Lazarus hits cryptocurrency exchange with fake installer and macOS malware

Kaspersky Lab has been assisting with incident response efforts. While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email. It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate looking website and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to. There have been multiple reports on the reappearance of Fallchill, including one from US-CERT.

To ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including macOS. A version for Linux is apparently coming soon, according to the website. It’s probably the first time we have seen this APT group using malware for macOS.

The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms.

Trojanized cryptocurrency trading application

Thanks to Kaspersky Lab’s malicious-behavior detection technology, implemented in its endpoint security software, we were able to reassemble the stages of infection and trace them back to their origin. This helped us understand that one of Lazarus’ victims was infected with malware after installing a cryptocurrency trading program. We also confirmed that the user installed this program via a download link delivered over email.

Trojanized trading application for Windows

Embedding malicious code in distributed software and putting that on a website would be too obvious. Instead, the attackers went for a more elaborate scheme: the trojan code was pushed out in the form of an update for a trading application.

A legitimate-looking application called Celas Trade Pro from Celas Limited showed no signs of malicious behaviour and looked genuine. This application is an all-in-one style cryptocurrency trading program developed by Celas.

Screenshot of Celas Trade Pro

When we started this research, any user could download the trading application from the Celas website. Checking the installation package downloaded from the website confirmed the presence of a very suspicious updater.

Installation package download page

We have analyzed the following Windows version of the installation package:

MD5: 9e740241ca2acdc79f30ad2c3f50990a
File name: celastradepro_win_installer_1.00.00.msi
File type: MSI installer
Creation time: 2018-06-29 01:16:00 UTC

At the end of the installation process, the installer immediately runs the Updater.exe module with the “CheckUpdate” parameter. This file looks like a regular tool and most likely will not arouse the suspicion of system administrators. After all, it even contains a valid digital signature, which belongs to the same vendor. But the devil is in the detail, as usual.

The code writer developed this project under the codename “jeus”, which was discovered in a PDB path included in the updater and used as unique HTTP multipart message data separator string. Because of this, and the fact that the attacked platforms include Apple macOS, we decided to call this Operation AppleJeus.

Properties of the shady updater tool included in the package are:

MD5: b054a7382adf6b774b15f52d971f3799
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Known file name: %Program Files%\CelasTradePro\Updater.exe
Link Time: 2018-06-15 10:56:27 UTC
Build path: Z:\jeus\downloader\downloader_exe_vs2010\Release\dloader.pdb

The main purpose of Updater.exe is to collect the victim’s host information and send it back to the server. Upon launch, the malware creates a unique string with the format string template “%09d-%05d” based on random values, which is used as a unique identifier of the infected host. This malware collects process lists, excluding “[System Process]” and “System” processes and gets the exact OS version from the registry value at “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion”. It seems that such values only exist from Windows 10, so we assume that the author developed and tested it on Windows 10.

  • ProductName: Windows OS version
  • CurrentBuildNumber: Windows 10 build version
  • ReleaseID: Windows 10 version information
  • UBR: Sub version of Windows 10 build
  • BuildBranch: Windows 10 build branch information

The code encrypts the collected information with the hardcoded XOR key (“Moz&Wie;#t/6T!2y“) before uploading it to the server.

Data encryption routine

The code sends the victim’s information to a webserver using HTTP and the following URL:
www.celasllc[.]com/checkupdate.php

The server is a legitimate looking website owned by the developer of the program: Celas LLC. At this point we were not able to conclude with high confidence whether the server was compromised by the threat actor or had belonged to the threat actor from the beginning. To learn more about the server, please read the “Infrastructure” section below.

The malware used a hardcoded User-Agent string “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)” and a fixed multipart form data separator string “jeus”.

Using encryption and a custom separator string wouldn’t be a red flag for a legitimate application, but sending a request with the context-irrelevant string “get_config”, as well as uploading collected system information as “temp.gif”, mimicking a GIF image with a magic number in the header, definitely made us raise our eyebrows.

Communication with the C2 server

After successfully uploading data, the updater checks the server response. If the server responds with HTTP code 300, it means the updater should keep quiet and take no action. However, if the response is HTTP code 200, it extracts the payload with base64 and decrypts it using RC4 with another hardcoded key (“[email protected]%Df324V$Yd“). The decrypted data is an executable file that is prepended with the “MAX_PATHjeusD” string.

During our research, we found other similar files. One was created on August 3rd and another on August 11th. The PDB path shows that the author keeps improving this updater tool, apparently forked from some stable version released on July 2, 2018 according to the internal directory name.

Additional trojanized sample #1
Installation package MD5: 4126e1f34cf282c354e17587bb6e8da3
Package creation date: 2018-08-03 09:57:29
Dropped updater MD5: ffae703a1e327380d85880b9037a0aeb
Updater creation date: 2018-08-03 09:50:08
Updater build path: H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000009\Release\dloader.pdb

Additional trojanized sample #2
Installation package MD5: 0bdb652bbe15942e866083f29fb6dd62
Package creation date: 2018-08-13 0:12:10
Dropped updater MD5: bbbcf6da5a4c352e8846bf91c3358d5c
Updater creation date: 2018-08-11 7:28:08
Updater build path: H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000006\Release\dloader.pdb

Note the TManager directory in the PDB paths above. It will pop up again in another unexpected place later.

Trojanized trading program for macOS

For macOS users, Celas LLC also provided a native version of its trading app. A hidden “autoupdater” module is installed in the background to start immediately after installation, and after each system reboot. It keeps contacting the command and control (C2) server in order to download and run an additional executable from the server. The communication conforms to the Windows version of the updater and is disguised as an image file upload and download, while carrying encrypted data inside.

We have analyzed the following installation file:

MD5: 48ded52752de9f9b73c6bf9ae81cb429
File Size: 15,020,544 bytes
File Type: DMG disk image
Known file name: celastradepro_mac_installer_1.00.00.dmg
Date of creation: 13 July 2018

Once the Celas Trade Pro app is installed on macOS, it starts the Updater application at system load via a file named “.com.celastradepro.plist” (note that it starts with a dot symbol, which makes it unlisted in the Finder app or default Terminal directory listing). The “Updater” file is passed the “CheckUpdate” parameter on start.

Celas Trade Pro app plist file (Apple Property List)

The command-line argument “CheckUpdate” looks redundant from a code analysis perspective: there is no other argument that the application expects. In the absence of all arguments, it doesn’t do anything and quits. This may or may not be a way to trick sandboxes that could automatically execute this trojan updater, with no suspicious activity produced without such a “secret” extra argument. The choice of a benign string such as “CheckUpdate” helps it to hide in plain sight of any user or administrator looking into running processes.

The trojanized updater works similarly to the Windows version in many ways. Both applications are implemented using the cross-platform Qt framework. Upon launch, the downloader creates a unique identifier for the infected host using a “%09d-%06d” format string template. Next, the app collects basic system information, which for macOS is done via dedicated Qt classes:

  • Host name
  • OS type and version
  • System architecture
  • OS kernel type and version

The process of encrypting and transferring data is the same as in the Windows version. This information is XOR-encrypted with the hardcoded 16-byte static key “Moz&Wie;#t/6T!2y”, prepended with a GIF89a header and uploaded to the C2 server via HTTP POST to the following URL:

https://www.celasllc[.]com/checkupdate.php
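The upload format described for both the Windows and macOS updaters (multipart separator “jeus”, a “temp.gif” part, GIF89a header, XOR-encrypted host data) can be decoded from a captured request body as follows. This is an added analyst example, not code from the original report; it assumes the key is applied as a repeating XOR, and the form field names and host data in the sample are constructed.

```python
from itertools import cycle

XOR_KEY = b"Moz&Wie;#t/6T!2y"  # 16-byte key quoted in the report
GIF_MAGIC = b"GIF89a"          # header prepended to the encrypted data
BOUNDARY = b"jeus"             # multipart separator string from the report

# Constructed host data; the ID follows the report's "%09d-%05d" template.
CONSTRUCTED_HOST_INFO = (
    b"000123456-04242\nWindows 10 Pro\n17134\n1803\nexplorer.exe\nchrome.exe"
)


def xor_repeat(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR. Assumption: the report does not say how the key is
    stepped over the data; cycling it is the usual construction."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def split_multipart(body: bytes, boundary: bytes = BOUNDARY):
    """Yield (headers, payload) for each part of a multipart/form-data body."""
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):        # closing delimiter "--jeus--"
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, sep, payload = chunk.partition(b"\r\n\r\n")
        if not sep:
            continue                       # malformed part without a header block
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = (
                value.strip().decode("latin-1")
            )
        if payload.endswith(b"\r\n"):      # CRLF that precedes the next delimiter
            payload = payload[:-2]
        yield headers, payload


def decode_upload(body: bytes):
    """Return the decrypted host data from the temp.gif part.

    Returns None when there is no such part or it lacks the GIF89a header,
    i.e. when the body does not match the format described in the report.
    """
    for headers, payload in split_multipart(body):
        if 'filename="temp.gif"' not in headers.get("content-disposition", ""):
            continue
        if not payload.startswith(GIF_MAGIC):
            return None
        return xor_repeat(payload[len(GIF_MAGIC):])
    return None


def build_constructed_capture(host_info: bytes = CONSTRUCTED_HOST_INFO) -> bytes:
    """Build a constructed request body standing in for a packet capture.
    The field names "type" and "file" are hypothetical."""
    return b"\r\n".join([
        b"--jeus",
        b'Content-Disposition: form-data; name="type"',
        b"",
        b"get_config",
        b"--jeus",
        b'Content-Disposition: form-data; name="file"; filename="temp.gif"',
        b"Content-Type: image/gif",
        b"",
        GIF_MAGIC + xor_repeat(host_info),
        b"--jeus--",
        b"",
    ])


if __name__ == "__main__":
    decoded = decode_upload(build_constructed_capture())
    print(decoded.decode("ascii") if decoded else "no matching temp.gif part")
```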

POST request template strings

The module relies on a hardcoded User-Agent string for macOS:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Once the server replies, the updater checks the HTTP response code. HTTP response code 300 indicates that the server has no task for the updater, and the application terminates immediately. If the HTTP response code is 200, the updater takes the data in the response, decodes it from base64 and decrypts it using RC4 with the hardcoded static key “[email protected]%Df324V$Yd”. It calculates the MD5 of the decoded and decrypted data and compares it to a value stored inside, to verify the integrity of the transferred file. After that, the updater extracts the payload, saves it to the hardcoded file location “/var/zdiffsec”, sets executable permissions for all users and starts the app with another secret hardcoded command-line argument, “bf6a0c760cc642”. Apparently the command-line argument is the way to prevent the detection of its malicious functionality via sandboxes or even reverse engineering. We have previously seen this technique adopted by Lazarus group in 2016 in attacks against banks. As of 2018, it is still using this in almost every attack we investigated.
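The network traits described for the Windows and macOS updaters (the checkupdate.php POST, the “jeus” separator, the two hardcoded User-Agent strings and the HTTP 300 “no task” reply) can be combined into a proxy-log detection. This is an added example, not part of the original report; the tab-separated log layout, the scoring weights and all sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit

C2_HOST = "www.celasllc[.]com".replace("[.]", ".")  # defanged in the report
WIN_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
MAC_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36")
UPDATER_UAS = {WIN_UA, MAC_UA}
BOUNDARY_RE = re.compile(r'boundary="?([^";\s]+)', re.I)
ALERT_THRESHOLD = 4  # constructed weighting: one strong trait plus one weak one

# Constructed proxy log: time, client, method, URL, status,
# request Content-Type, User-Agent (tab-separated).
SAMPLE_LOG = ["\t".join(row) for row in [
    ("2018-07-20T08:01:12Z", "10.0.4.17", "POST",
     "http://" + C2_HOST + "/checkupdate.php", "300",
     "multipart/form-data; boundary=jeus", WIN_UA),
    ("2018-07-20T08:03:40Z", "10.0.4.52", "POST",
     "https://" + C2_HOST + "/checkupdate.php", "200",
     "multipart/form-data; boundary=jeus", MAC_UA),
    # Benign updater that happens to use the same script name.
    ("2018-07-20T08:05:02Z", "10.0.4.23", "POST",
     "https://updates.example.org/checkupdate.php", "200",
     "multipart/form-data; boundary=----WebKitFormBoundaryQx7",
     "ExampleUpdater/2.1"),
    # Real browser sharing the Chrome 66 User-Agent string.
    ("2018-07-20T08:06:31Z", "10.0.4.31", "GET",
     "https://news.example.com/", "200", "-", MAC_UA),
    # Same protocol fingerprint against a host that is not a known indicator.
    ("2018-07-20T08:09:55Z", "10.0.4.88", "POST",
     "http://cdn.example.net/checkupdate.php", "300",
     "multipart/form-data; boundary=jeus", WIN_UA),
]]


def parse_line(line: str) -> dict:
    ts, client, method, url, status, ctype, ua = line.rstrip("\n").split("\t")
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "ctype": ctype, "ua": ua}


def score_event(ev: dict) -> list:
    """Return (indicator, weight) pairs for every updater trait the event shows."""
    hits = []
    url = urlsplit(ev["url"])
    is_post = ev["method"] == "POST"
    if url.hostname == C2_HOST:
        hits.append(("c2_host", 3))
    if is_post and url.path.lower().endswith("/checkupdate.php"):
        hits.append(("checkupdate_post", 1))   # weak: a plausible benign name
    match = BOUNDARY_RE.search(ev["ctype"])
    if match and match.group(1) == "jeus":
        hits.append(("jeus_boundary", 3))      # strong: project codename
    if is_post and ev["status"] == 300:
        hits.append(("http_300_reply", 2))     # "no task" answer to an upload
    if ev["ua"] in UPDATER_UAS:
        hits.append(("hardcoded_ua", 1))       # weak: shared with real browsers
    return hits


def detect(lines, threshold: int = ALERT_THRESHOLD) -> list:
    """Return one alert per log line whose combined weight reaches the threshold."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        hits = score_event(ev)
        score = sum(weight for _, weight in hits)
        if score >= threshold:
            alerts.append({"client": ev["client"], "url": ev["url"],
                           "score": score,
                           "indicators": [name for name, _ in hits]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["client"], alert["score"], ",".join(alert["indicators"]))
```

The last constructed line shows why the protocol traits are scored separately from the domain: the match survives a change of C2 host.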

Downloaded payload

According to data from Kaspersky Security Network, the threat actor delivered the malicious payload using one of the shadowy updaters described above. We found a malicious file created at the same host:

MD5: 0a15a33844c9df11f12a4889ae7b7e4b
File Size: 104,898,560 bytes
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Known file name: C:\Recovery\msn.exe
Link time: 2018-04-19 13:30:19

Note the unusually large size for an executable file. We believe that it was inflated with junk data on purpose to prevent easy download or transfer over the internet.

Searching for the reason for the malware’s appearance on the system revealed that there was an additional process responsible for producing several files before this malware was launched, suggesting a trojan dropper in action. The main function of this malware is to implant the Fallchill backdoor loader linked to several files. Upon launch, the malware checks one of the command-line arguments passed to it. The malware chooses one of the service names located in the following registry value as a disguise:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs

This value includes a list of several dozen standard system service names.

The randomly chosen service name is used to name the dropped file and newly registered Windows service. Let’s refer to this randomly chosen service name as [service]. The malware contains references to several files inside:

  • The file passed as argument: contains a 16-byte key
  • msncf.dat: Encrypted configuration data
  • msndll.tmp: Encrypted Fallchill loader
  • msndll.dat: Encrypted Fallchill backdoor (payload for the loader)
  • [service]svc.dll: Fallchill backdoor loader
  • [service].dat: Copy of msndll.dat

A mix of the above-mentioned files produces the final backdoor known as Fallchill. A more detailed procedure for technical specialists is as follows:

  1. Check whether the command-line argument points to a file of 16 byte size.
  2. Read the file passed via the command-line argument. The contents of this file contain a crypto key, which we will call the main key.
  3. Open the msncf.dat file (configuration file). If the file size equals 192 bytes, read the content of the file.
  4. Open msndll.tmp file and decrypt it using the main key.
  5. Create the [service]svc.dll file and fill it with pseudo-random data.
    1. The malware fills the file with 10,240 bytes of pseudo-random data, and iterates (rand() % 10 + 10240) times. This is why it produces files which are at least 104,851,000 bytes.
  6. Copy the 16-byte main key at the end of the [service]svc.dll file.
  7. Encrypt the [service].dat file name with the main key and append it at the end of [service]svc.dll.
  8. Overwrite the beginning of [service]svc.dll with data decrypted from msndll.tmp.
  9. Move msndll.dat file to [service].dat.
  10. Delete temporary files: msndll.tmp, msncf.dat, msndll.log.
  11. Timestamp [service]svc.dll and [service].dat files.
  12. Register [service]svc.dll as a Windows service.
  13. Save a copy of data from msncf.dat file in the following registry value
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description.

Infection process diagram

Fallchill backdoor loader

We confirmed that the following malware was created on the infected host using the method described above:

Fallchill backdoor loader:

MD5: e1ed584a672cab33af29114576ad6cce
File Size: 104,878,356 bytes
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Known file name: C:\Windows\system32\uploadmgrsvc.dll
Link time: 2018-01-18 01:56:32

Encrypted Fallchill backdoor:

MD5: d8484469587756ce0d10a09027044808
File Size: 143,872 bytes
File Type: encrypted data
Known file name: C:\Windows\system32\uploadmgr.dat

Upon starting, uploadmgrsvc.dll reads 276 bytes from the end of its own executable file. The first 16 bytes of this 276-byte data are used as a decryption key, and the remaining 260 bytes contain the encrypted file path used by the backdoor.

Data at the end of the loader module

After decryption of the last 260 bytes, the malware retrieves the name or path of the file that contains the actual backdoor body in encrypted form.
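For triage of a suspect service DLL, the layout described above (executable at the start, pseudo-random filler, then a 276-byte trailer holding a 16-byte key and a 260-byte encrypted path) can be checked and the trailer extracted without running the file. This is an added example, not code from the original report; the entropy threshold and sample window are assumptions, the sample file is constructed, and since the report does not name the decryption routine the example stops at extraction.

```python
import math
import os
from collections import Counter

KEY_LEN, PATH_LEN = 16, 260
TRAILER_LEN = KEY_LEN + PATH_LEN   # 276 bytes read from the end of the file
MIN_LOADER_SIZE = 104_851_000      # minimum dropped-file size given in the report
ENTROPY_SAMPLE = 64 * 1024         # assumption: filler window checked before the trailer
ENTROPY_FLOOR = 7.5                # assumption: bits/byte expected of random filler


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def inspect_loader(path: str, min_size: int = MIN_LOADER_SIZE):
    """Describe how closely a file matches the loader layout.

    Returns None for files too small to hold the trailer, otherwise a dict
    with the extracted key, the still-encrypted path and the layout verdict.
    """
    size = os.path.getsize(path)
    if size < TRAILER_LEN + 2:
        return None
    with open(path, "rb") as fh:
        magic = fh.read(2)
        start = max(2, size - TRAILER_LEN - ENTROPY_SAMPLE)
        fh.seek(start)
        filler = fh.read(size - TRAILER_LEN - start)
        trailer = fh.read(TRAILER_LEN)
    entropy = shannon_entropy(filler)
    is_pe = magic == b"MZ"
    oversized = size >= min_size
    return {
        "size": size,
        "is_pe": is_pe,
        "oversized": oversized,
        "filler_entropy": entropy,
        "key": trailer[:KEY_LEN],
        "encrypted_path": trailer[KEY_LEN:],
        "matches_layout": is_pe and oversized and entropy >= ENTROPY_FLOOR,
    }


def build_constructed_loader(path: str, total_size: int, key: bytes) -> None:
    """Write a harmless constructed file with the same layout for testing:
    an 'MZ' stub, random filler, then key + placeholder 260-byte blob."""
    stub = b"MZ" + bytes(1022)
    filler = os.urandom(total_size - len(stub) - TRAILER_LEN)
    with open(path, "wb") as fh:
        fh.write(stub + filler + key + b"\xaa" * PATH_LEN)


if __name__ == "__main__":
    import tempfile
    sample = os.path.join(tempfile.mkdtemp(), "constructed_loader.bin")
    build_constructed_loader(sample, 300_000, bytes(range(KEY_LEN)))
    # min_size is lowered only because the constructed sample is small.
    report = inspect_loader(sample, min_size=200_000)
    print(report["matches_layout"], report["key"].hex(),
          round(report["filler_entropy"], 3))
```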

Decrypted file name in the end of loader module

The malware reads the specified file and decrypts it using the same decryption routine. This is how the executable code of the backdoor is produced in memory and executed by the loader. Below is the meta information about the decrypted final payload in memory:

MD5: d7089e6bc8bd137a7241a7ad297f975d
File Size: 143,872 bytes
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Link Time: 2018-03-16 07:15:31

We can summarize the Fallchill backdoor loading process as follows:

Loading the Fallchill backdoor

As mentioned previously, the final payload belongs to a Fallchill malware cluster formerly attributed to the Lazarus APT group. Upon launching, this malware resolves the API function addresses at runtime, and reads the C2 server address from the registry value created during the installation stage:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description

If there is no configuration value, the malware falls back to a default C2 server address.

  • 196.38.48[.]121
  • 185.142.236[.]226

This is a full-featured backdoor that contains enough functions to fully control the infected host. Some of its network protocol commands are described below.

Command ID Description
0x8000 Write current time and configuration data to registry key
0x8001 Send configuration data
0x8002 Replace configuration data in the fixed registry value
0x8003 Execute Windows command, store output in temp file and upload contents to C2
0x8006 Show current working directory
0x8007 Change current working directory
0x8008 Collect process information
0x8009 Terminate process
0x8010 Start new process
0x8011 Create process with security context of the current user
0x8012 Connect to specified host/port
0x8013 Get drive information
0x8014 Directory listing
0x8015 Search a file
0x8019 Write data to a specified file
0x8020 Read contents of specified file and upload to C2 server
0x8021 Compress multiple files to a temp file (name starts with ZD) and upload to C2
0x8023 Wipe specific file
0x8025 Copy file time from another file time (timestamping)
0x8026 Shutdown malware service and self-delete
0x8043 Send “Not Service” unicode string to C2 server (communication test?).

This set of capabilities is very common for many Lazarus backdoors, which have been seen in other attacks against banks and the financial industry in the past years.

Infrastructure

While working on the incident of the cryptocurrency company’s breach, we were curious about the legal status of the Celas LLC company that developed this trojanized trading application.

Celas LLC main homepage.

The website had a valid SSL certificate issued by Comodo CA. However, note that the certificate from this webserver mentions “Domain Control Validated”, which is a weak security verification level for a webserver. It does not mean validation of the identity of the website’s owner, nor of the actual existence of the business. When certification authorities issue this kind of certificate they only check that the owner has a certain control over the domain name, which can be abused in certain ways.

Below is the WHOIS record of the “celasllc.com” domain. The domain name was registered by an individual named “John Broox” with registrant email address “[email protected][.]com”.

The same name of “John Broox” was used inside the installation package of the macOS version of the trading application. The Info.plist properties file describes the package as follows:

It looks at first sight like a legitimate WHOIS record, but something doesn’t really add up here. The domain celasllc.com was the only domain registered with this email address and was exclusively used for domain registration.

The registrant used the Domain4Bitcoins service to register this domain, apparently paying with cryptocurrency. According to open-source intelligence, the address of the WHOIS information is fake, unless it’s the owner of a ramen shop running a cryptocurrency exchange software development studio on the side.

View of the location referred to in the WHOIS record. Image source: Google Maps.

The server hosting celasllc.com (185.142.236.213) belongs to the Blackhost ISP in the Netherlands.

WHOIS record of celasllc.com server

Coincidentally, the Fallchill malware authors also preferred to use the same hosting company to host their C2 server. Moreover, the Celas LLC web server and one of the C2 servers of the Fallchill malware are located in the same network segment of this ISP:

  • Celas LLC infrastructure:
    • 185.142.236.213: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Fallchill malware C2 server:
    • 196.38.48[.]121: South Africa Internet Solutions AS3741
    • 185.142.236[.]226: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Additional attacker’s server from telemetry
    • 80.82.64[.]91: Seychelles Incrediserve Ltd AS29073
    • 185.142.239[.]173: Netherlands Blackhost Ltd. AS174 COGENT-174

However, when you look into the Celas Trade Pro application’s digital signature, including its “Updater”, you will find that this certificate was also issued by Comodo CA, which refers to a company address in the United States.

According to open-source data, this address doesn’t belong to a real business, and looks on maps like a meadow with a small forest and small real estate offering nearby.

Location of Celas LLC, according to its digital certificate

Real estate history of that address

Pivoting the infrastructure a little further brings up some more suspicious things. It appears that the domain referred to two IPs, one of which was linked to a few other suspicious domains, according to PassiveDNS.

Celas LLC linked infrastructure

The owners of the linked infrastructural elements preferred to use several interesting services for hosting and domain registration. All these service providers offer a certain level of anonymity to their customers. Most of them accept Bitcoins as a main payment method to keep their customers anonymous. This is very uncommon for companies running a legitimate business.

Hosting services linked to Celas LLC:

  • Blackhost (https://black.host/)
  • Liberty VPS (https://libertyvps.net/)

Domain registration services linked to Celas LLC:

  • Domains4Bitcoins (https://www.domains4bitcoins.com/)
  • NameCheap (https://www.namecheap.com/)
  • ChangeIP (https://www.changeip.com/)
  • Njalla (https://njal.la/)

All the facts above can make the more sceptical among us doubt the intentions of Celas LLC and the legitimacy of this business. Of course, these facts alone would not be enough to accuse Celas LLC of committing a crime.

Attribution

Kaspersky Lab has previously attributed the Fallchill malware cluster to Lazarus group when it attacked the financial sector around the world. It was also confirmed by other security vendors, and the national CERT of the US.

RC4 key from the older Fallchill

Fallchill malware uses the RC4 algorithm with a 16-byte key to protect its communications. The key extracted from the Fallchill variant used in the current attack is DA E1 61 FF 0C 27 95 87 17 57 A4 D6 EA E3 82 2B.

Current RC4 key of Fallchill

We were able to confirm that some of the older Fallchill malware variants used exactly the same RC4 key. Below are Fallchill malware samples that used the same key (the compilation timestamp may indicate the date of malware creation).

MD5 Timestamp
81c3a3c5a0129477b59397173fdc0b01 2017-05-26 23:37:04
6cb34af551b3fb63df6c9b86900cf044 2017-06-09 17:24:30
21694c8db6234df74102e8b5994b7627 2017-11-07 17:54:19
5ad7d35f0617595f26d565a3b7ebc6d0 2015-10-24 01:52:11
c501ea6c56ba9133c3c26a7d5ed4ce49 2017-06-09 03:59:43
cafda7b3e9a4f86d4bd005075040a712 2017-11-07 17:54:33
cea1a63656fb199dd5ab90528188e87c 2017-06-12 19:25:31
6b061267c7ddeb160368128a933d38be 2017-11-09 17:18:06
56f5088f488e50999ee6cced1f5dd6aa 2017-06-13 08:17:51
cd6796f324ecb7cf34bc9bc38ce4e649 2016-04-17 03:26:56

Same C2 server with older Fallchill

We have confirmed that the C2 server addresses (196.38.48[.]121, 185.142.236[.]226) used in this attack have been used by the older variant of Fallchill.

MD5 Timestamp
94dfcabd8ba5ca94828cd5a88d6ed488 2016-10-24 02:31:18
14b6d24873f19332701177208f85e776 2017-06-07 06:41:27
abec84286df80704b823e698199d89f7 2017-01-18 04:29:29

Overlap of C2 infrastructure

Apparently, the attackers using the Fallchill malware continue to reuse code and C2 server infrastructure over and over again.

According to Kaspersky Security Network, Fallchill was not the only malware used in this attack. There was another backdoor that was used by the threat actor. We omit a full description of this backdoor in the current report to keep the write-up to an acceptable length, but we would like to highlight two important things discovered in it. First, this backdoor was created on 2018-07-12 and revealed an already familiar directory, “TManager”, which we previously saw in the Updater.exe application from the Celas Trade Pro suite:

H:\DEV\TManager\all_BOSS_troy\T_4.2\T_4.2\Server_\x64\Release\ServerDll.pdb

Second, what is probably one of the most interesting findings to come from this additional backdoor was discovered hidden in hardcoded headers used to communicate with C2 server. The Accept-Language HTTP header string revealed a language code associated with North Korea. In our experience, this is something we normally don’t see in malware.

Accept-Language: ko-kp,ko-kr;q=0.8,ko;q=0.6,en-us;q=0.4,en;q=0.2

Accept-Language HTTP header value in the body of the backdoor

Conclusions

The Lazarus APT group’s continuous attacks on the financial sector are not much of a surprise to anyone. A lot of research has been done and published about such attacks. However, we think this case makes a difference. Recent investigation shows how aggressive the group is and how its strategies may evolve in the future.

First of all, Lazarus group has entered a new platform: macOS. There is steadily growing interest in macOS from ordinary users, especially in IT companies. Many developers and engineers are switching to using macOS. Apparently, in the chase after advanced users, software developers from supply chains and some high profile targets, threat actors are forced to have macOS malware tools. We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once.

We cannot say with full certainty whether Celas LLC was compromised and the threat actor abused it to push malware through an update mechanism. However, the multiple successful Lazarus attempts to compromise supply chain companies suggest that it will keep exploring this infection method. From all angles, the Celas LLC story looks like the threat actor has found an elaborate way to create a legitimate-looking business and inject a malicious payload into a “legitimate looking” software update mechanism. Sounds logical: if one cannot compromise a supply chain, why not make a fake one?

This should be a lesson to all of us and a wake-up call to businesses relying on third-party software. Do not automatically trust the code running on your systems. Neither a good-looking website, nor a solid company profile, nor digital certificates guarantee the absence of backdoors. Trust has to be earned and proven. Stay safe!

Blockchain and NFT technology Applications to become New Growth Drivers for Glory Star

Glory Star New Media Group Holdings Limited (NASDAQ: GSMG) (“Glory Star” or the “Company”), a leading digital media platform and content-driven e-commerce company in China, today announced the commencement of the commercial applications of its blockchain and non-fungible token (“NFT”) technologies through its digital copyright management platform (the “Platform”). The Platform will allow Glory Star to further explore business opportunities in NFT assets as potential new growth drivers for the Company.

Interest in NFTs derived from blockchain technology is growing rapidly. According to the latest data from nonfungible.com, the value of the entire NFT market has grown from less than $41 million three years ago to $338 million at the end of 2020, representing an increase of 724%. Furthermore, with the development of the digital global economy, production, operation, consumption, entertainment, and lifestyles are rapidly undergoing a digital transformation. This has led to data becoming one of the most important assets in this new digital economy. Consequently, new challenges in data authentication and authorization have also become important issues to consider, and blockchain technology could play a significant role in alleviating these challenges.

Glory Star’s Platform has been put to use in the Company’s copyright management system for its CHEERS video platform as well as the SaaS, point-redemption, and live-event modules for its CHEERS e-Mall. The Company’s Platform leverages cutting-edge technologies such as blockchain, big data, and artificial intelligence to store the key data for digital intellectual property (“IP”) in a blockchain database. The immutability, traceability, scalability, and transparency of blockchain technology enables the Company’s database to verify the integrity and security of these assets through all registration, search, and other processes. This ensures the credibility of the digital IP and the traceability of user operations to ensure a trustworthy and authoritative copyright platform.

Furthermore, the Company’s Platform offers effective tools for users to streamline copyright validation, storage, protection, and other transactional processes for digital assets to safeguard against copyright infringement. It also provides effective solutions for industry challenges in copyright verification, monitoring, and evidence collection. The Platform also provides digital asset blockchain certificates to validate copyright, deploys a digital-asset DNA database for cross-checking information and generating verification reports to monitor copyright, and leverages blockchain technology to enable the collection of ownership data, confirm the digital asset’s ownership online, and execute copyright transactions to generate funds by trading asset-backed securities through the blockchain. As previously announced, the Company has signed a cooperation agreement with Beijing Minsheng Art Museum to promote the application of NFT technologies for digital content. Both parties plan to further explore the feasibility of minting joint NFT assets and participating in the trading of NFT artwork and other collectible digital assets. In addition, Glory Star will integrate a new category of cultural and art collectibles on the Company’s CHEERS e-Mall platform, which will provide a boost to the circulation and promotion of Chinese artwork and further improve the content ecology on CHEERS applications.

Mr. Bing Zhang, Founder and Chief Executive Officer of Glory Star, commented, “As an innovator in the entertainment industry, we have always actively monitored the digital development of culture, media, and technology with great interest. Our commitment to R&D and investment in new technology has always been critical to our strategy to integrate our product ecosystem with the new digital economy. We are confident that such efforts will enhance the competitiveness of our products and fortify our industry leadership. Going forward, new applications for blockchain technology will be an important focus for us to promote rapid growth not only for Glory Star but for the entire digital content industry as well.”

Plethori is Offering Investment Opportunities into Leading Insurance, NFT, and Oracle Sectors

London, United Kingdom / 23 May 2021 / Plethori, a cryptocurrency ETF investment platform, is offering investment opportunities into leading Insurance, NFT, and Oracle sectors.

In the crypto world, investment opportunities are plenty, but can appear scattered and complex. Plethori plans to help solve this problem. As crypto becomes more mainstream, emerging projects are combining the best of the traditional and decentralized markets in order to offer the greatest investment opportunities to serious investors. One such company is Plethori, a one-of-a-kind cross-chain investment platform built on the Ethereum and Polkadot blockchains. Their goal: to deliver Cryptocurrency Exchange-Traded Funds (ETFs) to the masses via their platforms.

Plethori is a Cryptocurrency ETF Investment Platform that allows the open trading and creation of trustless ETFs by utilizing blockchain technology and layer 2 solutions. The service will allow investors to deposit capital in the form of PLE tokens and invest in a wide range of ETFs enabling investment into entire industries in cryptocurrency such as insurance, oracles, NFTs, Derivatives, Polkadot ecosystem projects, and many more.

The cross-chain investment platform recently partnered with Shield Finance, a multichain DeFi insurance aggregator. Shield Finance has developed an insurance aggregator which enables investors to protect their portfolio against ‘black swan’ events such as hacks, exploits, rug pulls, and market crashes. The partnership will provide Plethori’s users with the power to insure their investments against negative price movement. Shield Finance will deploy Market Crash Protection contracts to cover the $PLE token. Holders will be able to insure their tokens against loss, giving them the ability to sell their $PLE at a guaranteed price (irrespective of current market price). Plethori also has plans to explore deploying the same insurance contracts to cover their range of available ETFs.

Plethori Brings Financial Inclusiveness

Soon to be launched on the Ethereum layer 2 solution Optimism, Plethori will be able to offer their users ultra-low transaction fees and fast trading whilst maintaining high security. The platform shall also provide ERC-721 integration, rewarding ETF creation and trading achievements and gratifying investment and trading. Plethori will utilize the Ethereum and Polkadot ecosystems, empowering traders by providing a wide range of ETF tokens to trade and invest in. This will allow for the leveraging of technology from both blockchains. The service will allow investors to create fully decentralized ETFs that can then be traded, which will earn creators a share of the subsequent transaction fees. The leaderboard system will reward top-performing fund creators with NFTs which give perks on the platform and partner project platforms, such as early access to releases and higher staking APY.

Some of the key features on the platform include: Metamask Wallet connectivity for trustless non-custodial transactions; Blank Wallet integration for secure, private transactions; ultra-low fees on transactions; margin trading; leveraged trading; advanced charting features; detailed asset information; cryptocurrency market analytics; portfolio management tools; PLE token staking and farming and a lot more.

Plethori Governance

Plethori Governance is the governance platform and a community forum where PLE token holders will be able to submit proposals and vote on platform changes which will be vetted and executed by using governance contracts. The community will be able to communicate with other equally dedicated members in the tiered groups on the platform and coordinate and propose changes to the Plethori ecosystem.

The governance structure will be a complex but fair tiered system with each holder initially holding an equal single vote and their vote growing in value in response to certain factors relating to usage and involvement in the ecosystem.

The metrics that will influence the governance tier level and strength of vote are: length of time holding PLE; length of time staking/farming PLE; frequency of usage of the Plethori platform; level of engagement in the Plethori Governance platform; and community contributions.

This system allows for community control, which holds true to the original cryptocurrency ideals of decentralization and democratization.

The PLE token will additionally act as a governance token for the platform giving the community the power to direct the development and advancement of their goals. PLE token holders will be able to vote on the platform to determine fund parameters and new features. They’ll also be able to influence decisions concerning the project such as ETF asset rebalancing or listing/delisting of assets. The changes proposed will be vetted and then voted on through the governance platform. Any changes will be applied automatically via smart contracts.

Conclusion

Plethori is bringing an era of financial inclusiveness through its cross-chain investment platform that offers several investment opportunities via DeFi to one and all. Their interoperable platform allows for seamless trading between the Ethereum and Polkadot ecosystems.

The platform guarantees not simply an aesthetically thought-out UI but also an investor-centric feel that blends form and functionality.

Social Links:

Twitter: https://twitter.com/plethori

Telegram: https://t.me/plethori

Medium: https://medium.com/plethori

ARNO Token is a Real Nano Technology Project for Investment

Today, it is vital for businesses to cut and stabilize costs as much as possible. For industrial systems and processes, energy conservation is becoming a top priority. Art Nano (ARNO) is focused on integrating the use of carbon nanotechnology for energy storage and battery improvement technologies at a time when natural and non-renewable resources are rapidly depleting. Aside from depleting resources, energy storage is a significant concern, as the majority of losses occur during storage and transformation. ARNO has created carbon-based products that, when combined with current battery technology, can provide significant energy savings. The business has prioritized expansion and the creation of a decentralized and efficient distribution system that includes DeFi integration.

The ARNO token project is quickly gaining traction as a promising investment opportunity. This initiative is a focused endeavour to finance the implementation of a scientifically sound, cutting-edge technology into long-standing supply chains in order to update existing and outdated systems that haven’t yet lost their utility. The ARNO token is heavily used in the project’s economic framework, and it serves as the centre of gravity for the entire ecosystem. Also, the most widely used cryptocurrencies, such as Bitcoin and Ethereum, would be excluded. In the project and all of its elements, only ARNO will be used. It’s a high-liquidity project that takes place in the real world.

ARNO token has done its utmost to ensure that the actual state of affairs in the project corresponds to the roadmap and preparation that was done at the outset in order to fulfil the obligations to all the partners. The project is en route to meet its deadline and is on track to achieve its target. The truth is becoming more apparent every day as a result of recent events.

ARNO Joins Forces With The German Patent Office

ARNO has signed a memorandum of understanding with the German Agency for the Protection of Rights and Intellectual Property. It is this entity that will represent the entire project’s interests in matters such as patent filings, trademark registrations, and so on. This is a watershed moment for ARNO, the up-and-coming secondary power solution provider using DeFi and nanotechnology.

The incorporation of a German trademark would include much-needed intellectual property registration, enabling them to move forward with the mass production of their carbon nanotubes, which could be combined with existing battery technology. Furthermore, in the future, they will be responsible for filing patent applications, as well as their registration and receipt, trademarks, and intellectual property in general.

Integrated PayPal Payment Option

In the field of partner fees, there have been several improvements. The PayPal-based payment acceptance system is fully operational after almost three weeks of adjustment and clarification of the complexities, which we consider to be a significant accomplishment. This platform now has the PayPal payment option, allowing customers to buy and sell the native token, ARNO token, with ease. Provided that it would work with DeFi, this would also help them simplify the payment process.

Successful negotiations with Monbat Groups

ARNO is also looking for potential future partners, such as lead-acid battery suppliers, as well as partnering with the Bulgarian government to secure space for the project’s laboratory and production base. In Bulgaria, a management company has already been established to oversee the project’s implementation throughout the European Union’s territory.

Furthermore, in Bulgaria, talks with the Monbat group of companies, one of the largest European manufacturers and distributors of lead-acid batteries, have been fruitful over the last two weeks. An agreement was reached on our project, receiving a portion of the shares in a joint venture for the development of carbon nanomaterials produced by our company at specially designated sites in Bulgaria and the incorporation of technologies developed by us into the final product’s production process.

Samples of the carbon nanomaterials have already been sent for testing, and models of batteries will be manufactured specifically for this project in the near future, with testing of working samples beginning at the factory according to agreed international standards. In addition, the produced samples will be sent to our laboratory for a thorough examination. Furthermore, talks with the Advanced Research and Technologies company are underway to begin designing installations – reactors for the serial processing of carbon nanomaterials that will be used – as well as developing design estimates. This contract is expected to close soon as well.

Conclusion

ARNO is, without a doubt, the future of authentic nanotechnology projects that are ideal for investment. It’s a project with a lot of liquidity that occurs in the real world. The project has already gained traction, and deals are being closed on a regular basis. ARNO Token investments are investments in the high-tech manufacturing of truly essential goods. The project’s benefit is ensured by access to the accumulated funds and the physical development of the project’s capitalization value. ARNO’s promises are becoming a reality with each passing day.


ZHU Announces Plans to Build NFT-based Fan Community

ZHU - Photo Credit: Joey Vitalari

Today, ZHU reveals the details of his plan to build an NFT-based fan community. Beginning with the DREAMROCKS NFT Collection exclusive to Red Rocks concert-goers, an open Zhuman Community token will also be made available for fans worldwide. Fans who attended ZHU’s six-night sold out run at Red Rocks that concluded last night are able to register for community tokens as well as limited-edition moment tokens that include exclusive content from the show they attended. To redeem, showgoers should register using the same email they used to purchase their concert tickets.

Fans of ZHU worldwide will also be able to redeem an open Zhuman Community token. The Zhuman Community token will grant holders access to exclusive content and events to be announced in the coming weeks. ZHU adds, “The fans have shown up so hard these last two weeks at Red Rocks, I’m excited to give something special back to them while also making sure all of my Zhumans worldwide can be a part of the community we’re building.” All DREAMROCKS tokens will be minted and issued on Saturday, May 15th at 12 PM ET. All Zhuman Community tokens will begin minting in the coming weeks. Fans should visit ZHU’s page on the Yellowheart Marketplace for more information and to redeem.

The DREAMROCKS NFT Collection from ZHU is being issued by Night After Night and Yellowheart, the partners behind Kings of Leon’s NFT YOURSELF album release. These releases make ZHU the first artist to build a fan community by issuing free community tokens and the first to issue tokens tied to a live experience.

Casey McGrath, CCO of Night After Night adds, “With this offering, ZHU is setting the tone for how artists should enter the space and use NFTs to create a fan-first model that establishes a long term direct-to-fan pathway.”

“For YellowHeart, democratizing the modern live music experience is our mission. As in-person events start to come back, introducing the many ways NFTs can transform and amplify live music for both artists and fans, in a way that’s better for the environment, is all the more exciting,” said Josh Katz, Founder & CEO of YellowHeart. “It was important to ZHU to have both a carbon-neutral process, as well as offer tokens that are gas-free, so all of his fans could participate in this iconic drop. Since YellowHeart uses Ethereum Layer 2, which uses proof-of-stake, it is the most efficient blockchain solution in terms of gas fees and energy consumption.”

Crypto Investing Re-invented Following BlackDragon’s New Platform Launch

BlackDragon, the early-stage crypto investing fundraising group, has launched its new decentralized blockchain-native platform this Sunday (the 9th of May 2021).

This milestone will make investing both more convenient and simpler for those seeking the highest returns for their capital. With over 1,000 community members and an average ROI of 40x in 2020, BlackDragon has enabled everyday investors to see returns previously only reserved for those with privileged access, extensive crypto networks, and the ability to put in countless hours of dedicated research.

Our newly developed platform is a crypto investors’ one-stop-shop where investors can take comfort knowing that the experienced BlackDragon team has vetted projects and conducted the appropriate due diligence.

The cohesive and beautifully designed app compiles the various projects with the key fundraising data associated with each and provides links to research, key socials, and ROI on previous projects. All the user has to do is bridge their tokens, lock them up to calculate their pro-rata percentage amount, and decide which projects they would like to invest in. Then, with the push of a button, their capital is allocated to prime early-stage projects of their choice.

Apart from sleek UX/UI design, which allows users to easily navigate and search through deals, the app’s biggest innovation is that it runs on the xDAI network, making transactions cheaper, faster, and more efficient. The mechanism allows xDAI tokens to be bridged to and from the ETH blockchain.

And this is where the BlackDragon Token comes into play. The BlackDragon Token (BDT) is an integral part of the BlackDragon investing ecosystem, as it grants access to the platform itself and is used for calculating investment allocations. The way it works is this – if you want a higher project allocation, you need to lock more xBDT.

It is important to note that xBDT tokens can be locked by users via integrated smart contracts, meaning each user gets to decide how many tokens they want to lock/unlock for a certain period. Subsequently, the tokens are locked for 6 months, stimulating stable price appreciation.

BlackDragon currently offers access to their investing services based on the following levels:

Level 0: White Dragon, 250+ BD Tokens, access to 60% of deals

Level 1: Green Dragon, 1,000+ BD Tokens, access to 90% of deals

Level 2: Yellow Dragon, 5,000+ BD Tokens, access to 95% of deals

Level 3: Black Dragon, 10,000+ BD Tokens, access to 100% of deals

If you’re considering getting into crypto investing, but have no idea where to start, or if you’re a seasoned trader and want to save time on research and gain exclusive access to preliminary deals while enjoying a premium UX/UI experience, then BlackDragon is your gateway to convenient and successful crypto gains.

Hashflow Announces $3.2M Seed Round To Bring Professional Market Makers to DeFi, Backed By Dragonfly Capital and Electric Capital

Hashflow, a decentralized exchange connecting DeFi traders with top crypto market makers, has closed a seed funding round of $3.2 million from leading venture capital firms and angel investors. The round was led by Dragonfly Capital and Electric Capital, and joined by IDEO Ventures, Alameda Research, Metastable, Galaxy Digital, Unanimous Capital, and angels including Balaji Srinivasan, Kain Warwick, & Ryan Sean Adams.

Decentralized exchanges on Ethereum have seen rapid growth over the past year, with over $215 billion traded on DeFi alone in Q1 2021. This growth can be credited to the popularity of Automated Market Makers (AMMs), which catalyzed DeFi’s explosive growth by offering a simple and permissionless on-chain trading experience. Hashflow builds upon this foundation laid by AMMs by connecting DeFi traders with top crypto market makers. Using Hashflow, traders can receive price quotes directly from market makers and broadcast trades on-chain using Web3 wallets in a fully trustless manner. By replacing AMM bonding curves with professional market makers, Hashflow offers traders better prices, zero slippage, & the lowest gas costs of any decentralized exchange on Ethereum.

For market makers, Hashflow provides access to the expanding DeFi market while allowing full control over their inventory and pricing strategies. Until now, market makers have had to deploy capital in public liquidity pools, use pre-defined pricing functions, and pay heavy gas fees to change strategies on-chain. With Hashflow, market makers can use bespoke pricing strategies and bridge them on-chain using digital signatures. This gives market makers full control over their capital, and flexibility to adapt to market conditions, using strategies informed by years of experience in centralized markets.

Jon Kol, Director at Galaxy Digital, a leading cryptocurrency investment firm and market maker, commented: “Hashflow is the first project we’ve backed that seamlessly allows market makers to quote prices effectively to DeFi traders.”

Hashflow launched its closed private alpha product this week, with market makers offering price quotes to traders on Ethereum mainnet. In the coming weeks, Hashflow plans to integrate more market makers, and add additional asset pairs that dominate on-chain trading volumes. General audiences will be able to access Hashflow and trade on-chain with market makers by the end of Q2.