Lazarus hits cryptocurrency exchange with fake installer and macOS malware

Kaspersky Lab has been assisting with incident response efforts. While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email. It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate looking website and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to. There have been multiple reports on the reappearance of Fallchill, including one from US-CERT.

To ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including for macOS. A version for Linux is apparently coming soon, according to the website. It’s probably the first time we see this APT group using malware for macOS.

The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms.

Trojanized cryptocurrency trading application

Thanks to Kaspersky Lab’s malicious-behavior detection technology, implemented in its endpoint security software, we were able to reassemble the stages of infection and trace them back to their origin. This helped us understand that one of Lazarus’ victims was infected with malware after installing a cryptocurrency trading program. We also confirmed that the user installed this program via a download link delivered over email.

Trojanized trading application for Windows

Including malicious code into distributed software and putting that on a website would be too obvious. Instead, the attackers went for a more elaborate scheme: the trojan code was pushed out in the form of an update for a trading application.

A legitimate-looking application called Celas Trade Pro from Celas Limited showed no signs of malicious behaviour and looked genuine. This application is an all-in-one style cryptocurrency trading program developed by Celas.

Screenshot of Celas Trade Pro

When we started this research, any user could download the trading application from the Celas website. Checking the installation package downloaded from the website confirmed the presence of a very suspicious updater.

Installation package download page

We have analyzed the following Windows version of the installation package:

MD5: 9e740241ca2acdc79f30ad2c3f50990a
File name: celastradepro_win_installer_1.00.00.msi
File type: MSI installer
Creation time: 2018-06-29 01:16:00 UTC

At the end of the installation process, the installer immediately runs the Updater.exe module with the “CheckUpdate” parameter. This file looks like a regular tool and most likely will not arouse the suspicion of system administrators. After all, it even contains a valid digital signature, which belongs to the same vendor. But the devil is in the detail, as usual.

The code writer developed this project under the codename “jeus”, which was discovered in a PDB path included in the updater and is also used as the boundary string of its HTTP multipart messages. Because of this, and the fact that the attacked platforms include Apple macOS, we decided to call this Operation AppleJeus.

Properties of the shady updater tool included in the package are:

MD5: b054a7382adf6b774b15f52d971f3799
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Known file name: %Program Files%\CelasTradePro\Updater.exe
Link Time: 2018-06-15 10:56:27 UTC
Build path: Z:\jeus\downloader\downloader_exe_vs2010\Release\dloader.pdb

The main purpose of Updater.exe is to collect the victim’s host information and send it back to the server. Upon launch, the malware creates a unique string from random values using the format string template “%09d-%05d”, which is used as the unique identifier of the infected host. The malware then collects the process list, excluding the “[System Process]” and “System” entries, and reads the exact OS version from the values under the registry key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion”. It seems that some of these values only exist from Windows 10 onwards, so we assume that the author developed and tested it on Windows 10.

  • ProductName: Windows OS version
  • CurrentBuildNumber: Windows 10 build version
  • ReleaseID: Windows 10 version information
  • UBR: Sub version of Windows 10 build
  • BuildBranch: Windows 10 build branch information

The code encrypts the collected information with the hardcoded XOR key (“Moz&Wie;#t/6T!2y”) before uploading it to the server.

Data encryption routine

The code sends the victim’s information to a webserver using HTTP and the following URL:
www.celasllc[.]com/checkupdate.php

The server is a legitimate looking website owned by the developer of the program: Celas LLC. At this point we were not able to conclude with high confidence whether the server was compromised by the threat actor or had belonged to the threat actor from the beginning. To learn more about the server, please read the “Infrastructure” section below.

The malware used a hardcoded User-Agent string “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)” and a fixed multipart form data boundary string “jeus”.

Using encryption and a custom boundary string wouldn’t be a red flag on their own for a legitimate application, but sending a request carrying the context-irrelevant string “get_config”, and uploading the collected system information as “temp.gif”, disguised as a GIF image by a magic number in the header, definitely made us raise our eyebrows.

Communication with the C2 server

After successfully uploading the data, the updater checks the server response. If the server responds with HTTP code 300, it means the updater should keep quiet and take no action. However, if the response is HTTP code 200, it base64-decodes the payload and decrypts it using RC4 with another hardcoded key (“[email protected]%Df324V$Yd”). The decrypted data is an executable file prepended with the string “MAX_PATHjeusD”.

During our research, we found other similar files. One was created on August 3rd and another on August 11th. The PDB path shows that the author keeps improving this updater tool, apparently forked from some stable version released on July 2, 2018 according to the internal directory name.

Additional trojanized sample #1

Installation package MD5: 4126e1f34cf282c354e17587bb6e8da3
Package creation date: 2018-08-03 09:57:29
Dropped updater MD5: ffae703a1e327380d85880b9037a0aeb
Updater creation date: 2018-08-03 09:50:08
Updater build path: H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000009\Release\dloader.pdb

Additional trojanized sample #2

Installation package MD5: 0bdb652bbe15942e866083f29fb6dd62
Package creation date: 2018-08-13 00:12:10
Dropped updater MD5: bbbcf6da5a4c352e8846bf91c3358d5c
Updater creation date: 2018-08-11 07:28:08
Updater build path: H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000006\Release\dloader.pdb

Note the TManager directory in the PDB path from the table. It will pop up again in another unexpected place later.

Trojanized trading program for macOS

For macOS users, Celas LLC also provided a native version of its trading app. A hidden “autoupdater” module is installed in the background to start immediately after installation, and after each system reboot. It keeps contacting the command and control (C2) server in order to download and run an additional executable from the server. The communication matches that of the Windows version of the updater and is disguised as an image file upload and download, while carrying encrypted data inside.

We have analyzed the following installation file:

MD5: 48ded52752de9f9b73c6bf9ae81cb429
File Size: 15,020,544 bytes
File Type: DMG disk image
Known file name: celastradepro_mac_installer_1.00.00.dmg
Date of creation: 13 July 2018

Once the Celas Trade Pro app is installed on macOS, it starts the Updater application at system startup via a file named “.com.celastradepro.plist” (note that the name starts with a dot, which hides it from the Finder app and from the default Terminal directory listing). The “Updater” file is passed the “CheckUpdate” parameter on start.

Celas Trade Pro app plist file (Apple Property List)

The command-line argument “CheckUpdate” looks redundant from a code analysis perspective: there is no other argument that the application expects. In the absence of any argument, it does nothing and quits. This may or may not be a way to trick sandboxes that automatically execute this trojanized updater: without the “secret” extra argument, no suspicious activity is produced. The choice of a benign string such as “CheckUpdate” helps it to hide in plain sight of any user or administrator looking into running processes.

The trojanized updater works similarly to the Windows version in many ways. Both applications are implemented using the cross-platform Qt framework. Upon launch, the downloader creates a unique identifier for the infected host using a “%09d-%06d” format string template. Next, the app collects basic system information, which for macOS is done via dedicated Qt classes:

  • Host name
  • OS type and version
  • System architecture
  • OS kernel type and version

The process of encrypting and transferring data is the same as in the Windows version. This information is XOR-encrypted with the hardcoded 16-byte static key “Moz&Wie;#t/6T!2y”, prepended with a GIF89a header and uploaded to the C2 server via HTTP POST to the following URL:

https://www.celasllc[.]com/checkupdate.php

POST request template strings

The module relies on a hardcoded User-Agent string for macOS:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Once the server replies, the updater checks the HTTP response code. HTTP response code 300 indicates that the server has no task for the updater, and the application terminates immediately. If the HTTP response code is 200, the updater takes the data in the response, decodes it from base64 and decrypts it using RC4 with the hardcoded static key “[email protected]%Df324V$Yd”. It calculates the MD5 of the decoded and decrypted data and compares it with a value stored inside the binary, to verify the integrity of the transferred file. After that, the payload is extracted and saved to the hardcoded file location “/var/zdiffsec”; the updater sets executable permissions for all users and starts the app with another secret hardcoded command-line argument, “bf6a0c760cc642”. Apparently the command-line argument is the way to prevent the detection of its malicious functionality via sandboxes or even reverse engineering. We have previously seen this technique adopted by the Lazarus group in 2016 in attacks against banks. As of 2018, it is still using this in almost every attack we investigated.
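The Windows and macOS updaters described above share one C2 protocol: a multipart POST carrying the XOR-encrypted host report as “temp.gif” behind a GIF89a header, and a reply that is base64-encoded and RC4-encrypted with “MAX_PATHjeusD” in front of the executable. The following Python is an added analyst-side decoder for captured traffic of that shape; it is not code from the report or from the malware. The report prints the RC4 key only partially, so the key here is a labelled placeholder, and the multipart field layout and the contents of the host report are constructed for the demonstration.

```python
import base64
import hashlib
from typing import Optional, Tuple

# Values quoted in the report: the XOR key shared by both updaters, the
# multipart boundary, the GIF header used as disguise, and the marker that
# precedes the decrypted second-stage executable.
XOR_KEY = b"Moz&Wie;#t/6T!2y"
MULTIPART_BOUNDARY = b"jeus"
GIF_MAGIC = b"GIF89a"
PAYLOAD_MARKER = b"MAX_PATHjeusD"

# The report shows the RC4 key only partially; this is a labelled placeholder,
# not the real key. Pass the key recovered from the sample in practice.
RC4_KEY_PLACEHOLDER = b"placeholder-rc4-key"


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; the same routine encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); symmetric, used for the C2 reply."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_temp_gif(body: bytes, boundary: bytes = MULTIPART_BOUNDARY) -> bytes:
    """Return the raw bytes of the part uploaded as temp.gif from a multipart body."""
    delimiter = b"\r\n--" + boundary
    # Prefix a CRLF so the first boundary splits exactly like the later ones.
    for segment in (b"\r\n" + body).split(delimiter)[1:]:
        if segment.startswith(b"--"):
            break  # closing delimiter reached
        header, sep, content = segment.partition(b"\r\n\r\n")
        if sep and b'filename="temp.gif"' in header:
            return content
    raise ValueError("no temp.gif part in request body")


def decode_beacon(body: bytes) -> str:
    """Recover the plaintext host report from a captured updater POST body."""
    blob = extract_temp_gif(body)
    if not blob.startswith(GIF_MAGIC):
        raise ValueError("upload lacks the GIF89a disguise header")
    # The updater XORs the report first and prepends the GIF header afterwards,
    # so strip the header and then undo the XOR.
    return xor_with_key(blob[len(GIF_MAGIC):]).decode("utf-8")


def decode_response(status: int, body: bytes, rc4_key: bytes,
                    expected_md5: Optional[str] = None) -> Optional[bytes]:
    """Mirror the updater's handling of the reply: 300 = no task, 200 = payload.

    The macOS updater also checks an MD5 of the decrypted data against an
    embedded value; pass expected_md5 to reproduce that (assumed to cover the
    data before the marker is stripped).
    """
    if status == 300:
        return None
    if status != 200:
        raise ValueError(f"unexpected HTTP status {status}")
    decrypted = rc4(rc4_key, base64.b64decode(body))
    if expected_md5 is not None and hashlib.md5(decrypted).hexdigest() != expected_md5:
        raise ValueError("payload MD5 does not match the embedded value")
    if not decrypted.startswith(PAYLOAD_MARKER):
        raise ValueError("decrypted data lacks the MAX_PATHjeusD marker")
    return decrypted[len(PAYLOAD_MARKER):]


# Constructed sample traffic for the demonstration (not a real capture). The
# field layout of the host report is invented; only the host-id format
# ("%09d-%05d") comes from the report.
SAMPLE_REPORT = "000123456-00042\r\nProductName=Windows 10 Pro\r\nCurrentBuildNumber=17134\r\n"
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 62  # stand-in for the dropped executable


def build_sample_capture() -> Tuple[bytes, int, bytes]:
    """Build a request body and C2 reply shaped like the ones the report describes."""
    upload = GIF_MAGIC + xor_with_key(SAMPLE_REPORT.encode("utf-8"))
    body = (b"--jeus\r\n"
            b'Content-Disposition: form-data; name="file"; filename="temp.gif"\r\n'
            b"Content-Type: image/gif\r\n\r\n" + upload + b"\r\n--jeus--\r\n")
    reply = base64.b64encode(rc4(RC4_KEY_PLACEHOLDER, PAYLOAD_MARKER + SAMPLE_PAYLOAD))
    return body, 200, reply


def demo() -> Tuple[str, Optional[bytes]]:
    """Decode the constructed beacon and reply end to end."""
    body, status, reply = build_sample_capture()
    return decode_beacon(body), decode_response(status, reply, RC4_KEY_PLACEHOLDER)
```

Fed a real capture and the recovered key, decode_beacon and decode_response return the plaintext host report and the dropped executable for further analysis.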

Downloaded payload

According to data from Kaspersky Security Network, the threat actor delivered the malicious payload using one of the shadowy updaters described above. We found a malicious file created on the same host:

MD5: 0a15a33844c9df11f12a4889ae7b7e4b
File Size: 104,898,560 bytes
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Known file name: C:\Recovery\msn.exe
Link time: 2018-04-19 13:30:19

Note the unusually large size for an executable file. We believe that it was inflated with junk data on purpose to prevent easy download or transfer over the internet.

Searching for the reason for the malware’s appearance on the system revealed that an additional process had produced several files before this malware was launched, suggesting a trojan dropper in action. The main function of this malware is to implant the Fallchill backdoor loader, which is assembled from several files. Upon launch, the malware checks one of the command-line arguments passed to it. As a disguise, the malware chooses one of the service names located in the following registry value:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs

This value includes a list of several dozen standard system service names.

The randomly chosen service name is used to name the dropped file and newly registered Windows service. Let’s refer to this randomly chosen service name as [service]. The malware contains references to several files inside:

  • The file passed as argument: contains a 16-byte key
  • msncf.dat: Encrypted configuration data
  • msndll.tmp: Encrypted Fallchill loader
  • msndll.dat: Encrypted Fallchill backdoor (payload for the loader)
  • [service]svc.dll: Fallchill backdoor loader
  • [service].dat: Copy of msndll.dat

A mix of the above-mentioned files produces the final backdoor known as Fallchill. A more detailed procedure for technical specialists is as follows:

  1. Check whether the command-line argument points to a file of 16 byte size.
  2. Read the file passed via the command-line argument. The contents of this file contains a crypto key, which we will call the main key.
  3. Open the msncf.dat file (configuration file). If the file size equals 192 bytes, read the content of the file.
  4. Open msndll.tmp file and decrypt it using the main key.
  5. Create the [service]svc.dll file and fill it with pseudo-random data.
    1. The malware writes 10,240-byte blocks of pseudo-random data to the file, repeating (rand() % 10 + 10240) times. This is why it produces files which are at least 104,851,000 bytes.
  6. Copy the 16-byte main key at the end of the [service]svc.dll file.
  7. Encrypt the [service].dat file name with the main key and append it at the end of [service]svc.dll.
  8. Overwrite the beginning of [service]svc.dll with data decrypted from msndll.tmp.
  9. Move msndll.dat file to [service].dat.
  10. Delete temporary files: msndll.tmp, msncf.dat, msndll.log.
  11. Timestamp [service]svc.dll and [service].dat files.
  12. Register [service]svc.dll as a Windows service.
  13. Save a copy of data from msncf.dat file in the following registry value
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description.

Infection process diagram

Fallchill backdoor loader

We confirmed that the following malware was created on the infected host using the method described above:

Fallchill backdoor loader:

MD5: e1ed584a672cab33af29114576ad6cce
File Size: 104,878,356 bytes
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Known file name: C:\Windows\system32\uploadmgrsvc.dll
Link time: 2018-01-18 01:56:32

Encrypted Fallchill backdoor:

MD5: d8484469587756ce0d10a09027044808
File Size: 143,872 bytes
File Type: encrypted data
Known file name: C:\Windows\system32\uploadmgr.dat

Upon starting, uploadmgrsvc.dll reads the last 276 bytes of its own executable file. The first 16 of these bytes are used as a decryption key, and the remaining 260 bytes contain the encrypted file path used by the backdoor.

Data at the end of the loader module

After decrypting the last 260 bytes, the malware retrieves the name or path of the file that contains the actual backdoor body in encrypted form.

Decrypted file name in the end of loader module

The malware reads the specified file and decrypts it using the same decryption routine. This is how the executable code of the backdoor is produced in memory and executed by the loader. Below is the meta information about the decrypted final payload in memory:

MD5: d7089e6bc8bd137a7241a7ad297f975d
File Size: 143,872 bytes
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Link Time: 2018-03-16 07:15:31

We can summarize the Fallchill backdoor loading process as follows:

Loading the Fallchill backdoor

As mentioned previously, the final payload belongs to a Fallchill malware cluster formerly attributed to the Lazarus APT group. Upon launching, this malware resolves the API function addresses at runtime, and reads the C2 server address from the registry value created during the installation stage:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description

If there is no configuration value, the malware falls back to one of the following default C2 server addresses:

  • 196.38.48[.]121
  • 185.142.236[.]226

This is a full-featured backdoor that contains enough functions to fully control the infected host. Some of its network protocol commands are described below.

Command ID Description
0x8000 Write current time and configuration data to registry key
0x8001 Send configuration data
0x8002 Replace configuration data in the fixed registry value
0x8003 Execute Windows command, store output in temp file and upload contents to C2
0x8006 Show current working directory
0x8007 Change current working directory
0x8008 Collect process information
0x8009 Terminate process
0x8010 Start new process
0x8011 Create process with security context of the current user
0x8012 Connect to specified host/port
0x8013 Get drive information
0x8014 Directory listing
0x8015 Search a file
0x8019 Write data to a specified file
0x8020 Read contents of specified file and upload to C2 server
0x8021 Compress multiple files into a temp file (name starts with ZD) and upload to C2
0x8023 Wipe specific file
0x8025 Copy file time from another file time (timestamping)
0x8026 Shutdown malware service and self-delete
0x8043 Send “Not Service” unicode string to C2 server (communication test?).

This set of capabilities is very common for many Lazarus backdoors, which have been seen in other attacks against banks and financial industry in the past years.

Infrastructure

While working on the incident of the cryptocurrency company’s breach, we were curious about the legal status of the Celas LLC company that developed this trojanized trading application.

Celas LLC main homepage.

The website had a valid SSL certificate issued by Comodo CA. However, note that the certificate from this webserver mentions “Domain Control Validated”, which is a weak security verification level for a webserver. It does not mean validation of the identity of the website’s owner, nor of the actual existence of the business. When certification authorities issue this kind of certificate they only check that the owner has a certain control over the domain name, which can be abused in certain ways.

Below is the WHOIS record of the “celasllc.com” domain. The domain name was registered by an individual named “John Broox” with registrant email address “[email protected][.]com”.

The same name of “John Broox” was used inside the installation package of the macOS version of the trading application. The Info.plist properties file describes the package as follows:

It looks at first sight like a legitimate WHOIS record, but something doesn’t really add up here. The domain celasllc.com was the only domain registered with this email address, and the address was used for nothing but that domain registration.

The registrant used the Domain4Bitcoins service to register this domain, apparently paying with cryptocurrency. According to open-source intelligence, the address of the WHOIS information is fake, unless it’s the owner of a ramen shop running a cryptocurrency exchange software development studio on the side.

View of the location referred in the WHOIS record. Image source: Google Maps.

The server hosting celasllc.com (185.142.236.213) belongs to the Blackhost ISP in the Netherlands.

WHOIS record of celasllc.com server

Coincidentally, the Fallchill malware authors also preferred to use the same hosting company to host their C2 server. Moreover, the Celas LLC web server and one of the C2 servers of the Fallchill malware are located in the same network segment of this ISP:

  • Celas LLC infrastructure:
    • 185.142.236.213: Netherlands, Blackhost Ltd., AS174 COGENT-174
  • Fallchill malware C2 servers:
    • 196.38.48[.]121: South Africa, Internet Solutions, AS3741
    • 185.142.236[.]226: Netherlands, Blackhost Ltd., AS174 COGENT-174
  • Additional attacker’s servers from telemetry:
    • 80.82.64[.]91: Seychelles, Incrediserve Ltd, AS29073
    • 185.142.239[.]173: Netherlands, Blackhost Ltd., AS174 COGENT-174

However, when you look into the Celas Trade Pro application’s digital signature, including that of its “Updater”, you will find that this certificate was also issued by Comodo CA, and that it refers to a company address in the United States.

According to open-source data, this address doesn’t belong to a real business, and looks on maps like a meadow with a small forest and small real estate offering nearby.

Location of Celas LLC, according to its digital certificate

Real estate history of that address

Pivoting the infrastructure a little further brings up some more suspicious things. It appears that the domain referred to two IPs, one of which was linked to a few other suspicious domains, according to PassiveDNS.

Celas LLC linked infrastructure

The owners of the linked infrastructure elements preferred to use several interesting services for hosting and domain registration. All these service providers offer a certain level of anonymity to their customers. Most of them accept Bitcoin as a main payment method to keep their customers anonymous. This is very uncommon for companies running a legitimate business.

Hosting services linked to Celas LLC:

  • Blackhost (https://black.host/)
  • Liberty VPS (https://libertyvps.net/)

Domain registration services linked to Celas LLC:

  • Domains4Bitcoins (https://www.domains4bitcoins.com/)
  • NameCheap (https://www.namecheap.com/)
  • ChangeIP (https://www.changeip.com/)
  • Njalla (https://njal.la/)

All the facts above can make the more sceptical among us doubt the intentions of Celas LLC and the legitimacy of this business. Of course, these facts alone would not be enough to accuse Celas LLC of committing a crime.

Attribution

Kaspersky Lab has previously attributed the Fallchill malware cluster to the Lazarus group when it attacked the financial sector around the world. This was also confirmed by other security vendors and by US-CERT.

RC4 key from the older Fallchill

Fallchill malware uses the RC4 algorithm with a 16-byte key to protect its communications. The key extracted from the Fallchill variant used in the current attack is DA E1 61 FF 0C 27 95 87 17 57 A4 D6 EA E3 82 2B.

Current RC4 key of Fallchill

We were able to confirm that some of the older Fallchill malware variants, with compilation timestamps ranging from 2015 to 2017, used exactly the same RC4 key (the compilation timestamp may indicate the date of malware creation).


Same C2 server with older Fallchill

We have confirmed that the C2 server addresses (196.38.48[.]121, 185.142.236[.]226) used in this attack were also used by older Fallchill variants compiled in 2016 and 2017.


Overlap of C2 infrastructure

Apparently, the attackers using the Fallchill malware continue to reuse code and C2 server infrastructure over and over again.

According to Kaspersky Security Network, Fallchill was not the only malware used in this attack. There was another backdoor that was used by the threat actor. We omit a full description of this backdoor in the current report to keep the write-up to an acceptable length, but we would like to highlight two important things discovered in it. First, this backdoor was created on 2018-07-12 and revealed an already familiar directory, “TManager”, which we previously saw in the Updater.exe application from the Celas Trade Pro suite:

H:\DEV\TManager\all_BOSS_troy\T_4.2\T_4.2\Server_\x64\Release\ServerDll.pdb

Second, what is probably one of the most interesting findings to come from this additional backdoor was discovered hidden in hardcoded headers used to communicate with C2 server. The Accept-Language HTTP header string revealed a language code associated with North Korea. In our experience, this is something we normally don’t see in malware.

Accept-Language: ko-kp,ko-kr;q=0.8,ko;q=0.6,en-us;q=0.4,en;q=0.2

Accept-Language HTTP header value in the body of the backdoor

Conclusions

The Lazarus APT group’s continuous attacks on the financial sector are not much of a surprise to anyone. A lot of research has been done and published about such attacks. However, we think this case makes a difference. Recent investigation shows how aggressive the group is and how its strategies may evolve in the future.

First of all, Lazarus group has entered a new platform: macOS. There is steadily growing interest in macOS from ordinary users, especially in IT companies. Many developers and engineers are switching to using macOS. Apparently, in the chase after advanced users, software developers from supply chains and some high profile targets, threat actors are forced to have macOS malware tools. We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once.

We cannot say with full certainty whether Celas LLC was compromised and the threat actor abused it to push malware through an update mechanism. However, the multiple successful Lazarus attempts to compromise supply chain companies suggest that it will keep exploring this infection method. From all angles, the Celas LLC story looks like the threat actor has found an elaborate way to create a legitimate-looking business and inject a malicious payload into a “legitimate-looking” software update mechanism. Sounds logical: if one cannot compromise a supply chain, why not make a fake one?

This should be a lesson to all of us and a wake-up call to businesses relying on third-party software. Do not automatically trust the code running on your systems. Neither a good-looking website, nor a solid company profile, nor digital certificates guarantee the absence of backdoors. Trust has to be earned and proven. Stay safe!

Previous ArticleNext Article

Hxro Network Announces $34M Strategic Round Co-Led by SIG DT, Jump Crypto and Blockchain Capital 1431

Hxro Network (“HXRO” or “the Network”), a derivatives primitive built on the Solana blockchain, today announced the closing of a $34 million strategic funding round co-led by SIG DT Investments (A Susquehanna International Group Company), Jump Crypto, and Blockchain Capital.

The $34 million HXRO token round was backed by a marquee list of principal trading firms including SIG DT, Jump Crypto, Alameda Research, Chicago Trading Company, and Pattern Research as well as venture participation from Blockchain Capital, Solana Ventures, Coinbase Ventures, Commonwealth Asset Management, CoinFund, Genesis, LedgerPrime, Mantis, and Magnus Capital.

The round follows a $15 million HXRO token deal earlier this year that brought Commonwealth as well as notable macro hedge fund managers Alan Howard and Louis Bacon to the Network.

Hxro Network is a liquidity, risk, and margin primitive for risk-based applications built on the Solana blockchain. It provides critical support for a full suite of on-chain derivative markets. Solana is a key component to the Network, providing censorship-resistant infrastructure with the speed and low marginal transaction costs needed to facilitate derivatives markets at scale.

The Network protocols provide open solutions enabling market makers, traders, operators, and other network participants to quickly create and connect to globally aggregated liquidity. These protocols combine the risk, margining, clearing, and capital efficiencies of centralized derivatives with the open, trustless, and censorship-resistant elements of DeFi.

The Network plans to initially support markets for the most well-known crypto-assets, and will later agnostically extend to markets for any high-fidelity data supplied by network-approved oracles. This scope enables the Network to provide the underlying market infrastructure for everything from crypto and traditional assets to live in-play sports wagering and other event-driven markets.

Dan Gunsberg, Co-Founder of Hxro Network, commented on today’s news: “The notional size of incumbent derivatives markets is still many times that of what is available in DeFi. The mission of Hxro Network is to change that in a way where all market participants, no matter the size of their contribution and participation, can benefit. Today’s announcement is further validation of Hxro Network’s community-based vision to build the most robust and scalable decentralized derivatives primitive available in the marketplace. We’ve coordinated some of the most experienced participants from both traditional and crypto markets to participate in the design and build of the network’s most critical foundational elements. Under normal circumstances these teams would be incredibly competitive with one another. However, they all share a common goal of unlocking the frictions that exist in incumbent markets and creating an open marketplace through the application of decentralized technology. As a community, we are creating a very powerful foundation for decentralized derivatives to scale and become a significant part of the fabric of the global derivatives landscape.”

The Network will utilize a unique staking protocol to facilitate network governance, liquidity incentives, and rewards. Hxro Network value will largely derive from transaction fees generated within the network. One hundred percent of the Network’s value will accrue to staked HXRO token holders, specialized node operators, the network treasury, and developer pools vital to network scaling and functionality. It will compose with Pyth Network as its primary data oracle, and will also easily compose with order books from Project Serum. The Network will integrate Civic as well, which will provide critical primitive layer compliance architecture.

HXRO plans to begin launching v1 network components to Solana mainnet next month and into Q1 of next year. This will include parimutuel markets, serial and quarterly futures, perpetual swap and options.

Metaverse Project DigiNation Completed 2.4 Million Fund Raising and Launching a Squid Game-like Contest Starring CryptoPunks 1622

Metaverse gaming project DigiNation has successfully raised a total of $2.4M from venture capital firms and strategic players in the industry. The investors include: Longhash Ventures, OKEx Blockdream Ventures, Huobi Ventures, RareStone Capital, Spark Digital Capital, Yuanyuzhou Ventures and 21DAO Ventures.

Starting on the Ethereum blockchain, DigiNation is an all-encompassing ecosystem that comprises an extensive virtual gaming client DigiPlayer, playable characters (represented by DigiAvatar NFTs), a 3D design studio called DigiMaker, a web gallery named NFT Live, and an OpenSea-esque integrated marketplace known as DigiMarket.

DigiNation’s innovation on the NFT starts from making the DigiAvatar NFTs with evolving attributes. In the DigiNation metaverse, DigiAvatars NFTs are the indigenous citizens, and these NFTs’ attributes such as Experience and Fame can grow according to the player’s activities in the game.

The public mint of 950 DigiAvatar NFTs on Ethereum was sold out in 8 minutes on 19 Nov.

With interoperability being a stated goal of the DigiNation team, the hope is that DigiAvatar NFTs can access not only the DigiNation but also other metaverses, whether they are on Ethereum or on other disparate blockchains. Similarly, third-party NFTs can be imported to DigiNation via NFT Live. For example, it will be possible to import a 2D picture NFT such as a CryptoPunk – which DigiNation will convert into an animated 3D avatar for use in the game.

The team plans to kick start the DigiNation in December by launching a multiplayer online tournament called Crypto Survivor, a sort of amalgam of the TV series Survivor and Squid Game, inviting reputable NFT projects such as CryptoPunks and Pudgy Penguins to star in the tournament.

Centaurify & The Music Industry Revolution


The pandemic has left many industries in ruins—including the music & performing industry. And it should not come as a surprise to anyone as many sectors were already in shambles and required restructuring in order to thrive once again.

The issue that was and still is plaguing the music & performing industry long before the pandemic arrived, was the same as in many other industries—an abundance of middlemen and predatory organizations that sought to maximize profits at the expense of the industry’s sustainability and prosperity.

Instead of restructuring and aiming for sustainability, ill practice continued, which resulted in the music and performing industry essentially turning to ashes with the arrival of the pandemic.

But from these ashes, a Phoenix started to form, a Phoenix called—Centaurify.

Origins

To understand what Centaurify is—one needs to understand its origins and the exact conditions that were present prior to & at the moment of the birth of Centaurify.

David Rootwelt-Norberg, the CEO and Co-founder of Centaurify—worked in the fashion industry for 18 years, prior to starting Centaurify, and even ran a successful company that dressed famous artists the likes of Post Malone, Isac Elliot, Madcon, Kygo and Pink. That is how David met the famous artist Martin Bjercke commonly known by his stage name CLMD. The work partnership turned into friendship which resulted in David learning all the pain points of the music industry.

Some of these pain points, which Centaurify will address, are that streaming services pay pennies on the dollar to the artists who are the foundation of the music industry, and that these streaming services use an algorithm that promotes music according to a very specific set of parameters. This hollow approach destroys the creativity of artists and forces them to be essentially all more or less the same if they want to succeed and gain popularity on those streaming services.

But when the pandemic hit, David learned—through Martin, how broken the music & performing industry truly is. The lesson David learned was simple—because of the lockdowns, Martin lost almost all his income as an artist and was forced to find another job in order to sustain himself. In other words, the lesson is—artists are entirely dependent on live events to make ends meet—otherwise they have to find a second job in order to live, and deliver amazing masterpieces we all enjoy.

To make matters worse, this was a common occurrence even before the pandemic for artists who are not as famous or successful as Martin, who has had several songs go platinum. This state of affairs hurts everyone: the artists, the streaming services, labels, consumers and essentially every participant in the music & performing industry.

And this is where Centaurify comes in.

Rising from the ashes

The music & performing industry has a chance to be reborn—with Centaurify. The Centaurify team seeks to alleviate all the previously mentioned pain points as well as materialize new concepts that will supercharge artists’ efforts and grant them the financial stability and appreciation they deserve!

The solution is provided in the form of a platform that will facilitate various types of activities. The activities and functionalities that the platform will provide—range from the issuance of event tickets in a decentralized and super-efficient manner, sales of digital collectibles, special perks for fans, preprogrammed and automatically executed royalties distribution—to performing merchandise and clothing drops for fans.

All these mechanisms and activities will be mainly realized with the help of the so-called NFT technology, where the NFT acronym stands for—Non-Fungible Token.

The NFT technology will also solve a burning issue of the music & performing industry—scalping and immense potential revenue losses due to the scalping phenomenon. For those less acquainted—scalping is the action of buying a scarce object such as a graphic card, or a ticket, and selling it at a grossly inflated price. Centaurify will resolve this issue by utilizing smart contracts to program the tickets in such a way that the tickets cannot be sold below or above a certain price threshold. The tickets will be also programmed to provide royalties on each resale in the secondary market.

To create a positive feedback loop within the platform, the Centaurify team decided to provide a portion of the transactions from NFT purchases—to the stakers of the Centaurify token. The ticker for the Centaurify token is $CENT and it will be used to execute all purchases on the platform.

The Centaurify team also decided to provide users and artists the stability that is lacking in the crypto sphere—via a stablecoin that will be utilized within the platform itself.

Thought leadership

David and Martin, in their own words, started the Centaurify project to make the world a better place through technology and music. David, with his experience as a CEO in a fashion business well connected to the music industry, and Martin, with his first-hand experience in the music industry, bring exactly the type of expertise that a project like Centaurify requires.

Together with the rest of the Centaurify team—they will provide the thought leadership that is desperately needed within the music and performing industry. This thought leadership is already apparent through the steps the team has already taken—such as choosing the advanced & egalitarian Cardano blockchain to build their cutting edge platform and the decision to provide governance mechanisms to artists and their fans.

There is certainly much more to come from this music-based Norwegian startup, which has the vision to make things right by providing a system which will resolve all the issues that have plagued the music & performing industry.

Follow their social media and explore their website—to find out how you can participate in realizing the Centaurify vision.

Twitter: https://twitter.com/Centaurify
Telegram: https://t.me/centaurifyofficial
Discord: https://discord.com/invite/v6ZT7Tg72J
Linkedin: https://www.linkedin.com/company/centaurify
Reddit: https://www.reddit.com/r/Centaurify/

WITTY is Building the DeFi Remittance Platform to Become the Crypto Gateway For Africa


WITTY is a fully indigenous African Blockchain FinTech Provider built on the Binance Smart Chain focused on developing Products & Services with the aim of creating a Value Chain in the Decentralized Finance Ecosystem [ DeFi ].

The Vision of WITTY is to play the major role in breaking the third world fence by leveraging Permissionless and Trustless Technologies.

The Mission is to Onboard Africa into the Crypto space one step at a time.

WITTY has identified a big problem in Africa which it intends to solve; it’s a low hanging fruit because no other platform is competing in that space.

WITTY seeks to build a platform that will allow African Merchants/Traders and Businesses to buy Crypto with local currency from their Non-Custodial Peer to Peer Crypto Exchange, convert this Crypto to Fiat Dollar on their Remittance platform and be able to wire Fiat to bank accounts in about 100 countries.

So instead of African traders sourcing fiat dollars at very high exchange rates from the black market in order to pay their Western and Asian trade partners, they can buy crypto on WITTY’s Non-Custodial Peer-to-Peer Crypto Exchange at a far better exchange rate, convert this crypto to dollars on its Crypto Remittance Platform and wire the funds to their trade partners’ bank accounts in nearly 100 countries.

WITTY has secured partnership with a Western Financial Institution to make this happen.

The Market size which WITTY intends to serve is large; according to China’s Ministry of Commerce, trade between China and Africa increased by 40.5% year-on-year in the first seven months of 2021, and was valued at a record high of USD 139.1 Billion.

According to the United Nations Conference on Trade and Development, total trade from Africa to the rest of the world averaged USD 760 Billion in current prices in the period 2015 – 2017.

WITTY launched its IEO on November 19, 2021 and will end on December 18, 2021 or when the total of 304,000 WITTY Tokens have been sold whichever happens first. The IEO is currently live on P2PB2B Exchange and the native token would be available at a discounted price and given the project’s focus on taking on the African continent the chances of token appreciation are high. There are no whales, this means no single individual can manipulate the market. The IEO buyers will be the early token holders as WITTY has not raised any funds until now, which means you stand to benefit the most from the token appreciation.

The WITTY token has a low supply and a very large market size, which means the upside for token appreciation is very high. The total token supply is 20 Million tokens, but the circulating supply is 1 Million tokens and will remain so until April 2023; thereafter there will be a 5% emission from the remaining supply.

As you may already know, Africa has a young population who are very active in the Crypto Space. Nigeria currently has the second-largest trade volume, behind only the USA, so the WITTY IEO provides an amazing opportunity for Crypto Investors to get in early on this gem.

There are two platforms that need to be developed for WITTY to go to Market: the Non-Custodial Peer to Peer Crypto Exchange (where the Merchants will buy Crypto with their local currency) and the Remittance Platform (where the WITTY platform integrates with that of their banking partner to provide users a wire transfer functionality).

The Non-Custodial Peer to Peer Crypto Exchange has already been built, the funds raised from the IEO will enable the completion of the Remittance Platform. The Soft cap for the IEO is $200,000 (Two Hundred Thousand Dollars) while the hard cap is $2,000,000 (Two Million Dollars).

Aside from the Non-Custodial Peer to Peer Exchange and the Remittance platform, WITTY plans to offer a range of other products and services in its ecosystem:

  • Staking Platform
  • Crypto Debit Cards
  • Crypto Payment Gateway
  • Lending Platform
  • Utility Platform
  • WITTY Fund (A percentage of WITTY Revenue will be kept in this fund with the aim of acquiring complementary platforms in a bid to make the WITTY Ecosystem more valuable and the WITTY Token more profitable for holders).

It is instructive to say that while the primary focus of WITTY is the African Market, users from around the globe can use the platform and of course investors from around the globe can leverage on their unique selling point to invest in this gem now before it becomes very popular.

What Features Make WITTY a Go-To Platform For Africans?

WITTY has forged partnerships with financial institutions to serve a large market; Witty Protocol plans to provide a more flexible and low-cost fee for accessing Blockchain products and services within its ecosystem, demonstrating their commitment to promoting Blockchain and Cryptocurrency adoption across Africa.

With the help of the highly innovative and decentralised system, WITTY Project is positioned to tap into the untapped resources in the African remittance market. Here are some of the key features in the WITTY ecosystem that could attract users to the platform.

  • Non-Custodial/Decentralized: WITTY never holds traders’ digital assets; instead, they give users complete control over their digital portfolio, allowing for true decentralisation. The decentralized nature also eliminates the possibility of a single point of failure.
  • Permissionless and Trustless: WITTY is a protocol-driven platform that is primarily powered by Smart Contracts. This means there’s very little room for human error, if any at all.
  • Enhanced Security: The decentralised nature of the WITTY platform means that users’ Digital Assets are secured better. Each user’s Digital Assets are stored in a third-party Non-Custodial wallet, which also gives users access to their Private Keys.
  • Agile & Empathetic Management: WITTY believes that Africans are in a better position to solve Africa’s problems because they understand the terrain and can relate to the challenges. As a result, they are more determined to change the status quo for reasons other than economics.
  • User Centered Products: Their products are designed to meet the needs of non-tech savvy individuals and to provide solutions to long-standing challenges of financial inclusion for people from all walks of life; their user interface is simple to use and navigate.
  • Active Tribe: WITTY users will be part of an active Tribe of people who are genuinely curious about you and your progress.

The [WTY] token is the primary means of payment in the WITTY ecosystem, and all transactions take place on the Binance Smart Chain network. Fortunately, this is in line with their goal of developing a completely new solution that is free of the limitations of traditional financial infrastructures. WITTY ensures consistency in maintaining the integrity of data, which forms the nucleus of the entire WITTY ecosystem, to further boost users’ confidence in their products/services.

The project is also aware of some regulatory concerns about the industry’s proliferation of Cryptocurrencies by some bad actors. So they built a robust system with enhanced end-to-end encryption security while maintaining a user-friendly interface to keep them ahead of the curve.

WITTY Brings a Truly Decentralized Ecosystem For Africa

In 2019, the global remittances market generated over US$700 billion in revenue, and it is expected to grow at a rate of 7-8 percent annually over the next ten years. Remittances are particularly expensive for migrants from Sub-Saharan Africa, with payments of 7.45 percent, which is significantly higher than a large proportion of global transactions and nearly double payments in other parts of the world.

The application of Blockchain technology in the finance industry, particularly in remittances and trade settlement, is the antidote to the world’s long-standing bottlenecks in the financial services sector. And, thanks to their validation blocks algorithm, most Blockchains, such as Ripple and Stellar Lumens, can process over 4000 transactions in real-time within milliseconds. The WITTY ecosystem provides a range of products and services that promote financial inclusion while also contributing to a level of transparency and a reasonable fee structure in the payments industry.

WITTY offers a wide range of products and services that promote financial inclusion and contribute to a fee structure that is reasonable and transparent.

To buy WITTY at a discounted price during the ongoing Private Sale, visit p2pb2b.io

To learn more about WITTY visit Wittytech.io

Telegram: https://t.me/WittyClubOfficial
Facebook: https://facebook.com/groups/marketingonfire

MoneyTree: The P2E NFT GameFi & DeFi Platform You Must Watch Out For


Non-Fungible Tokens, aka NFTs, have become one of the most popular use cases to come out of the crypto world this year. Almost every mainstream brand and celebrity has got involved with NFTs this bull season; however, the NFT ecosystem has evolved a long way from its early days of tokenizing art and celebrity memorabilia. NFT projects are now combining the best of two worlds, i.e. video games and cryptocurrencies. Users get to play the game while winning valuable tokens in return that can be exchanged or traded on mainstream platforms. However, most of the projects being launched today are either outright bad or just trying to milk the trend, as most of these P2E games lack variety and engrossing gameplay, while many others turn out to be outright scams due to the heavy centralization in the project. A new P2E NFT gaming project, MoneyTree, has taken a different approach.

Many projects have a high degree of centralization, which creates a single point of failure while also lowering investor confidence in the security and immutability of assets and NFTs. In the case of NFTs, they are frequently stored on a centralised server or cloud service, which goes against the blockchain principle and allows developers to move and edit the assets as they see fit. Many projects are attempting to enter the Metaverse and P2E race with empty promises, limited functionality at launch, and unfulfilled roadmaps.

Money Tree has taken a fully decentralized approach where all the processes happen entirely on-chain with no external inputs or APIs. Being built on top of the Binance Smart Chain helps in scaling the ecosystem while it also reduces the overall complexity of the games that can be developed. The Money Tree platform includes a number of luck-based GameFi mini-games, as well as 1 million NFTs and DeFi systems, all of which are built into the smart contract and available right away. Money Tree uses Chainlink VRF to achieve true randomness on the blockchain. This allows users to operate on the platform without fear of tampering because all results are tamper-proof and recorded on the blockchain.

The 1 Million NFT Collection

The 1 million deflationary NFTs generated at random are all unique and use over 2500 different assets. The NFTs are available in a variety of rarities, ranging from Common to Legendary. Although there are a lot of Common NFTs, there are only about 30k Legendary NFTs. The better the Attack, Health, and Magic stats are, the rarer the NFT; these will be used in a future game releasing in Q1. Rarer NFTs have rarer assets and colours, giving them a more distinct and special feel. The NFTs have a deflationary effect! Using the NFT upgrade dApp, two NFTs of the same rarity can be burned and upgraded to a rarer version. An NFT lottery is automatically run every week. The names of all NFT owners are entered, and a random NFT is chosen as the winner.

The 1 million NFTs are hosted on IPFS and pinned with Pinata. There are 5 rarities; 2 NFTs can be burned and combined into one random NFT of a higher rarity. NFTs can be purchased through the built-in marketplace or by purchasing a random loot box; 90% of the $MONEY from NFT purchases is sent to a dividends wallet and the remaining 10% is burned. Every transaction incurs a 5% tax: 2% goes into LP, 2% goes into the lottery as BNB, and 1% goes to marketing as BNB.

Money Tree entered the Metaverse and P2E blockchain revolutions one month ago, with a large collection of GameFi & DeFI functionality available to investors and players alike from the start. Visit the Money Tree website or join the Telegram community to learn more.

What Separates MoneyTree From Other P2E Projects?

MoneyTree is a robust P2E NFT gaming ecosystem with in-game tokens for players. While most of the other projects out there are still trying to figure out the best of two worlds, MoneyTree is not just offering one game for everyone to play, rather a series of games that would keep all types of traders engaged while winning the rare NFTs and in-game tokens.

A weekly BUSD lottery is available to holders of the $MONEY token. The jackpot grows over the course of the week and is equal to 2% of the total volume. The lottery pays out in BUSD, so the price of the token is unaffected. Every week, all holders are automatically entered for free. The higher the number of $MONEY tokens in a wallet, the better the chances of winning. The entire system is decentralised, and the four weekly lotteries have collectively paid out more than $100,000.

The $MONEY token serves as the platform’s underlying currency, and it can be used to play all of the available mini-games. These mini-games are all based on luck and are statistically fair, which means there is no house edge and players keep 100% of their winnings. Many of the games can be compared to a decentralised casino; for example, the game Gridlock is similar to Roulette but without the zero. This means that players can play hundreds of games and their tokens will stay the same on average. Because all of the processes are built on the blockchain, users can interact with the Money Tree platform via dApps on the website or directly on BSCScan if they prefer.

Money Tree and Coinmarketcap.com recently ran a series of promotions in which users could redeem Coinmarketcap Diamonds for a chance to win Money Tree NFTs and $MONEY tokens. Both events drew a huge crowd, with all Money Tree mystery boxes selling out in a matter of seconds. Money Tree allows users to buy their own loot boxes using either BNB or $MONEY tokens directly from the website. These loot boxes guarantee an NFT of Uncommon to Legendary rarity. The Money Tree team has also recently locked the developer wallet until 2024.

To learn more about MoneyTree visit Moneytreecoin.io

Twitter: https://twitter.com/moneytreecoin
Telegram: https://t.me/moneytreecoin
Docs: https://en-guide.moneytreecoin.io/

CoinGecko Joins the RFOX VALT as a Marquee Client as It Enters the Metaverse


The World’s Largest Independent Cryptocurrency Data Aggregator to Explore New Opportunities in the Metaverse.

25 November 2021 18:00 Vietnam, Ho Chi Minh (RFOX)—Today, metaverse company RFOX (RedFOX Labs) announced its plans to welcome CoinGecko to its virtual world, the RFOX VALT, as a Marquee Client. The RFOX VALT, a virtual world focused on shopping, retail, and entertainment experiences, will introduce CoinGecko to the metaverse space and offer its users, community, and clients a chance to interact with its products and services in virtual reality (VR).

“CoinGecko, the largest independent cryptocurrency data aggregator, will soon be appearing in the RFOX VALT in VR.”

Founded in 2014, CoinGecko has a mission to democratize the access of crypto data and empower users with actionable insights. In addition to providing valuable insights, cryptocurrency reports, and numerous publications, CoinGecko is also considered a thought leader in the blockchain space, hosting numerous events and meetups globally.

“CoinGecko is truly a market leader in their field and a highly respected company in the crypto space,” said Ben Fairbank CEO and co-founder of RFOX. “We have had nothing but frictionless experiences with the team and have watched their rise over the last few years to become a household name in the crypto market. It gives us great pleasure to see such a progressive company join the RFOX VALT.”

With the recent announcement by Facebook stating they would spend upwards of $10 billion to develop a metaverse, the topic has become hot news globally. For companies like RFOX, who have been building their metaverse since 2018, this is welcome exposure and, more importantly, awareness for new users of what a metaverse is and does.

“The metaverse sector is growing at a very rapid pace. We at CoinGecko are excited to participate in RFOX VALT and build in this decentralized metaverse. We will inevitably be spending a lot of time in the metaverse very soon and can’t wait for this future to come along,” said Bobby Ong, co-founder and COO of CoinGecko.

CoinGecko will join the RFOX VALT Callinova quarter as a marquee client. CoinGecko will be able to offer its products and services to its users through new mediums, including VR.

About RFOX

Based in Southeast Asia and established in 2018, RFOX is a blockchain metaverse company. Building in the fastest growing sectors of the internet economy, RFOX builds interoperable companies and applications that are showcased in a virtual world called the RFOX VALT. RFOX has established ventures in RFOX Games (a play-to-earn NFT Gaming platform), RFOX Finance (DeFi Protocol), RFOX TV, RFOX Media (which acquired MYMEDIA MYANMAR with 13 million active users), and RFOX NFT. The RFOX ecosystem is powered by its currency token RFOX and rewards users through its VFOX rewards token.

About CoinGecko

Since 2014, CoinGecko has been the trusted source of information by millions of cryptocurrency investors. Its mission is to empower the cryptocurrency community with a 360-degree overview of the market. CoinGecko provides comprehensive information from thousands of data points such as price, trading volume, market capitalization, and more. It currently tracks over 11,000 crypto assets from over 500 exchanges worldwide. For more information, visit https://www.coingecko.com.