Lazarus hits cryptocurrency exchange with fake installer and macOS malware

Kaspersky Lab has been assisting with incident response efforts. While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email. It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate looking website and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to. There have been multiple reports on the reappearance of Fallchill, including one from US-CERT.

To ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including macOS. A version for Linux is apparently coming soon, according to the website. This is probably the first time we have seen this APT group using malware for macOS.

The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms.

Trojanized cryptocurrency trading application

Thanks to Kaspersky Lab’s malicious-behavior detection technology, implemented in its endpoint security software, we were able to reassemble the stages of infection and trace them back to their origin. This helped us understand that one of Lazarus’ victims was infected with malware after installing a cryptocurrency trading program. We also confirmed that the user installed this program via a download link delivered over email.

Trojanized trading application for Windows

Embedding malicious code in the distributed software and putting it on a website would be too obvious. Instead, the attackers went for a more elaborate scheme: the trojan code was pushed out in the form of an update for a trading application.

A legitimate-looking application called Celas Trade Pro from Celas Limited showed no signs of malicious behaviour and looked genuine. This application is an all-in-one style cryptocurrency trading program developed by Celas.

Screenshot of Celas Trade Pro

When we started this research, any user could download the trading application from the Celas website. Checking the installation package downloaded from the website confirmed the presence of a very suspicious updater.

Installation package download page

We have analyzed the following Windows version of the installation package:

MD5: 9e740241ca2acdc79f30ad2c3f50990a
File name: celastradepro_win_installer_1.00.00.msi
File type: MSI installer
Creation time: 2018-06-29 01:16:00 UTC

At the end of the installation process, the installer immediately runs the Updater.exe module with the “CheckUpdate” parameter. This file looks like a regular tool and most likely will not arouse the suspicion of system administrators. After all, it even contains a valid digital signature, which belongs to the same vendor. But the devil is in the detail, as usual.

The code writer developed this project under the codename “jeus”, which was discovered in a PDB path included in the updater and used as unique HTTP multipart message data separator string. Because of this, and the fact that the attacked platforms include Apple macOS, we decided to call this Operation AppleJeus.

Properties of the shady updater tool included in the package are:

MD5: b054a7382adf6b774b15f52d971f3799
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Known file name: %Program Files%\CelasTradePro\Updater.exe
Link Time: 2018-06-15 10:56:27 UTC
Build path: Z:\jeus\downloader\downloader_exe_vs2010\Release\dloader.pdb

The main purpose of Updater.exe is to collect the victim’s host information and send it back to the server. Upon launch, the malware creates a unique string with the format string template “%09d-%05d” based on random values, which is used as a unique identifier of the infected host. The malware collects the process list, excluding the “[System Process]” and “System” processes, and gets the exact OS version from registry values at “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion”. It seems that such values exist only from Windows 10 onwards, so we assume that the author developed and tested it on Windows 10.

  • ProductName: Windows OS version
  • CurrentBuildNumber: Windows 10 build version
  • ReleaseID: Windows 10 version information
  • UBR: Sub version of Windows 10 build
  • BuildBranch: Windows 10 build branch information

The code encrypts the collected information with the hardcoded XOR key (“Moz&Wie;#t/6T!2y”) before uploading it to the server.

Data encryption routine

The code sends the victim’s information to a webserver using HTTP and the following URL:
www.celasllc[.]com/checkupdate.php

The server is a legitimate looking website owned by the developer of the program: Celas LLC. At this point we were not able to conclude with high confidence whether the server was compromised by the threat actor or had belonged to the threat actor from the beginning. To learn more about the server, please read the “Infrastructure” section below.

The malware used a hardcoded User-Agent string “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)” and a fixed multipart form data separator string “jeus”.

Encryption and a custom separator string would not in themselves be a red flag for a legitimate application, but sending a request with the context-irrelevant string “get_config”, as well as uploading collected system information as “temp.gif”, mimicking a GIF image with a magic number in the header, definitely made us raise our eyebrows.

Communication with the C2 server

After successfully uploading data, the updater checks the server response. If the server responds with HTTP code 300, it means the updater should keep quiet and take no action. However, if the response is HTTP code 200, it decodes the payload from base64 and decrypts it using RC4 with another hardcoded key (“[email protected]%Df324V$Yd”). The decrypted data is an executable file that is prepended with the “MAX_PATHjeusD” string.

During our research, we found other similar files. One was created on August 3rd and another on August 11th. The PDB path shows that the author keeps improving this updater tool, apparently forked from some stable version released on July 2, 2018 according to the internal directory name.

| | Additional trojanized sample #1 | Additional trojanized sample #2 |
| --- | --- | --- |
| Installation package MD5 | 4126e1f34cf282c354e17587bb6e8da3 | 0bdb652bbe15942e866083f29fb6dd62 |
| Package creation date | 2018-08-03 09:57:29 | 2018-08-13 0:12:10 |
| Dropped updater MD5 | ffae703a1e327380d85880b9037a0aeb | bbbcf6da5a4c352e8846bf91c3358d5c |
| Updater creation date | 2018-08-03 09:50:08 | 2018-08-11 7:28:08 |
| Updater build path | H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000009\Release\dloader.pdb | H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000006\Release\dloader.pdb |

Note the TManager directory in the PDB path from the table. It will pop up again in another unexpected place later.

Trojanized trading program for macOS

For macOS users, Celas LLC also provided a native version of its trading app. A hidden “autoupdater” module is installed in the background to start immediately after installation, and after each system reboot. It keeps contacting the command and control (C2) server in order to download and run an additional executable from the server. The communication conforms to the Windows version of the updater and is disguised as an image file upload and download, while carrying encrypted data inside.

We have analyzed the following installation file:

MD5: 48ded52752de9f9b73c6bf9ae81cb429
File Size: 15,020,544 bytes
File Type: DMG disk image
Known file name: celastradepro_mac_installer_1.00.00.dmg
Date of creation: 13 July 2018

Once the Celas Trade Pro app is installed on macOS, it starts the Updater application on system load via a file named “.com.celastradepro.plist” (note that it starts with a dot symbol, which makes it unlisted in the Finder app or default Terminal directory listing). The “Updater” file is passed the “CheckUpdate” parameter on start.

Celas Trade Pro app plist file (Apple Property List)

The command-line argument “CheckUpdate” looks redundant from a code analysis perspective: there is no other argument that the application expects. In the absence of all arguments, it doesn’t do anything and quits. This may or may not be a way to trick sandboxes that could automatically execute this trojan updater, with no suspicious activity produced without such a “secret” extra argument. The choice of a benign string such as “CheckUpdate” helps it to hide in plain sight of any user or administrator looking into running processes.
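
Because the job definition is hidden only by its leading dot, it can be found by listing launchd directories with hidden entries included. The following Python is an added example, not code from the report; the launchd directories searched are an assumption (the report names the file, not its location), and the sample plist contents, label and program path are constructed.

```python
import os
import plistlib
import tempfile

# Assumption: the standard launchd search paths. The report names the file,
# not the directory it was dropped in.
LAUNCH_DIRS = (
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    "~/Library/LaunchAgents",
)


def find_hidden_launch_items(directories=LAUNCH_DIRS):
    """Return one finding per dot-prefixed .plist in the given directories."""
    findings = []
    for directory in map(os.path.expanduser, directories):
        try:
            names = sorted(os.listdir(directory))
        except OSError:
            continue  # directory missing or unreadable
        for name in names:
            if not (name.startswith(".") and name.endswith(".plist")):
                continue
            finding = {"path": os.path.join(directory, name), "error": None,
                       "label": None, "command": [], "run_at_load": False}
            findings.append(finding)
            try:
                with open(finding["path"], "rb") as fh:
                    job = plistlib.load(fh)
            except Exception as exc:  # malformed or unreadable: still reported
                finding["error"] = f"{type(exc).__name__}: {exc}"
                continue
            if not isinstance(job, dict):
                finding["error"] = "top-level plist object is not a dictionary"
                continue
            # launchd accepts either ProgramArguments or a single Program key.
            args = job.get("ProgramArguments") or []
            if not args and job.get("Program"):
                args = [job["Program"]]
            finding["label"] = job.get("Label")
            finding["command"] = [str(a) for a in args]
            finding["run_at_load"] = bool(job.get("RunAtLoad"))
    return findings


def write_constructed_samples(directory):
    """Write one hidden and one visible job definition (constructed data)."""
    hidden = {
        "Label": "com.celastradepro",  # constructed label
        "ProgramArguments": [
            "/Applications/Example.app/Contents/MacOS/Updater",  # hypothetical path
            "CheckUpdate",
        ],
        "RunAtLoad": True,
    }
    visible = {"Label": "com.example.visible",
               "ProgramArguments": ["/usr/bin/true"]}
    samples = ((".com.celastradepro.plist", hidden),
               ("com.example.visible.plist", visible))
    for name, job in samples:
        with open(os.path.join(directory, name), "wb") as fh:
            plistlib.dump(job, fh)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_samples(tmp)
        for item in find_hidden_launch_items([tmp]):
            print(item)
```

A hidden plist that fails to parse is still returned, with its `error` field set, since an unreadable hidden job definition deserves a manual look.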

The trojanized updater works similarly to the Windows version in many ways. Both applications are implemented using the cross-platform Qt framework. Upon launch, the downloader creates a unique identifier for the infected host using a “%09d-%06d” format string template. Next, the app collects basic system information, which for macOS is done via dedicated Qt classes:

  • Host name
  • OS type and version
  • System architecture
  • OS kernel type and version

The process of encrypting and transferring data is the same as in the Windows version. This information is XOR-encrypted with the hardcoded 16-byte static key “Moz&Wie;#t/6T!2y”, prepended with a GIF89a header and uploaded to the C2 server via HTTP POST to the following URL:

https://www.celasllc[.]com/checkupdate.php

POST request template strings

The module relies on a hardcoded User-Agent string for macOS:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Once the server replies, the updater checks the HTTP response code. HTTP response code 300 indicates that the server has no task for the updater, and the application terminates immediately. If the HTTP response code is 200, the updater takes the data in the response, decodes it from base64 and decrypts it using RC4 with the hardcoded static key “[email protected]%Df324V$Yd”. It calculates the MD5 of the decoded and decrypted data and compares it to a value stored inside, to verify the integrity of the transferred file. After that, it extracts the payload, saves it to the hardcoded file location “/var/zdiffsec”, sets executable permissions for all users and starts the app with another secret hardcoded command-line argument, “bf6a0c760cc642”. Apparently the command-line argument is the way to prevent the detection of its malicious functionality via sandboxes or even reverse engineering. We have previously seen this technique adopted by Lazarus group in 2016 in attacks against banks. As of 2018, it is still using this in almost every attack we investigated.
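
The upload described for both the Windows and the macOS updater can be recognised in captured traffic and its host report decoded during incident response. The following Python is an added example, not code from the report or from the malware; the form-field layout, the field name `type`, the sample host report and the assumption that the XOR stream starts directly after the 6-byte GIF89a magic are constructed for illustration.

```python
import re

# Values quoted in the report for the Windows and macOS updaters.
XOR_KEY = b"Moz&Wie;#t/6T!2y"
GIF_MAGIC = b"GIF89a"
BOUNDARY = "jeus"
C2_PATH = "/checkupdate.php"
USER_AGENTS = {
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36",
}


def xor_bytes(data, key=XOR_KEY):
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def split_multipart(body, boundary):
    """Split a multipart/form-data body into (raw_headers, content) pairs."""
    delim = b"\r\n--" + boundary.encode("latin-1")
    parts = []
    for chunk in (b"\r\n" + body).split(delim)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        head, sep, content = chunk.partition(b"\r\n\r\n")
        if sep:
            parts.append((head.decode("latin-1"), content))
    return parts


def assess_upload(path, headers, body):
    """Return (matched indicator names, decoded host report or None)."""
    hits, decoded = [], None
    if path.split("?", 1)[0].lower().endswith(C2_PATH):
        hits.append("path")
    if headers.get("User-Agent") in USER_AGENTS:
        hits.append("user-agent")
    match = re.search(r'boundary="?([^";]+)', headers.get("Content-Type", ""))
    if not match:
        return hits, decoded
    boundary = match.group(1).strip()
    if boundary == BOUNDARY:
        hits.append("boundary")
    for head, content in split_multipart(body, boundary):
        if 'filename="temp.gif"' in head:
            hits.append("temp.gif")
            # Assumption: the XOR stream starts right after the 6-byte magic.
            if content.startswith(GIF_MAGIC):
                hits.append("gif-magic")
                decoded = xor_bytes(content[len(GIF_MAGIC):])
        elif content.strip() == b"get_config":
            hits.append("get_config")
    return hits, decoded


# Constructed host report; only the "%09d-%05d" identifier shape is from the report.
CONSTRUCTED_REPORT = b"000123456-01234|host=WS-07|ProductName=Windows 10 Pro|UBR=1234"


def build_constructed_request():
    """Build a sample request (constructed, not captured traffic)."""
    body = (
        b"--jeus\r\n"
        b'Content-Disposition: form-data; name="type"\r\n\r\n'
        b"get_config\r\n"
        b"--jeus\r\n"
        b'Content-Disposition: form-data; name="file"; filename="temp.gif"\r\n'
        b"Content-Type: image/gif\r\n\r\n"
        + GIF_MAGIC + xor_bytes(CONSTRUCTED_REPORT) +
        b"\r\n--jeus--\r\n"
    )
    headers = {
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
        "Content-Type": "multipart/form-data; boundary=jeus",
    }
    return C2_PATH, headers, body


if __name__ == "__main__":
    indicators, report = assess_upload(*build_constructed_request())
    print(indicators)
    print(report)
```

No single indicator here is conclusive on its own; the combination of the fixed separator, the “temp.gif” part carrying non-image data behind a GIF magic number, and the “get_config” string is what makes the request stand out.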

Downloaded payload

According to data from Kaspersky Security Network, the threat actor delivered the malicious payload using one of the shadowy updaters described above. We found a malicious file created at the same host:

MD5: 0a15a33844c9df11f12a4889ae7b7e4b
File Size: 104,898,560 bytes
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Known file name: C:\Recovery\msn.exe
Link time: 2018-04-19 13:30:19

Note the unusually large size for an executable file. We believe that it was inflated with junk data on purpose to prevent easy download or transfer over the internet.

Searching for the reason for the malware’s appearance on the system revealed that there was an additional process responsible for producing several files before this malware was launched, suggesting a trojan dropper in action. The main function of this malware is to implant the Fallchill backdoor loader linked to several files. Upon launch, the malware checks one of the command-line arguments passed to it. The malware chooses one of the service names located in the following registry value as a disguise:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs

This value includes a list of several dozen standard system service names.

The randomly chosen service name is used to name the dropped file and newly registered Windows service. Let’s refer to this randomly chosen service name as [service]. The malware contains references to several files inside:

  • The file passed as argument: contains a 16-byte key
  • msncf.dat: Encrypted configuration data
  • msndll.tmp: Encrypted Fallchill loader
  • msndll.dat: Encrypted Fallchill backdoor (payload for the loader)
  • [service]svc.dll: Fallchill backdoor loader
  • [service].dat: Copy of msndll.dat

A mix of the above-mentioned files produces the final backdoor known as Fallchill. A more detailed procedure for technical specialists is as follows:

  1. Check whether the command-line argument points to a file that is 16 bytes in size.
  2. Read the file passed via the command-line argument. This file contains a crypto key, which we will call the main key.
  3. Open the msncf.dat file (configuration file). If the file size equals 192 bytes, read the content of the file.
  4. Open msndll.tmp file and decrypt it using the main key.
  5. Create the [service]svc.dll file and fill it with pseudo-random data.
    1. The malware fills the file with 10,240 bytes of pseudo-random data, and iterates (rand() % 10 + 10240) times. This is why it produces files which are at least 104,851,000 bytes.
  6. Copy the 16-byte main key at the end of the [service]svc.dll file.
  7. Encrypt the [service].dat file name with the main key and append it at the end of [service]svc.dll.
  8. Overwrite the beginning of [service]svc.dll with data decrypted from msndll.tmp.
  9. Move msndll.dat file to [service].dat.
  10. Delete temporary files: msndll.tmp, msncf.dat, msndll.log.
  11. Timestamp [service]svc.dll and [service].dat files.
  12. Register [service]svc.dll as a Windows service.
  13. Save a copy of data from msncf.dat file in the following registry value
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description.

Infection process diagram

Fallchill backdoor loader

We confirmed that the following malware was created on the infected host using the method described above:

Fallchill backdoor loader:

MD5: e1ed584a672cab33af29114576ad6cce
File Size: 104,878,356 bytes
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Known file name: C:\Windows\system32\uploadmgrsvc.dll
Link time: 2018-01-18 01:56:32

Encrypted Fallchill backdoor:

MD5: d8484469587756ce0d10a09027044808
File Size: 143,872 bytes
File Type: encrypted data
Known file name: C:\Windows\system32\uploadmgr.dat

Upon starting, uploadmgrsvc.dll reads 276 bytes from the end of its own executable file. The first 16 bytes of this 276-byte data are used as a decryption key, and the remaining 260 bytes contain the encrypted file path used by the backdoor.

Data at the end of the loader module

After decryption of the last 260 bytes, the malware retrieves the name or path of the file that contains the actual backdoor body in encrypted form.

Decrypted file name at the end of the loader module

The malware reads the specified file and decrypts it using the same decryption routine. This is how the executable code of the backdoor is produced in memory and executed by the loader. Below is the meta information about the decrypted final payload in memory:

MD5: d7089e6bc8bd137a7241a7ad297f975d
File Size: 143,872 bytes
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Link Time: 2018-03-16 07:15:31

We can summarize the Fallchill backdoor loading process as follows:

Loading the Fallchill backdoor
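
The on-disk traits described above (a very large “[service]svc.dll” next to a “[service].dat” file, with a 276-byte trailer holding a 16-byte key and a 260-byte encrypted path) can be combined into a triage sweep. The following Python is an added example, not code from the report; the printable-byte threshold used to judge whether the trailer looks encrypted is an assumption, and the script does not attempt decryption because the report does not describe the routine.

```python
import os
import sys

MIN_SIZE = 104_851_000   # lower bound the report gives for the inflated loader
TRAILER_LEN = 276        # bytes the loader reads from the end of its own file
KEY_LEN = 16             # first 16 trailer bytes: decryption key


def read_trailer(path):
    """Return (first two bytes, key, encrypted path blob) of a file."""
    with open(path, "rb") as fh:
        magic = fh.read(2)
        fh.seek(-TRAILER_LEN, os.SEEK_END)
        trailer = fh.read(TRAILER_LEN)
    return magic, trailer[:KEY_LEN], trailer[KEY_LEN:]


def looks_encrypted(blob, threshold=0.6):
    """Heuristic (assumption): a plaintext, NUL-padded path is almost entirely
    printable or NUL bytes, while encrypted data is not."""
    plain = sum(1 for b in blob if b == 0 or 0x20 <= b <= 0x7E)
    return bool(blob) and plain / len(blob) < threshold


def hunt_loader_pairs(root, min_size=MIN_SIZE):
    """Find <name>svc.dll files that have a sibling <name>.dat and a large size."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for lower, name in sorted(by_lower.items()):
            if not lower.endswith("svc.dll"):
                continue
            service = lower[: -len("svc.dll")]
            dat = by_lower.get(service + ".dat")
            if not service or dat is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                if size < max(min_size, TRAILER_LEN + 2):
                    continue
                magic, key, blob = read_trailer(path)
            except OSError:
                continue  # locked or unreadable file
            if magic != b"MZ":
                continue
            findings.append({
                "loader": path,
                "payload": os.path.join(dirpath, dat),
                "size": size,
                "key_hex": key.hex(),  # useful for correlating hosts
                "trailer_looks_encrypted": looks_encrypted(blob),
            })
    return findings


if __name__ == "__main__":
    for hit in hunt_loader_pairs(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```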

As mentioned previously, the final payload belongs to a Fallchill malware cluster formerly attributed to the Lazarus APT group. Upon launching, this malware resolves the API function addresses at runtime, and reads the C2 server address from the registry value created during the installation stage:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description

If there is no configuration value, the malware falls back to a default C2 server address.

  • 196.38.48[.]121
  • 185.142.236[.]226

This is a full-featured backdoor that contains enough functions to fully control the infected host. Some of its network protocol commands are described below.

| Command ID | Description |
| --- | --- |
| 0x8000 | Write current time and configuration data to registry key |
| 0x8001 | Send configuration data |
| 0x8002 | Replace configuration data in the fixed registry value |
| 0x8003 | Execute Windows command, store output in temp file and upload contents to C2 |
| 0x8006 | Show current working directory |
| 0x8007 | Change current working directory |
| 0x8008 | Collect process information |
| 0x8009 | Terminate process |
| 0x8010 | Start new process |
| 0x8011 | Create process with security context of the current user |
| 0x8012 | Connect to specified host/port |
| 0x8013 | Get drive information |
| 0x8014 | Directory listing |
| 0x8015 | Search a file |
| 0x8019 | Write data to a specified file |
| 0x8020 | Read contents of specified file and upload to C2 server |
| 0x8021 | Compress multiple files to a temp file (name starts with ZD) and upload to C2 |
| 0x8023 | Wipe specific file |
| 0x8025 | Copy file time from another file time (timestamping) |
| 0x8026 | Shutdown malware service and self-delete |
| 0x8043 | Send “Not Service” unicode string to C2 server (communication test?) |

This set of capabilities is very common for many Lazarus backdoors, which have been seen in other attacks against banks and financial industry in the past years.

Infrastructure

While working on the incident of the cryptocurrency company’s breach, we were curious about the legal status of the Celas LLC company that developed this trojanized trading application.

Celas LLC main homepage.

The website had a valid SSL certificate issued by Comodo CA. However, note that the certificate from this webserver mentions “Domain Control Validated”, which is a weak security verification level for a webserver. It does not mean validation of the identity of the website’s owner, nor of the actual existence of the business. When certification authorities issue this kind of certificate they only check that the owner has a certain control over the domain name, which can be abused in certain ways.

Below is the WHOIS record of the “celasllc.com” domain. The domain name was registered by an individual named “John Broox” with registrant email address “[email protected][.]com”.

The same name of “John Broox” was used inside the installation package of the macOS version of the trading application. The Info.plist properties file describes the package as follows:

It looks at first sight like a legitimate WHOIS record, but something doesn’t really add up here. The domain celasllc.com was the only domain registered with this email address and was exclusively used for domain registration.

The registrant used the Domain4Bitcoins service to register this domain, apparently paying with cryptocurrency. According to open-source intelligence, the address of the WHOIS information is fake, unless it’s the owner of a ramen shop running a cryptocurrency exchange software development studio on the side.

View of the location referred in the WHOIS record. Image source: Google Maps.

The server hosting celasllc.com (185.142.236.213) belongs to the Blackhost ISP in the Netherlands.

WHOIS record of celasllc.com server

Coincidentally, the Fallchill malware authors also preferred to use the same hosting company to host their C2 server. Moreover, the Celas LLC web server and one of the C2 servers of the Fallchill malware are located in the same network segment of this ISP:

  • Celas LLC infrastructure:
    • 185.142.236.213: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Fallchill malware C2 server:
    • 196.38.48[.]121: South Africa Internet Solutions AS3741
    • 185.142.236[.]226: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Additional attacker servers from telemetry:
    • 80.82.64[.]91: Seychelles Incrediserve Ltd AS29073
    • 185.142.239[.]173: Netherlands Blackhost Ltd. AS174 COGENT-174

However, when you look into Celas Trading Pro application’s digital signature, including its “Updater”, you will find that this certificate was also issued by Comodo CA, which refers to a company address in the United States.

According to open-source data, this address doesn’t belong to a real business, and looks on maps like a meadow with a small forest and small real estate offering nearby.

Location of Celas LLC, according to its digital certificate

Real estate history of that address

Pivoting the infrastructure a little further brings up some more suspicious things. It appears that the domain referred to two IPs, one of which was linked to a few other suspicious domains, according to PassiveDNS.

Celas LLC linked infrastructure

The owners of the linked infrastructural elements preferred to use several interesting services for hosting and domain registration. All these service providers offer a certain level of anonymity to their customers. Most of them accept Bitcoins as a main payment method to keep their customers anonymous. This is very uncommon for companies running a legitimate business.

Hosting services linked to Celas LLC:

  • Blackhost (https://black.host/)
  • Liberty VPS (https://libertyvps.net/)

Domain registration services linked to Celas LLC:

  • Domains4Bitcoins (https://www.domains4bitcoins.com/)
  • NameCheap (https://www.namecheap.com/)
  • ChangeIP (https://www.changeip.com/)
  • Njalla (https://njal.la/)

All the facts above can make the more sceptical among us doubt the intentions of Celas LLC and the legitimacy of this business. Of course, these facts alone would not be enough to accuse Celas LLC of committing a crime.

Attribution

Kaspersky Lab has previously attributed the Fallchill malware cluster to Lazarus group when it attacked the financial sector around the world. It was also confirmed by other security vendors, and by the US national CERT.

RC4 key from the older Fallchill

Fallchill malware uses an RC4 algorithm with a 16-byte key to protect its communications. The key extracted from the Fallchill variant used in the current attack is DA E1 61 FF 0C 27 95 87 17 57 A4 D6 EA E3 82 2B.

Current RC4 key of Fallchill

We were able to confirm that some older Fallchill malware variants used exactly the same RC4 key. Below are Fallchill malware samples that used the same key (the compilation timestamp may indicate the date of malware creation).

MD5 Timestamp
81c3a3c5a0129477b59397173fdc0b01 2017-05-26 23:37:04
6cb34af551b3fb63df6c9b86900cf044 2017-06-09 17:24:30
21694c8db6234df74102e8b5994b7627 2017-11-07 17:54:19
5ad7d35f0617595f26d565a3b7ebc6d0 2015-10-24 01:52:11
c501ea6c56ba9133c3c26a7d5ed4ce49 2017-06-09 03:59:43
cafda7b3e9a4f86d4bd005075040a712 2017-11-07 17:54:33
cea1a63656fb199dd5ab90528188e87c 2017-06-12 19:25:31
6b061267c7ddeb160368128a933d38be 2017-11-09 17:18:06
56f5088f488e50999ee6cced1f5dd6aa 2017-06-13 08:17:51
cd6796f324ecb7cf34bc9bc38ce4e649 2016-04-17 03:26:56

Same C2 server with older Fallchill

We have confirmed that the C2 server addresses (196.38.48[.]121, 185.142.236[.]226) used in this attack have been used by the older variant of Fallchill.

MD5 Timestamp
94dfcabd8ba5ca94828cd5a88d6ed488 2016-10-24 02:31:18
14b6d24873f19332701177208f85e776 2017-06-07 06:41:27
abec84286df80704b823e698199d89f7 2017-01-18 04:29:29

Overlap of C2 infrastructure

Apparently, the attackers using the Fallchill malware continue to reuse code and C2 server infrastructure over and over again.

According to Kaspersky Security Network, Fallchill was not the only malware used in this attack. There was another backdoor that was used by the threat actor. We omit a full description of this backdoor in the current report to keep the write-up to an acceptable length, but we would like to highlight two important things discovered in it. First, this backdoor was created on 2018-07-12 and revealed an already familiar directory, “TManager”, which we previously saw in the Updater.exe application from the Celas Trading Pro suite:

H:\DEV\TManager\all_BOSS_troy\T_4.2\T_4.2\Server_\x64\Release\ServerDll.pdb

Second, what is probably one of the most interesting findings to come from this additional backdoor was discovered hidden in hardcoded headers used to communicate with C2 server. The Accept-Language HTTP header string revealed a language code associated with North Korea. In our experience, this is something we normally don’t see in malware.

Accept-Language: ko-kp,ko-kr;q=0.8,ko;q=0.6,en-us;q=0.4,en;q=0.2

Accept-Language HTTP header value in the body of the backdoor

Conclusions

The Lazarus APT group’s continuous attacks on the financial sector are not much of a surprise to anyone. A lot of research has been done and published about such attacks. However, we think this case makes a difference. Recent investigation shows how aggressive the group is and how its strategies may evolve in the future.

First of all, Lazarus group has entered a new platform: macOS. There is steadily growing interest in macOS from ordinary users, especially in IT companies. Many developers and engineers are switching to using macOS. Apparently, in the chase after advanced users, software developers from supply chains and some high profile targets, threat actors are forced to have macOS malware tools. We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once.

We cannot say with full certainty whether Celas LLC was compromised and the threat actor abused it to push malware through an update mechanism. However, the multiple successful Lazarus attempts to compromise supply chain companies suggest that it will keep exploring this infection method. From all angles, the Celas LLC story looks like the threat actor has found an elaborate way to create a legitimate looking business and inject a malicious payload into a “legitimate looking” software update mechanism. Sounds logical: if one cannot compromise a supply chain, why not make a fake one?

This should be a lesson to all of us and a wake-up call to businesses relying on third-party software. Do not automatically trust the code running on your systems. Neither a good-looking website, nor a solid company profile, nor digital certificates guarantee the absence of backdoors. Trust has to be earned and proven. Stay safe!

Interest-Bearing Bonds-Backed Tokens: Generate yield using tokens backed by sovereign bonds

Vaduz, Liechtenstein. January 13 2023. Decentralized Finance Innovator Mimo is launching “KUMA Protocol”: the first DeFi protocol issuing tokens backed by regulated NFTs, themselves backed by sovereign bonds. This launch comes as the FMA (Financial Market Authority Liechtenstein) has approved Mimo for providing blockchain-related services since January 2022.

KUMA tokens, built as a smart contract compatible with most blockchains, are designed to provide holders with a reliable source of passive income through the accrual of interest on their holdings.

KUMA Tokens are NFTs representing bonds that KUMA Generator (a decentralized product owned by KUMA DAO and governed by the MIMO tokenholders) can accept as a backing to issue KUMA Interest-Bearing Tokens, a form of synthetic stablecoins that automatically accrue interest. The balance of these tokens grows in users’ wallets without any action required, matching the interest rate paid by the bond backing them, minus commission. Apart from the interest, the tokens behave like regular stablecoins, allowing them to be integrated freely into the broader crypto ecosystem, like DeFi, GameFi, and NFT platforms.

The launch of this protocol also has the potential to revolutionize the way bondholders receive interest. Traditional bonds typically pay out interest semi-annually, annually, or even when reaching maturation. However, because KUMA Interest-Bearing Tokens use smart contracts, interest can be paid out to holders regularly, every 4 hours by default, providing a more consistent income stream for investors while not involving any claim process.

In the background, Mimo Capital AG handles the bonds and offers simple redemption to the users. Moreover, a smart contract managed by the KUMA DAO provides infrastructure for its community to swap or roll the NFT bonds over, ensuring smooth operation when a bond reaches its maturity date or the issuing authority publishes an updated rate.

To date, a few other efforts of bond tokenization have started. However, Mimo has the advantage of being the first regulated in the European Economic Area (EEA), providing tokens allowing its users to earn interest while benefiting from the safety of their favorite custody solution and the peace of mind coming with a fully regulated product.

Furthermore, KUMA DAO’s approach naturally provides fractionalized access to the benefits of bonds, lowering the entry barrier to investment and opening the door to 24/7 settlement, trading, and global liquidity. Example applications include savings accounts, protocol treasuries, and individual wallets.

Following the tokenization of sovereign bonds, Mimo will leverage KUMA to provide other assets, such as corporate debt and funds.

So far, all of the Mimo partners, including Polygon, Fantom, Swissborg, SingularityDAO and Akt.io have indicated their intention to use KUMA.

“We are thrilled to offer our users a new way to earn passive income through tokenized bonds,” said Claude Eguienta, Founder and CEO of Mimo Capital. “With this innovative mechanism and backed by a diverse range of real-world assets, we believe that interest-bearing tokens are poised to become a leading tool in the Decentralized Finance space.”

To learn more about Mimo and the KUMA Protocol, visit https://mimo.capital & https://kuma.bond

About Mimo

Mimo is a leading blockchain company that built a multichain DeFi protocol providing a Decentralized & Multichain Euro Stablecoin and developing Blockchain Powered Financial Products. With a focus on user-friendliness and accessibility, Mimo is committed to bringing the benefits of decentralized finance to a broader audience, including business and retail investors.

MEDIA CONTACT:
Mimo Capital
Name: Yacine Farouk, CMO
Email: [email protected]
Website: www.mimo.capital
Country: Liechtenstein
City: Vaduz

The CONG Token is the New Crypto Hype

The world is fast changing and becoming more decentralized as it gets more digital. Decentralized Autonomous Organizations (DAOs), blockchain, DeFi, web 3.0 and cryptocurrencies are all growing in popularity.

How to employ all of these new technologies in a way that benefits society is now the problem.

In terms of finance and investing, these new technologies offer a rare opportunity to provide outstanding private market investment opportunities to retail investors around the world. Until now, these opportunities could only be accessed by Venture Capital (VC) and Private Equity (PE) funds.

The Conglomerate Capital (TCC) is the unique web3, BEP20 blockchain-based investment and funding platform, governed by a DAO, from which disruptive startups as well as SME (Small and Medium Enterprises) businesses will raise capital, where investors will be able to access VC and PE outstanding opportunities through the CONG token.

Additionally, the TCC and CONG ecosystem is the first and only to develop governance and investing features to lead and safeguard investors through the adoption and use of new market features and to rely on the knowledge of top-tier VC and PE industry executives to influence how people allocate their capital.

“At TCC, we seek not merely to democratize investment options, but to streamline investment process for investors and fundraising for Companies,” says Diego Queirantes, Founder and responsible for deals structuring. “We are prepared to revolutionize the World of Investing,” he continued. “Investors are more than welcome to go along for the voyage to reshape the way people invest their capital.”

The creator of The Conglomerate Capital kept people in mind when developing the Company and its digital token, CONG. Yves Civolani, Founder & CEO and former private equity industry executive, came to the terrible realisation that because the average person lacks basic financial knowledge, they are compelled to spend their life’s work savings on substandard opportunities.

His parents have never had the opportunity to engage in VC and PE investments and earn lucrative returns as regular retail investors.

The TCC concept was born out of his desire to make these opportunities accessible to regular people by assembling a conglomerate of companies run by global minnows.

“Before beginning to work on the project’s development, a thorough examination of VC/PE, crowdfunding and crypto launchpads sectors was necessary,” said Yves. “We wanted to comprehend concerns and issues from the viewpoints of all participants: investors, business owners/companies, and platforms.”

Before founding the project, Yves worked for more than a decade for tier-1 global private equity funds. Therefore, throughout his career, he learned by doing what the problems are for startups and SMEs to raise capital from either equity or debt securities.

With all of this in mind, TCC seeks to solve these issues by decentralising the VC and PE infrastructures while also imposing a cycle of accountability and mutual interest alignment.

In order to give the CONG token value, based on the founding team’s experience in VC/PE/M&A environments, TCC intends to bring various industries features to the cryptocurrency world through the use of DeFi and blockchain, under a DAO governance structure. This is in line with the main attributes of the TCC & CONG ecosystem. Investors are encouraged to hold onto their tokens and use CONG as a form of asset storage.

To secure more investor consensus and a more democratic funding procedure, TCC offers many more advantages than the conventional paradigm, including zero-knowledge-proof authentication, decentralised data storage, trade agreements, and more.

The TCC white paper states that priority would be given to early investors when allocating investments. In return for CONG, the platform will receive USDT, BUSD and USDC. The only token in the whole ecosystem, CONG, will finance all businesses. Compared to other crypto launchpad platforms, that is an important difference as they all face alignment problems due to the fact that funded projects each launch their own tokens, competing against each other for investors’ capital allocation.

According to the roadmap, fiat and credit cards will also be accepted by TCC along the project development. While CONG cannot be traded in a DEX or CEX (Decentralized or Centralized Exchanges), its price will rise if a deal opportunity passes through the platform because, based on the DAO mechanism, holders will decide what the token price will be for each funding campaign. This will set a buy pressure on the token.

The CONG presale will begin on Jan. 16, 2023, at 9:00 am GMT with a token price of USDT 0.0025. The sale will occur directly from the project’s website. Therefore, it is the best time to invest and join the ecosystem. Based on the hype already generated when the project was announced, the second presale round, which will start as soon as the first fulfils, will have CONG token price increased by 20%.

The management team at TCC has extensive expertise in the investment industry as a whole, while the development team is made up of a group of blockchain and web developers, embracing the most potent and recent technical development in the cryptocurrency sector.

The TCC team has years of expertise in the sector and has raised more than USD 200 million using a variety of mechanisms, including debt, equity, and convertible debt. The team has also completed many M&A transactions in recent years. By assisting in the review of funding applications, all this experience will work for the ecosystem’s benefit. They are all in agreement and aligned with the investors as the team is compensated by CONG.

For more information on The Conglomerate Capital, check the links below.

Company Website: https://www.congcap.com
Telegram: https://t.me/congcap
Twitter: https://twitter.com/ConglomerateCap
LinkedIn: https://www.linkedin.com/company/the-conglomerate-capital

Web3: Crypto and NFTs are Not Dead – They’re Just Getting Started

It’s no secret that the cryptocurrency boom of the last few years has currently ground to a halt and there are many critical voices which are already trying to put the nail in the coffin of Bitcoin and other cryptocurrencies. However, we are here to let you know that cryptocurrencies and every other blockchain-based technology are here to stay, and they are all part of a bigger picture that you need to understand in order to future-proof your technology and your revenue model. This bigger picture is Web3.

What is Web3?

Web3 is quite simply the next step in the evolution of the internet. When the internet started with only a few web pages, those were mostly static pages with text and images, made only to transmit information; this was Web1, or the “read-only web”. Web2 was the next generation of the internet, based on interactivity, social media, and user-generated content overall, catering to the user experience. The major drawback that emerged from Web2 was that it gave the power to hold data to big companies, concentrating power and knowledge on the internet in only a few major companies, now commonly known as the FAANG (Facebook, Amazon, Apple, Netflix, Google). Web3 is the next meta of the internet, the new way of modeling interactions on the web in a decentralized manner, giving the power over their own data back to the users, without needing a middle man, such as a big company, to do so.

Our company, Plavno, is one of the backbones at the origins of WEB3 and has worked with giants from all industries, such as Mercedes-Benz or BelVeb Bank to provide technology development solutions. The Web3 subject is somewhat of a hot potato, with many skeptics singing its demise before it has even become mainstream, but being an early adopter on revolutionary technology is never easy. What we can be sure of, is that innovators always have an upper hand in their vision for the future, which is why Plavno has always sought to implement future-proof technology and business models. This is why even the biggest market giants trusted us to thrust their solutions into the future, and why you shouldn’t sleep on Web3 and the opportunities it brings!

How does Web3 revolutionize the internet?

Web3 quite simply aims to revolutionize the internet by decentralizing the interactions between people and businesses on the internet. It all starts with blockchain, a decentralized safe model of sharing data on the internet. This data is now no longer hosted centrally on one server administered by a big company, but is now hosted and verifiable over a number of different sources, the users. This decentralized model means that, on the one hand, users no longer rely on big companies to host their data and, on the other hand, they gain control over their own data. This applies to a myriad of fields: instead of making fiat payments that go through banks, payment processors and administrators, you can now make instant cryptocurrency payments, verifiable on the blockchain and without the need to pay any middle men and companies. Instead of buying art and tickets from retailers that monopolize the market (such as the famous case of Ticketmaster), one can now go and buy new forms of digital art, such as NFTs (non-fungible tokens) directly from the artists, including tickets and virtual experiences, such as VR events and content. Instead of using storage from big companies like Google Drive or Microsoft OneDrive, you can use decentralized storage solutions that split your data over multiple sources so that if one fails, you always have the guarantee of many others. Web3 is all about giving power and control back to the users over their own data, their modes of payment, their content, and their creations.

How can you make money on Web3?

Making money has never been easier than on Web3. From a business perspective, entrepreneurs and even just individuals can start their own businesses, monetize their own skills and provide services using the Web3 model. You can now create your own e-commerce business based on blockchain technology, eliminating the need to pay fees to a third-party company or to create your own website in which the commercial relationship is trust-based. There is no need to question the trust between the buyer and the seller if the contract is decentralized and carried out using immutable automated code, such as smart contracts. You can then enhance your commerce business by adding NFTs, services driven by AI, and safe identity management with customer authentication mechanisms that are of unprecedented safety compared to Web2 standards. Even if you are not entrepreneurially minded and want a more standard job, Web3 companies are currently the place to be: they create future-proof products with cutting-edge technology and offer a very liberal remote-based model and new benefits such as tokens, bonuses and fast-tracked career progression, as opposed to the slow hierarchical tedium of large companies where you cannot personally make a difference. Finally, you can choose the path of creating your own cryptocurrency startup or marketplace, which is exactly what we help our clients do.

How to create your Web3 business or Web3-proof your company?

Plavno has unprecedented experience in creating Web3 IT solutions. On our last project, we helped our client save more than $400k in initial investments on the launch of a crypto-startup which reached more than 1 million onboarded users in the first year. How do we do this? The secret is in our dedicated software development team. Plavno has 14 years of experience in the field of dedicated software development. Our teams create Web3 software solutions from scratch, dedicated to each client’s needs. And it’s not only the technology that is future-proof, but also all the aspects of the business model: Plavno works on the basis of outstaffing and outsourcing projects, so that solutions can be created remotely and efficiently, taking full advantage of technical advancements in workflow solutions. We use the SAFe methodology to ensure that our work is always transparent and clear to the client, that their needs are met, and that ongoing support is provided after the finalization of the project. For us, a finished project is just the beginning!

With the emphasis on speed that today’s markets require, you would be tempted to go for out-of-the-box systems to implement your ideas. However, this quickly turns into an unsustainable solution. With a dedicated software team, you can make sure that your own solutions are implemented naturally, that you can create an ecosystem between your hardware and software, as well as sustaining the tokenized decentralized economy. By using ready-at-hand solutions, your project encounters problems such as the impossibility to turn your requirements into a final technical product, delays and additional costs in integrating third-party systems, and an overall unreliability in case your system suffers a breakdown or needs updates. By using our technicians, we can establish a long-term reliable software development partnership and make sure that your crypto marketplace is always functioning, updated with new features and most importantly, Web3 future-proof.

Join us now!

That’s the surefire way to get onto the next generation of the internet before all the skeptics and to make sure that when Web3 becomes mainstream, your business, and your ways of making revenue are already well-established and well ahead! Join us now and let us begin our Web3 journey!

Crypto gaming project Calvaria raises $2.5M in presale, announces IEO on BKEX

The presale for the exciting play-to-earn project Calvaria: Duels of Eternity has now passed $2.5 million, with the RIA token now set for its initial exchange offering (IEO) on BKEX.

The news means there are now fewer than 30 million RIA tokens available, with the presale more than 80% sold out.

Duels of Eternity is bidding to bring traditional and casual gamers to the blockchain by offering a full free-to-play (F2P) version of the game that is available on mobile app stores and PC.

BKEX to hold RIA IEO

With the Calvaria presale now close to finishing, it has been confirmed that leading centralized exchange BKEX will hold its IEO.

The date for the IEO has not yet been confirmed, but BKEX, which has almost $500 million of daily trading volume and more than 1.5 million weekly visitors, will exclusively trade RIA for 24 hours before it is then listed on other exchanges.

A listing on Changelly Pro has also been confirmed, as has GotBit, while in a recent AMA, the Calvaria developers revealed that they are in talks with other exchanges.

What is Calvaria?

Calvaria is a new play-to-earn project aiming to attract casual and traditional gamers onto the blockchain.

Previous GameFi projects have attracted huge investment, with crypto investors seeing the huge potential for the future, but the player base did not follow even at its peak and has fallen rapidly during the 2022 bear market.

Calvaria is now trying to address that by developing a simple and replayable game that will appeal to traditional and casual gamers and is easy to pick up.

Flagship game Duels of Eternity is a battle-card strategy game that sees players stack their decks with nonfungible token (NFT) cards and assets and beat opponents in best-of-three matches to earn RIA tokens.

The game, which is set in the afterlife, sees players align with one of three factions and use their knowledge, skill and timely use of assets to win one-on-one matches.

Duels of Eternity has a number of quirks that separate it from rivals and will make it attractive to non-blockchain gamers.

The game is rendered in full 3D and available on mobile stores on Android, iOS and PC. Duels of Eternity also has a story mode that not only builds on the lore of the Calvaria universe but allows players to earn assets that can be used in other game modes.

Cards and assets are NFTs that are fully owned and tradeable by the player, who can also spend RIA or combine cards to upgrade them.

To ensure the long-term success of Duels of Eternity, the Calvaria developers will take a seasonal approach to the game, consistently releasing new assets and game modes to keep players coming back.

They will also develop an in-house esports team and invite large esports brands to compete in tournaments for big prizes.

Calvaria will also benefit from being built on super-fast and efficient layer-2 solution Polygon.

Duels of Eternity F2P version

As well as the main P2E version of the game, Calvaria will develop a near-identical, free-to-play version of Duels of Eternity.

All features and gameplay will be the same, but there will be no rewards and players will not own their assets. However, the game will exist as a way to entice non-blockchain gamers onto the P2E version by showing the full capability of the game.

The F2P version will have a visible tracker that will show players how much they could have earned, while there will also be gamified quests to teach new players about blockchain technology.

Calvaria team and tokenomics

Calvaria has been developed by a doxed team that has been Know Your Customer-verified by CoinSniper, while the RIA token smart contract has been audited by SolidProof.

There is a max supply of 1 billion RIA tokens, with 15% of those allocated to the presale, with the majority of the supply split between the staking (25%) and prize pools (20%).

Another 15% is for reserve and burn pools, and the rest is split between operations (8%), team and advisers (7%), the INO (6%) and exchange liquidity (4%).

Recently, a crypto wallet purchased more than 3 million RIA tokens in one transaction, spending nearly $100,000.

How to buy RIA tokens

Below is a brief guide on how to buy RIA tokens during the final stage of the Calvaria presale, before the IEO on BKEX.

  1. Download a crypto wallet, such as Trust Wallet or MetaMask.
  2. Acquire Ether or Tether — either on an exchange and then transfer back to your crypto wallet or buy directly on the Calvaria website with a credit or debit card via Changelly.
  3. Connect your wallet to the Calvaria website and select a relevant option.
  4. Exchange ETH or USDT for RIA tokens.
  5. Claim RIA tokens once the presale has ended.

Website: https://calvaria.io/

Vacuum Coin announces its expansion into the BNB Smart Chain

Vacuum Coin (VC) announced its plans to expand its ecosystem to the BNB Smart Chain by releasing the BEP-20 version of its token.

Vacuum Coin is a reserve currency for an upcoming metaverse project called “Metaverse Union,” which aims to connect all metaverses through its metaverse. The BEP-20 version of VC will be used as the utility token for its crypto services, such as chat-to-earn, play-to-earn, second-generation Crazy Rich Rabbit nonfungible tokens (NFTs), Vacuum Bot and Tina Launchpad.

Currently, the Vacuum project hosts weekly chat-to-earn events in its social media community, where more than 13,000 people participate to earn VC tokens by chatting. VC can also be obtained by playing Crazy Rich Rabbit, a Web3 play-to-earn game in which players earn VC tokens just by playing the game.

Its most recent reveal, Project Henri, is an NFT avatar generation project required to enter the Metaverse Union. You have a taste of creating any avatar you like using the photos you have.

Vacuum is running its fairlaunch until 2 pm UTC on Jan. 2, 2023. The token will be listed right after the fair launch is over. Currently, it has filled up its softcap.

For more information, visit Vacuum Coin’s website or go directly to Vacuum’s Pinksale Fairlaunch site at:

https://www.pinksale.finance/launchpad/0xf6C77C39B6637A6e2740BeCA7289BDA88e6a22a1?chain=BSC

Multichain is one year old

Multichain has been a multi-chain industry pioneer and has devoted itself to delivering industry-leading cross-chain services to users since its inception. Anyswap started as a DEX protocol in July 2020. As cross-chain interoperability technologies improved, we realized that Anyswap could deliver more to its community by addressing the growing demand for protocols specializing in cross-chain interaction.

To solidify our commitment to delivering the community’s needs, we officially rebranded to Multichain on this day last year. Since then, we have been the leading driver of the cross-chain economy. With over $90 billion in TVL across 3000+ bridges, we are proud to reach this milestone and incredibly thankful to you for supporting us along the way. So, for our first anniversary as Multichain, let’s look back at what we accomplished in the past year and what lies ahead for us and the multi-chain industry.

A look back at Multichain

Q1 – Our numbers proliferated

The Multichain ecosystem expanded rapidly in Q1. We achieved a 700% increase in TVL and incorporated about 600 new bridges spanning 39 public blockchains. In addition, we perfected our bridges to improve their conversion logic and transaction time and upgraded our router contracts to improve the developer experience.

We also introduced two new services: an upgraded NFT router, which enabled the cross-chain transfer of NFTs via anyCall, and Co-mint, which addressed liquidity fragmentation in DeFi by allowing multiple bridges to mint the same asset, like stablecoins pegged to a common underlying.

Q2 – We pioneered generic cross-chain messaging

Even when the crypto community was hawkish with the bear market in full swing, it didn’t stop us from innovating and growing. For example, Multichain serviced $83.3 billion in cross-chain bridge requests, which accounted for about 40% of the total third-party market share.

Q2 also marked the official launch of one of our most revered projects – anyCall, an infrastructure of generic cross-chain communication. anyCall enabled seamless cross-chain composability of smart contracts. Curve finance was one of the first protocols to adopt anyCall. In addition, Multichain also launched the fastMPC testnet in Q2, which opened the Multichain MPC network for open participation, further decentralizing the network.

Q3 – We transcended into a DAO

By Q3, Multichain had grown to support about 2891 bridges serving 739,000+ active users. Together, the Multichain community accounted for 49% of all cross-chain activity in DeFi. We further perfected the anyCall protocol to V7, which introduced a fallback function to support innovative Dapps. Q3 also witnessed the mainnet launch of the fastMPC network for the public. Then, Multichain also transcended into the MultiDAO, an open community of contributors who could participate in governance and steer the direction of the community towards growth.

Q4 – We made many optimizations

Q4 was all about optimization and focusing on the fine details. We continued being one of the leading cross-chain solutions in demand in Web3. We realized the demands of our valued users and optimized our bridge fee policy. We also lowered the bridge fees charged for mainstream tokens and networks.

What sets us apart

Competitive pricing and a robust ecosystem

Multichain charges one of the lowest cross-chain fees among leading interoperability protocols. Furthermore, the Multichain network is one of the fastest cross-chain protocols in the market, without any compromise in security.

Extensive non-EVM network

Many cross-chain interoperability protocols connect EVM-EVM blockchains, but few (if any) expand across a wide range of non-EVM environments like Multichain, which connects the Bitcoin, Near, OnXRP, Aptos and Mintme mainnets and is already working on the Cardano, Stellar, Flow and Solana testnets.

Industry trends to look out for in ’23

This year was the age of layer-2s; projects like Arbitrum and Optimism saw a surge in demand and innovation, which stems from the fact that the growing crypto adoption has rendered layer-1s very expensive for standalone transactions. This trend is likely to follow next year as well, and we might see Ethereum being used more as a settlement layer for other blockchains, where high throughput execution is achievable.

Another trend that took off this year was the rising popularity of appchains and blockchain sovereignty. Appchains are blockchains built for one specific use case. Sovereign blockchains build on ecosystem protocols like Cosmos and Polkadot, which take up base layer overheads and help steer innovations toward execution and application.

Regardless of appchains or layer-2s taking the forefront next year, the undeniable fact is that both these paths lead to more demand for cross-chain sharing of information and resources. Therefore, the coming years will require cross-chain protocols to be more flexible with adopting new blockchain environments and decentralized applications.

What will we work on for ’23

Multichain is dedicated to addressing the needs of the cross-chain industry and understands the technological shifts it needs to adopt to deliver them. Therefore, we have some exciting innovations for the cross-chain community for the following year.

Let us share one such innovation. We call it Omni-Blockchain Interaction (OBI). OBI is a blockchain-agnostic cross-chain communication solution stack that appchain developers can use as a base infrastructure to seamlessly build customized cross-chain connection channels without the hassle of implementing trust and verification mechanisms from scratch.

The OBI stack includes:

  • Dapp layer – It will house the cross-chain NFT/token bridges and routers.
  • Data layer – It comprises anyCall, which can communicate arbitrary information across blockchains.
  • The underlying trust layer – A decentralized protocol for cross-chain public trust mechanism, which verifies and authenticates data based on MPC and ZK technologies, the base infrastructure that third-party developers can build upon.

Multichain realizes the potential of novel technologies like zk-proofs in delivering scalable and secure performance. We believe that the concept of zero knowledge also has applications in the cross-chain economy. In ’23, we will work on zk-proofs-based routers; more information will soon follow.

Lastly, one of our primary initiatives for the coming year will be to collaborate with partners and other Web3 communities to educate the users in the industry about the benefits and potential of cross-chain communication.

Thank you for the support

Like any other decentralized project in Web3, Multichain’s success is credited to the continuous love and support we have received during difficult and good times. We thank the Multichain community for having confidence in us since our inception; it inspires us to deliver more in the times to come.