t it powerful? Once the price of the desired asset enters the specified range and the funds convert into the other asset, the executor notifies the smart contract to execute the order.

After that, the asset, along with a commission for providing liquidity, goes to the trader’s wallet. And the executor receives the previously mentioned fee for order execution.

The role of Liquidator in Margin Trading

To open a leveraged position, the trader needs to provide an asset, choose a leverage option, and specify which asset they want to use to utilize market volatility. Then TheTrade smart contract adds the required amount by taking it out of the TheTrade isolated liquidity pool.

If the trader’s prediction is wrong and the market goes in the opposite direction, the position has to be liquidated. And this is where any protocol user can take on the liquidator role. They need to call TheTrade smart contract to liquidate the position.

Once the assets are swapped back, the smart contract returns the borrowed amount minus losses to TheTrade isolated liquidity pool. The liquidator receives a robust commission.

CEX-like convenience with DEX security

For a long time, centralized exchanges have been catering to all crypto traders’ wants and needs. Limit orders, multiple leverage opportunities, and full automation allowed professional market players to utilize their knowledge and experience to earn more. Yet, due to centralization, users’ funds became vulnerable to various scamming techniques. If a hacker cracked the CEX, all investors’ accounts would be at risk.

Decentralized exchanges focused on changing that by offering the crypto community total security. However, that left the development of advanced tools for professional traders for the future. But for TheTrade users, the future is already here.

“Our solution is a decentralized exchange platform that combines security, professional trading instruments, and full potential of isolated Uniswap v3 liquidity. With TheTrade, the traders won’t have to lose their time and money watching the market and the progress of liquidity transfer. They get to earn additional funds to provide their liquidity instead.

For users who want to boost their trading power, our platform offers multiple leverage options and low margin commissions” — Andrii Opanasiuk.

Benefits of using TheTrade

  • Professional trading features, including automated limit orders and multiple margin trading options.
  • Complete security with no risk of slippage or sandwich attacks on limit orders.
  • No protocol commissions on limit orders.
  • DAO solutions.
  • Big investors are interested in a long-term partnership with the TheTrade platform.

Join TheTrade in transforming the DeFi industry

The initial DEX Offering is right around the corner, and the project has already secured significant investments. Hence, TheTrade developers are already working on expanding the toolkit and making it even more convenient and profitable for all users.

Are you ready to learn more about the DeFi transforming project? Explore the TheTrade website, and be one of the first to join the growing community of TheTraders!