Lazarus hits cryptocurrency exchange with fake installer and macOS malware

Kaspersky Lab has been assisting with incident response efforts. While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email. It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate-looking website, and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to. There have been multiple reports on the reappearance of Fallchill, including one from US-CERT.

To ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including macOS. A version for Linux is apparently coming soon, according to the website. This is probably the first time we have seen this APT group using malware for macOS.

The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms.

Trojanized cryptocurrency trading application

Thanks to Kaspersky Lab’s malicious-behavior detection technology, implemented in its endpoint security software, we were able to reassemble the stages of infection and trace them back to their origin. This helped us understand that one of Lazarus’ victims was infected with malware after installing a cryptocurrency trading program. We also confirmed that the user installed this program via a download link delivered over email.

Trojanized trading application for Windows

Including malicious code in distributed software and putting that on a website would be too obvious. Instead, the attackers went for a more elaborate scheme: the trojan code was pushed out in the form of an update for a trading application.

A legitimate-looking application called Celas Trade Pro from Celas Limited showed no signs of malicious behaviour and looked genuine. This application is an all-in-one style cryptocurrency trading program developed by Celas.

Screenshot of Celas Trade Pro

When we started this research, any user could download the trading application from the Celas website. Checking the installation package downloaded from the website confirmed the presence of a very suspicious updater.

Installation package download page

We have analyzed the following Windows version of the installation package:

MD5: 9e740241ca2acdc79f30ad2c3f50990a
File name: celastradepro_win_installer_1.00.00.msi
File type: MSI installer
Creation time: 2018-06-29 01:16:00 UTC

At the end of the installation process, the installer immediately runs the Updater.exe module with the “CheckUpdate” parameter. This file looks like a regular tool and most likely will not arouse the suspicion of system administrators. After all, it even contains a valid digital signature, which belongs to the same vendor. But the devil is in the detail, as usual.

The code writer developed this project under the codename “jeus”, which was discovered in a PDB path included in the updater and is also used as the unique HTTP multipart message data separator string. Because of this, and the fact that the attacked platforms include Apple macOS, we decided to call this Operation AppleJeus.

Properties of the shady updater tool included in the package are:

MD5: b054a7382adf6b774b15f52d971f3799
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Known file name: %Program Files%\CelasTradePro\Updater.exe
Link Time: 2018-06-15 10:56:27 UTC
Build path: Z:\jeus\downloader\downloader_exe_vs2010\Release\dloader.pdb

The main purpose of Updater.exe is to collect the victim’s host information and send it back to the server. Upon launch, the malware creates a unique string with the format string template “%09d-%05d” based on random values, which is used as a unique identifier of the infected host. This malware collects process lists, excluding “[System Process]” and “System” processes and gets the exact OS version from the registry value at “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion”. It seems that such values only exist from Windows 10, so we assume that the author developed and tested it on Windows 10.

  • ProductName: Windows OS version
  • CurrentBuildNumber: Windows 10 build version
  • ReleaseID: Windows 10 version information
  • UBR: Sub version of Windows 10 build
  • BuildBranch: Windows 10 build branch information

The code encrypts the collected information with the hardcoded XOR key (“Moz&Wie;#t/6T!2y”) before uploading it to the server.

Data encryption routine

The code sends the victim’s information to a webserver using HTTP and the following URL:
www.celasllc[.]com/checkupdate.php

The server is a legitimate looking website owned by the developer of the program: Celas LLC. At this point we were not able to conclude with high confidence whether the server was compromised by the threat actor or had belonged to the threat actor from the beginning. To learn more about the server, please read the “Infrastructure” section below.

The malware used a hardcoded User-Agent string, “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)”, and a fixed multipart form data separator string, “jeus”.

Neither the use of encryption nor the custom separator string would be a red flag for a legitimate application, but sending a request with the context-irrelevant string “get_config”, as well as uploading collected system information as “temp.gif”, mimicking a GIF image with a magic number in the header, definitely made us raise our eyebrows.

Communication with the C2 server

After successfully uploading data, the updater checks the server response. If the server responds with HTTP code 300, the updater should keep quiet and take no action. If the response is HTTP code 200, it base64-decodes the payload and decrypts it using RC4 with another hardcoded key (“W29ab@ad%Df324V$Yd”). The decrypted data is an executable file prepended with the string “MAX_PATHjeusD”.

During our research, we found other similar files. One was created on August 3rd and another on August 11th. The PDB path shows that the author keeps improving this updater tool, apparently forked from some stable version released on July 2, 2018 according to the internal directory name.

Additional trojanized sample #1:
Installation package MD5: 4126e1f34cf282c354e17587bb6e8da3
Package creation date: 2018-08-03 09:57:29
Dropped updater MD5: ffae703a1e327380d85880b9037a0aeb
Updater creation date: 2018-08-03 09:50:08
Updater build path: H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000009\Release\dloader.pdb

Additional trojanized sample #2:
Installation package MD5: 0bdb652bbe15942e866083f29fb6dd62
Package creation date: 2018-08-13 0:12:10
Dropped updater MD5: bbbcf6da5a4c352e8846bf91c3358d5c
Updater creation date: 2018-08-11 7:28:08
Updater build path: H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000006\Release\dloader.pdb

Note the TManager directory in the PDB path from the table. It will pop up again in another unexpected place later.

Trojanized trading program for macOS

For macOS users, Celas LLC also provided a native version of its trading app. A hidden “autoupdater” module is installed in the background to start immediately after installation, and after each system reboot. It keeps contacting the command and control (C2) server in order to download and run an additional executable from the server. The communication conforms to the Windows version of the updater and is disguised as an image file upload and download, while carrying encrypted data inside.

We have analyzed the following installation file:

MD5: 48ded52752de9f9b73c6bf9ae81cb429
File Size: 15,020,544 bytes
File Type: DMG disk image
Known file name: celastradepro_mac_installer_1.00.00.dmg
Date of creation: 13 July 2018

Once the Celas Trade Pro app is installed on macOS, it starts the Updater application at system load via a file named “.com.celastradepro.plist” (note that the name starts with a dot, which hides it from the Finder app and from default Terminal directory listings). The “Updater” file is passed the “CheckUpdate” parameter on start.

Celas Trade Pro app plist file (Apple Property List)

The command-line argument “CheckUpdate” looks redundant from a code analysis perspective: there is no other argument that the application expects. In the absence of any arguments, it does nothing and quits. This may or may not be a way to trick sandboxes that automatically execute this trojanized updater: without such a “secret” extra argument, no suspicious activity is produced. The choice of a benign string such as “CheckUpdate” helps it hide in plain sight from any user or administrator looking into running processes.
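A hunting check for this kind of persistence, written as an added example here rather than taken from the report or the trading application: it walks the launchd directories, picks out property lists whose file name starts with a dot (hidden from Finder and a plain directory listing) and reports what each one launches, including any extra command-line argument such as the “CheckUpdate” switch. The directory list is a default set that the report does not name, the program path in the sample is an assumption, and the plist written by demo() is constructed for the demonstration.

```python
"""Hunt for hidden launchd persistence of the kind described above.

Added example, not code from the original report. Only the plist name
and the CheckUpdate argument come from the text; the rest is constructed.
"""
import os
import plistlib
import tempfile

# launchd locations that are normally worth checking (user and system)
DEFAULT_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]


def inspect_plist(path):
    """Return a finding dict for one plist, or None if it cannot be parsed."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception:  # unreadable file or not a valid XML/binary plist
        return None
    args = list(data.get("ProgramArguments") or [])
    if not args and data.get("Program"):
        args = [data["Program"]]
    return {
        "path": path,
        "hidden": os.path.basename(path).startswith("."),
        "label": str(data.get("Label", "")),
        "program_arguments": [str(a) for a in args],
        "run_at_load": bool(data.get("RunAtLoad", False)),
        # the macOS updater only misbehaves when started with one extra
        # argument, so trailing arguments are surfaced for the analyst
        "extra_arguments": [str(a) for a in args[1:]],
    }


def find_hidden_launch_items(directories=DEFAULT_DIRS):
    """Return findings for every dot-prefixed .plist in the given directories."""
    findings = []
    for directory in directories:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if name.startswith(".") and name.endswith(".plist"):
                finding = inspect_plist(os.path.join(directory, name))
                if finding is not None:
                    findings.append(finding)
    return findings


def write_sample_plist(directory):
    """Write a constructed LaunchAgent mimicking the one described in the report."""
    sample = {
        "Label": "com.celastradepro",
        # the program path is an assumption for the demo, not from the report
        "ProgramArguments": ["/Applications/CelasTradePro.app/Contents/MacOS/Updater",
                             "CheckUpdate"],
        "RunAtLoad": True,
    }
    path = os.path.join(directory, ".com.celastradepro.plist")
    with open(path, "wb") as fh:
        plistlib.dump(sample, fh)
    return path


def demo():
    """Scan a temp directory holding the constructed sample; returns the findings."""
    directory = tempfile.mkdtemp()
    write_sample_plist(directory)
    return find_hidden_launch_items([directory, "/nonexistent/launchd-dir"])


if __name__ == "__main__":
    for item in find_hidden_launch_items():
        print(item["path"], item["program_arguments"],
              "RunAtLoad" if item["run_at_load"] else "")
```

Run without arguments on a Mac it lists hidden launch items in the standard locations; a dot-prefixed plist with RunAtLoad set and a trailing argument is exactly the shape described in the text and deserves a closer look at the program it points to.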

The trojanized updater works similarly to the Windows version in many ways. Both applications are implemented using the cross-platform Qt framework. Upon launch, the downloader creates a unique identifier for the infected host using a “%09d-%06d” format string template. Next, the app collects basic system information, which for macOS is done via dedicated Qt classes:

  • Host name
  • OS type and version
  • System architecture
  • OS kernel type and version

The process of encrypting and transferring data is the same as in the Windows version. The information is XOR-encrypted with the hardcoded 16-byte static key “Moz&Wie;#t/6T!2y”, prepended with a GIF89a header and uploaded to the C2 server via HTTP POST to the following URL:

https://www.celasllc[.]com/checkupdate.php

POST request template strings

The module relies on a hardcoded User-Agent string for macOS:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Once the server replies, the updater checks the HTTP response code. HTTP response code 300 indicates that the server has no task for the updater, and the application terminates immediately. If the HTTP response code is 200, the updater takes the data in the response, decodes it from base64 and decrypts it using RC4 with the hardcoded static key “W29ab@ad%Df324V$Yd”. It then calculates the MD5 of the decoded and decrypted data and compares it with a value stored inside the binary, to verify the integrity of the transferred file. After that, the payload is extracted and saved to the hardcoded file location “/var/zdiffsec”; the updater sets executable permissions for all users and starts the file with another secret hardcoded command-line argument, “bf6a0c760cc642”. Apparently the command-line argument is a way to prevent detection of its malicious functionality via sandboxes or even reverse engineering. We first saw the Lazarus group adopt this technique in 2016, in attacks against banks, and as of 2018 it is still using it in almost every attack we have investigated.
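A decoder for the updater exchange described in the Windows and macOS sections above, added here as an example and not taken from the report. Both directions are symmetric (repeating-key XOR for the upload, RC4 for the download), so the same routines re-create a constructed exchange for testing and decode a captured one. The keys, the “GIF89a” marker, the 300/200 semantics and the “MAX_PATHjeusD” prefix come from the text; the assumptions are that the fake image header is exactly the six-byte signature, that the XOR key repeats cyclically over the data, and that the reply is base64-decoded before the RC4 step. The host-info string and payload bytes are constructed.

```python
"""Decoder for the AppleJeus updater traffic described above.

Added example, not code from the original report. Keys and marker strings
are taken from the text; header length and key repetition are assumptions.
"""
import base64
import hashlib

XOR_KEY = b"Moz&Wie;#t/6T!2y"          # upload key (from the report)
RC4_KEY = b"W29ab@ad%Df324V$Yd"         # download key (from the report)
GIF_HEADER = b"GIF89a"                  # assumed: bare 6-byte GIF signature
PAYLOAD_MARKER = b"MAX_PATHjeusD"       # prefix in front of the dropped executable


def xor_bytes(data, key):
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(data, key):
    """Textbook RC4 (KSA + PRGA); symmetric, so it also decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_upload(body):
    """Strip the fake GIF header from a captured 'temp.gif' body and XOR-decrypt it."""
    if not body.startswith(GIF_HEADER):
        raise ValueError("not the expected fake GIF upload")
    return xor_bytes(body[len(GIF_HEADER):], XOR_KEY)


def decode_download(status, body_b64, expected_md5=None):
    """Handle a C2 reply: 300 means no task; 200 carries base64(RC4(marker + exe))."""
    if status == 300:
        return None
    if status != 200:
        raise ValueError("unexpected status %d" % status)
    plain = rc4(base64.b64decode(body_b64), RC4_KEY)
    # the macOS updater compares an MD5 of the decrypted data with an
    # embedded value; the analyst supplies that value when it is known
    if expected_md5 is not None and hashlib.md5(plain).hexdigest() != expected_md5:
        raise ValueError("payload integrity check failed")
    if not plain.startswith(PAYLOAD_MARKER):
        raise ValueError("payload marker missing")
    return plain[len(PAYLOAD_MARKER):]


def build_constructed_exchange():
    """Produce a fake upload body and a fake server reply for exercising the decoder."""
    host_info = b"DESKTOP-TEST;Windows 10 Pro;17134"   # constructed, not real telemetry
    upload = GIF_HEADER + xor_bytes(host_info, XOR_KEY)
    payload = b"MZ" + b"\x00" * 30                      # constructed stand-in for an executable
    plain = PAYLOAD_MARKER + payload
    reply = base64.b64encode(rc4(plain, RC4_KEY)).decode()
    return upload, reply, hashlib.md5(plain).hexdigest()


if __name__ == "__main__":
    up, rep, digest = build_constructed_exchange()
    print(decode_upload(up))
    print(decode_download(200, rep, digest)[:2])
```

Against real captures, feed decode_upload() the multipart file part carried in the POST and decode_download() the status code and response body; a decoded reply that starts with an MZ header after the marker is the dropped executable the text describes.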

Downloaded payload

According to data from Kaspersky Security Network, the threat actor delivered the malicious payload using one of the shadowy updaters described above. We found a malicious file created on the same host:

MD5: 0a15a33844c9df11f12a4889ae7b7e4b
File Size: 104,898,560 bytes
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Known file name: C:\Recovery\msn.exe
Link time: 2018-04-19 13:30:19

Note the unusually large size for an executable file. We believe that it was inflated with junk data on purpose to prevent easy download or transfer over the internet.

Searching for the reason for the malware’s appearance on the system revealed that there was an additional process responsible for producing several files before this malware was launched, suggesting a trojan dropper in action. The main function of this malware is to implant the Fallchill backdoor loader linked to several files. Upon launch, the malware checks one of the command-line arguments passed to it. The malware chooses one of the service names located in the following registry value as a disguise:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs

This value includes a list of several dozen standard system service names.

The randomly chosen service name is used to name the dropped file and newly registered Windows service. Let’s refer to this randomly chosen service name as [service]. The malware contains references to several files inside:

  • The file passed as argument: contains a 16-byte key
  • msncf.dat: Encrypted configuration data
  • msndll.tmp: Encrypted Fallchill loader
  • msndll.dat: Encrypted Fallchill backdoor (payload for the loader)
  • [service]svc.dll: Fallchill backdoor loader
  • [service].dat: Copy of msndll.dat

A mix of the above-mentioned files produces the final backdoor known as Fallchill. A more detailed procedure for technical specialists is as follows:

  1. Check whether the command-line argument points to a file of 16 byte size.
  2. Read the file passed via the command-line argument. The contents of this file contain a crypto key, which we will call the main key.
  3. Open the msncf.dat file (configuration file). If the file size equals 192 bytes, read the content of the file.
  4. Open msndll.tmp file and decrypt it using the main key.
  5. Create the [service]svc.dll file and fill it with pseudo-random data.
    1. The malware fills the file with 10,240 bytes of pseudo-random data, and iterates (rand() % 10 + 10240) times. This is why it produces files which are at least 104,851,000 bytes.
  6. Copy the 16-byte main key at the end of the [service]svc.dll file.
  7. Encrypt the [service].dat file name with the main key and append it at the end of [service]svc.dll.
  8. Overwrite the beginning of [service]svc.dll with data decrypted from msndll.tmp.
  9. Move msndll.dat file to [service].dat.
  10. Delete temporary files: msndll.tmp, msncf.dat, msndll.log.
  11. Timestamp [service]svc.dll and [service].dat files.
  12. Register [service]svc.dll as a Windows service.
  13. Save a copy of data from msncf.dat file in the following registry value
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description.

Infection process diagram

Fallchill backdoor loader

We confirmed that the following malware was created on the infected host using the method described above:

Fallchill backdoor loader:

MD5: e1ed584a672cab33af29114576ad6cce
File Size: 104,878,356 bytes
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Known file name: C:\Windows\system32\uploadmgrsvc.dll
Link time: 2018-01-18 01:56:32

Encrypted Fallchill backdoor:

MD5: d8484469587756ce0d10a09027044808
File Size: 143,872 bytes
File Type: encrypted data
Known file name: C:\Windows\system32\uploadmgr.dat

Upon starting, uploadmgrsvc.dll reads 276 bytes from the end of its own executable file. The first 16 bytes of this 276-byte data are used as a decryption key, and the remaining 260 bytes contain the encrypted file path used by the backdoor.

Data at the end of the loader module

After decryption of the last 260-bytes, the malware retrieves the name or path of the file that contains the actual backdoor body in encrypted form.

Decrypted file name in the end of loader module

The malware reads the specified file and decrypts it using the same decryption routine. This is how the executable code of the backdoor is produced in memory and executed by the loader. Below is the meta information about the decrypted final payload in memory:
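The dropper steps listed earlier and the loader description above together fix the on-disk layout of the generated loader: 10,240 × (10,240 + r) bytes of pseudo-random filler (r = rand() % 10), then a 276-byte trailer made of the 16-byte main key and 260 bytes of encrypted file path, with the real loader code overwriting the start of the file. The sample size listed above fits that layout exactly (104,878,356 = 10,240 × 10,242 + 276). The triage script below, added here as an example and not taken from the report, checks whether a file's size matches the pattern and carves the trailer so the key and the encrypted path blob can be handed to further analysis; since the report does not describe the decryption routine, the path is extracted but not decrypted. The sample file written by demo() is a sparse, constructed stand-in.

```python
"""Triage for the inflated Fallchill loader layout described above.

Added example, not code from the original report. The constants are
derived from the dropper steps in the text; the sample is constructed.
"""
import os
import tempfile

FILLER_BLOCK = 10240              # bytes written per iteration
MIN_BLOCKS = 10240                # iterations = rand() % 10 + 10240
MAX_EXTRA_BLOCKS = 9              # rand() % 10 gives 0..9 extra blocks
KEY_LEN = 16                      # main key appended after the filler
PATH_LEN = 260                    # encrypted [service].dat name (MAX_PATH bytes)
TRAILER_LEN = KEY_LEN + PATH_LEN  # the 276 bytes the loader reads from its end


def filler_blocks_for_size(size):
    """Return the extra block count r if `size` fits the layout, else None."""
    body = size - TRAILER_LEN
    if body <= 0 or body % FILLER_BLOCK:
        return None
    extra = body // FILLER_BLOCK - MIN_BLOCKS
    if 0 <= extra <= MAX_EXTRA_BLOCKS:
        return extra
    return None


def carve_trailer(path):
    """Return (extra_blocks, key, encrypted_path) for a matching file, else None."""
    size = os.path.getsize(path)
    extra = filler_blocks_for_size(size)
    if extra is None:
        return None
    with open(path, "rb") as fh:
        fh.seek(size - TRAILER_LEN)
        trailer = fh.read(TRAILER_LEN)
    return extra, trailer[:KEY_LEN], trailer[KEY_LEN:]


def write_constructed_loader(path, extra_blocks=2, key=b"\x11" * KEY_LEN):
    """Create a sparse file with the same size as the loader sample in the report."""
    size = FILLER_BLOCK * (MIN_BLOCKS + extra_blocks) + TRAILER_LEN
    encrypted_path = bytes(range(256)) + b"\x00\x01\x02\x03"   # constructed 260-byte blob
    with open(path, "wb") as fh:
        fh.truncate(size - TRAILER_LEN)     # sparse zeros stand in for the random filler
        fh.seek(size - TRAILER_LEN)
        fh.write(key + encrypted_path)
    return size


def demo():
    """Build the constructed sample in a temp dir and triage it; returns the carved result."""
    directory = tempfile.mkdtemp()
    sample = os.path.join(directory, "uploadmgrsvc.dll")
    write_constructed_loader(sample)
    return carve_trailer(sample)


if __name__ == "__main__":
    result = demo()
    print("extra blocks:", result[0], "key:", result[1].hex())
```

Point carve_trailer() at any suspiciously large DLL registered as a service; a size that matches the pattern and a trailer that does not look like ordinary PE overlay data is a strong hint that the file was built by this dropper, and the carved key is what the loader uses on the matching [service].dat file.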

MD5: d7089e6bc8bd137a7241a7ad297f975d
File Size: 143,872 bytes
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Link Time: 2018-03-16 07:15:31

We can summarize the Fallchill backdoor loading process as follows:

Loading the Fallchill backdoor

As mentioned previously, the final payload belongs to a Fallchill malware cluster formerly attributed to the Lazarus APT group. Upon launching, this malware resolves the API function addresses at runtime, and reads the C2 server address from the registry value created during the installation stage:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description

If there is no configuration value, the malware falls back to the following default C2 server addresses:

  • 196.38.48[.]121
  • 185.142.236[.]226

This is a full-featured backdoor that contains enough functions to fully control the infected host. Some of its network protocol commands are described below.

Command ID Description
0x8000 Write current time and configuration data to registry key
0x8001 Send configuration data
0x8002 Replace configuration data in the fixed registry value
0x8003 Execute Windows command, store output in temp file and upload contents to C2
0x8006 Show current working directory
0x8007 Change current working directory
0x8008 Collect process information
0x8009 Terminate process
0x8010 Start new process
0x8011 Create process with security context of the current user
0x8012 Connect to specified host/port
0x8013 Get drive information
0x8014 Directory listing
0x8015 Search a file
0x8019 Write data to a specified file
0x8020 Read contents of specified file and upload to C2 server
0x8021 Compress multiple files into a temp file (name starts with ZD) and upload to C2
0x8023 Wipe specific file
0x8025 Copy file time from another file time (timestamping)
0x8026 Shutdown malware service and self-delete
0x8043 Send “Not Service” unicode string to C2 server (communication test?).

This set of capabilities is very common across many Lazarus backdoors, which have been seen in other attacks against banks and the financial industry in past years.

Infrastructure

While working on the incident of the cryptocurrency company’s breach, we were curious about the legal status of the Celas LLC company that developed this trojanized trading application.

Celas LLC main homepage.

The website had a valid SSL certificate issued by Comodo CA. However, note that the certificate from this webserver mentions “Domain Control Validated”, which is a weak security verification level for a webserver. It does not mean validation of the identity of the website’s owner, nor of the actual existence of the business. When certification authorities issue this kind of certificate they only check that the owner has a certain control over the domain name, which can be abused in certain ways.

Below is the WHOIS record of the “celasllc.com” domain. The domain name was registered by an individual named “John Broox” with registrant email address “johnbroox200@gmail[.]com”.

The same name of “John Broox” was used inside the installation package of the macOS version of the trading application. The Info.plist properties file describes the package as follows:

It looks at first sight like a legitimate WHOIS record, but something doesn’t really add up here. The domain celasllc.com was the only domain registered with this email address and was exclusively used for domain registration.

The registrant used the Domain4Bitcoins service to register this domain, apparently paying with cryptocurrency. According to open-source intelligence, the address of the WHOIS information is fake, unless it’s the owner of a ramen shop running a cryptocurrency exchange software development studio on the side.

View of the location referred in the WHOIS record. Image source: Google Maps.

The server hosting celasllc.com (185.142.236.213) belongs to the Blackhost ISP in the Netherlands.

WHOIS record of celasllc.com server

Coincidentally, the Fallchill malware authors also preferred to use the same hosting company to host their C2 server. Moreover, the Celas LLC web server and one of the C2 servers of the Fallchill malware are located in the same network segment of this ISP:

  • Celas LLC infrastructure:
    • 185.142.236.213: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Fallchill malware C2 server:
    • 196.38.48[.]121: South Africa Internet Solutions AS3741
    • 185.142.236[.]226: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Additional attacker’s server from telemetry
    • 80.82.64[.]91: Seychelles Incrediserve Ltd AS29073
    • 185.142.239[.]173: Netherlands Blackhost Ltd. AS174 COGENT-174

However, when you look into the Celas Trade Pro application’s digital signature, including its “Updater”, you will find that this certificate was also issued by Comodo CA, and refers to a company address in the United States.

According to open-source data, this address doesn’t belong to a real business, and looks on maps like a meadow with a small forest and small real estate offering nearby.

Location of Celas LLC, according to its digital certificate

Real estate history of that address

Pivoting the infrastructure a little further brings up some more suspicious things. It appears that the domain referred to two IPs, one of which was linked to a few other suspicious domains, according to PassiveDNS.

Celas LLC linked infrastructure

The owners of the linked infrastructure elements preferred to use several interesting services for hosting and domain registration. All these service providers offer a certain level of anonymity to their customers. Most of them accept Bitcoin as a main payment method to keep their customers anonymous. This is very uncommon for companies running a legitimate business.

Hosting services linked to Celas LLC:

  • Blackhost (https://black.host/)
  • Liberty VPS (https://libertyvps.net/)

Domain registration services linked to Celas LLC:

  • Domains4Bitcoins (https://www.domains4bitcoins.com/)
  • NameCheap (https://www.namecheap.com/)
  • ChangeIP (https://www.changeip.com/)
  • Njalla (https://njal.la/)

All the facts above can make the more sceptical among us doubt the intentions of Celas LLC and the legitimacy of this business. Of course, these facts alone would not be enough to accuse Celas LLC of committing a crime.

Attribution

Kaspersky Lab has previously attributed the Fallchill malware cluster to the Lazarus group, when it attacked the financial sector around the world. This was also confirmed by other security vendors and by the US national CERT.

RC4 key from the older Fallchill

Fallchill malware uses the RC4 algorithm with a 16-byte key to protect its communications. The key extracted from the Fallchill variant used in the current attack is DA E1 61 FF 0C 27 95 87 17 57 A4 D6 EA E3 82 2B.

Current RC4 key of Fallchill

We were able to confirm that some of older Fallchill malware variants used exactly the same RC4 key. Below are Fallchill malware samples that used the same key (the compilation timestamp may indicate the date of malware creation).

MD5 Timestamp
81c3a3c5a0129477b59397173fdc0b01 2017-05-26 23:37:04
6cb34af551b3fb63df6c9b86900cf044 2017-06-09 17:24:30
21694c8db6234df74102e8b5994b7627 2017-11-07 17:54:19
5ad7d35f0617595f26d565a3b7ebc6d0 2015-10-24 01:52:11
c501ea6c56ba9133c3c26a7d5ed4ce49 2017-06-09 03:59:43
cafda7b3e9a4f86d4bd005075040a712 2017-11-07 17:54:33
cea1a63656fb199dd5ab90528188e87c 2017-06-12 19:25:31
6b061267c7ddeb160368128a933d38be 2017-11-09 17:18:06
56f5088f488e50999ee6cced1f5dd6aa 2017-06-13 08:17:51
cd6796f324ecb7cf34bc9bc38ce4e649 2016-04-17 03:26:56

Same C2 server with older Fallchill

We have confirmed that the C2 server addresses (196.38.48[.]121, 185.142.236[.]226) used in this attack have been used by the older variant of Fallchill.

MD5 Timestamp
94dfcabd8ba5ca94828cd5a88d6ed488 2016-10-24 02:31:18
14b6d24873f19332701177208f85e776 2017-06-07 06:41:27
abec84286df80704b823e698199d89f7 2017-01-18 04:29:29

Overlap of C2 infrastructure

Apparently, the attackers using the Fallchill malware continue to reuse code and C2 server infrastructure over and over again.

According to Kaspersky Security Network, Fallchill was not the only malware used in this attack. There was another backdoor that was used by the threat actor. We omit a full description of this backdoor in the current report to keep the write-up to an acceptable length, but we would like to highlight two important things discovered in it. First, this backdoor was created on 2018-07-12 and revealed an already familiar directory, “TManager”, which we previously saw in the Updater.exe application from the Celas Trade Pro suite:

H:\DEV\TManager\all_BOSS_troy\T_4.2\T_4.2\Server_\x64\Release\ServerDll.pdb

Second, what is probably one of the most interesting findings to come from this additional backdoor was discovered hidden in hardcoded headers used to communicate with C2 server. The Accept-Language HTTP header string revealed a language code associated with North Korea. In our experience, this is something we normally don’t see in malware.

Accept-Language: ko-kp,ko-kr;q=0.8,ko;q=0.6,en-us;q=0.4,en;q=0.2

Accept-Language HTTP header value in the body of the backdoor
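A small indicator matcher that pulls the network artefacts scattered through this report into one place: the updater URL, the two hardcoded User-Agent strings, the C2 and related attacker addresses, and the Accept-Language value just shown. This is an added example, not code from the report; the indicator values come from the text, while the proxy log format and the lines in SAMPLE_LOG are constructed for the demonstration (RFC 5737 documentation addresses stand in for ordinary traffic).

```python
"""Indicator matcher for the network artefacts listed in this report.

Added example, not code from the original report. Indicator values are
from the text; the log format and SAMPLE_LOG lines are constructed.
"""
import re

INDICATORS = {
    "updater_url": ["www.celasllc[.]com/checkupdate.php"],
    # Fallchill C2 servers plus the additional attacker servers from telemetry
    "c2_ip": ["196.38.48[.]121", "185.142.236[.]226",
              "80.82.64[.]91", "185.142.239[.]173"],
    "user_agent": [
        "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36",
    ],
    "accept_language": ["ko-kp"],
}


def refang(value):
    """Turn the defanged '[.]' notation used in the report back into a dot."""
    return value.replace("[.]", ".")


# constructed log format: ts src dst method url status "User-Agent" "Accept-Language"
LINE_RE = re.compile(
    r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)" "([^"]*)"$')


def parse_line(line):
    """Split one constructed proxy log line into named fields, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    keys = ("ts", "src", "dst", "method", "url", "status",
            "user_agent", "accept_language")
    return dict(zip(keys, m.groups()))


def match_line(line):
    """Return the list of indicator classes a log line matches (empty if none)."""
    f = parse_line(line)
    if f is None:
        return []
    hits = []
    if any(refang(u) in f["url"] for u in INDICATORS["updater_url"]):
        hits.append("updater_url")
    if f["dst"] in {refang(ip) for ip in INDICATORS["c2_ip"]}:
        hits.append("c2_ip")
    # exact match on the hardcoded UA strings; the IE10 one also occurs in
    # legitimate traffic, so treat a UA-only hit as low confidence
    if f["user_agent"] in INDICATORS["user_agent"]:
        hits.append("user_agent")
    if any(tag in f["accept_language"].lower()
           for tag in INDICATORS["accept_language"]):
        hits.append("accept_language")
    return hits


def scan_log(lines):
    """Return (line_number, line, hits) for every line that matches something."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            results.append((number, line, hits))
    return results


# constructed sample log lines (not real telemetry)
SAMPLE_LOG = [
    '2018-08-20T10:01:02Z 10.0.0.5 185.142.236.213 POST '
    'http://www.celasllc.com/checkupdate.php 200 '
    '"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)" "en-US"',
    '2018-08-20T10:05:00Z 10.0.0.5 196.38.48.121 POST http://196.38.48.121/ 200 '
    '"Mozilla/4.0" "ko-kp,ko-kr;q=0.8,ko;q=0.6,en-us;q=0.4,en;q=0.2"',
    '2018-08-20T10:06:00Z 10.0.0.7 203.0.113.10 GET http://203.0.113.10/index.html 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)" "en-US,en;q=0.9"',
]

if __name__ == "__main__":
    for number, line, hits in scan_log(SAMPLE_LOG):
        print(number, hits)
```

The URL, C2 address and Accept-Language matches are high-fidelity on their own; the User-Agent matches are only useful in combination with one of the others, which is why the function returns every matched class and leaves the weighting to whoever consumes the result.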

Conclusions

The Lazarus APT group’s continuous attacks on the financial sector are not much of a surprise to anyone. A lot of research has been done and published about such attacks. However, we think this case makes a difference. Recent investigation shows how aggressive the group is and how its strategies may evolve in the future.

First of all, Lazarus group has entered a new platform: macOS. There is steadily growing interest in macOS from ordinary users, especially in IT companies. Many developers and engineers are switching to using macOS. Apparently, in the chase after advanced users, software developers from supply chains and some high profile targets, threat actors are forced to have macOS malware tools. We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once.

We cannot say with full certainty whether Celas LLC was compromised and the threat actor abused it to push malware through an update mechanism. However, the multiple successful Lazarus attempts to compromise supply chain companies suggest that it will keep exploring this infection method. From all angles, the Celas LLC story looks like the threat actor has found an elaborate way to create a legitimate-looking business and inject a malicious payload into a “legitimate-looking” software update mechanism. Sounds logical: if one cannot compromise a supply chain, why not make a fake one?

This should be a lesson to all of us and a wake-up call to businesses relying on third-party software. Do not automatically trust the code running on your systems. Neither a good-looking website, nor a solid company profile, nor digital certificates guarantee the absence of backdoors. Trust has to be earned and proven. Stay safe!

Previous ArticleNext Article

Marine Moguls by MetFi $5.9 Million ERC-404 Airdrop Making Early Waves 5297

This groundbreaking initiative, leveraging the innovative ERC-404 protocol, is not only redefining the landscape of token and NFT distribution but also setting new records for engagement and community growth.

A Tsunami of Participation and Engagement

Since its launch, the Marine Moguls airdrop has seen a surge in activity, with thousands of enthusiasts joining the campaign, eager to be part of this unique opportunity. The promise of sharing 30% of $MOGULS among all airdrop participants has fueled an unprecedented level of interest, demonstrating the crypto community’s robust appetite for innovative and rewarding projects.

MetFi’s social media channels have been at the forefront of this tidal wave of enthusiasm, witnessing an extraordinary increase in user engagement — up to 17,000% in some cases. The growth in new followers and subscribers has been equally impressive, with some channels experiencing over a 100% increase in a few short weeks. This spike in engagement is a testament to the community’s excitement and support for the Marine Moguls project.

There’s Still Time to Dive In

With the airdrop running until May 21, 2024, there’s still ample opportunity for interested participants to join the campaign and secure their free $MOGUL tokens and NFTs. This initiative not only offers an accessible entry into the world of NFTs and tokens but also exemplifies the potential of blockchain technology to create engaging and inclusive community experiences.

Distribution and Innovation: The Heart of Marine Moguls

At the core of the Marine Moguls campaign is the innovative ERC-404 protocol, a pioneering technology that merges the best features of fungible ERC-20 and non-fungible tokens ERC-721 into a single ERC-404 smart contract thereby creating a seamless experience. This protocol ensures that NFT owners enjoy instant NFT liquidity and fractional ownership of NFTs, encapsulating the best of both worlds.

As previously announced, 3,000 Marine Mogul tokens and NFTs, representing 30% of the total supply, are being distributed through this airdrop. Participants generate points on the Marine Moguls Airdrop page, which will convert into $MOGUL tokens and NFTs at the Token Generation Event (TGE) scheduled for May 25, 2024. The campaign highlights the distribution of 2,500 NFTs with hidden prizes valued at ~$2.9 Million USDT and the allocation of 3,900 $MOGUL tokens to users who engage in staking, with the potential for high APY based on participation.

ERC-404: The Future of Token and NFT Interaction

The ERC-404 protocol’s dual nature facilitates a dynamic and fluid user experience, allowing for immediate liquidity of NFTs and fractional ownership of the Marine Moguls NFT collection. This innovative approach addresses common challenges in NFT trading, offering a more efficient and user-friendly model.

Looking Forward

As the Marine Moguls by MetFi campaign continues to make waves, it remains a beacon of innovation and community in the digital asset space. The enthusiasm and engagement from the community underscore the potential of inclusive, technologically advanced projects to shape the future of finance and digital collectibles.

To be part of this exciting journey, participants are encouraged to explore the Marine Moguls Airdrop campaign and join before the closing date on May 21, 2024. For more information, visit the Marine Moguls website and follow their social media channels for the latest updates.

About Marine Moguls by MetFi

Marine Moguls by MetFi represents a pioneering venture in the digital asset space, owned and powered by the visionary MetFi DAO. This innovative project is setting a new standard for the integration of technology and community in the blockchain arena. At its heart, Marine Moguls is not just a campaign but a revolution in how tokens and NFTs can coexist and complement each other through the cutting-edge ERC-404 protocol.

Designed to bridge the gap between the fungibility of tokens and the uniqueness of NFTs, Marine Moguls offers participants a unique opportunity to engage with the blockchain in a way that is both rewarding and revolutionary. The project’s commitment to instant NFT liquidity and fractional NFT ownership reflects a forward-thinking approach to digital assets, making it accessible and appealing to a broad audience.

By participating in the Marine Moguls by MetFi airdrop campaign, community members are not only part of an airdrop; they are at the forefront of an evolving ecosystem that challenges conventional notions of value and ownership in the digital age. Marine Moguls is a testament to MetFi’s innovative spirit and dedication to creating a more inclusive, dynamic, and valuable digital future for all.

Social Media Links

Website: https://marinemoguls.com
Telegram Chat: https://t.me/MetFiChat
Telegram News: https://t.me/MetfiNews
Discord: https://discord.gg/MetFiDAO
YouTube: https://www.youtube.com/@MetFiDAO
TikTok: https://www.tiktok.com/@Metfidao.Official
Certik: https://skynet.certik.com/projects/metfi
Medium: https://medium.com/@MetFi_DAO
LinkedIn: https://www.linkedin.com/company/MetfiOfficial
GitHub: https://github.com/metfi
CoinMarketCap: https://coinmarketcap.com/currencies/metfi2
CoinGecko: https://www.coingecko.com/en/coins/metfi
Instagram: https://instagram.com/metfidao

ICB Network Enters New Era of Blockchain Technology With Advanced Layer 1 Project 6255

During this crucial period for the crypto industry, ICB Crypto Services is ready to announce the early launch of the Ideal Cooperation Blockchain (ICB) Network. Designed by ICB Labs, the ICB Network is a Layer 1 blockchain project created to raise the standards of scalability, security, and efficiency in the blockchain space. The ICB Network represents a significant advance in blockchain innovation, with an official ICO-level launch scheduled for Q1 2024.

Transformative Innovations

The adoption of the Proof of Stake (PoS) consensus mechanism is at the core of the ICB Network’s innovation. It is a strategic move away from traditional Proof of Work (PoW) systems. This transition enhances transaction throughput and network scalability, and significantly reduces the environmental footprint of blockchain operations. Furthermore, the ICB Network aims to ensure security and efficiency by collaborating with leading auditing companies such as CertiK and by implementing comprehensive Know Your Customer (KYC) processes.

Bright Future Ahead

“The ICB Network is set to revolutionize blockchain innovation with its PoS consensus, scalability, and commitment to security. Our platform provides developers and users with a robust infrastructure for building and using decentralized applications across various industries,” stated the CEO of ICB Crypto Services.

This vision encapsulates the essence of the ICB Network’s mission to motivate developers and users, creating a more inclusive and efficient blockchain ecosystem.

Expansive Roadmap and Collaborative Endeavors

Looking forward, the ICB Network has outlined an extended roadmap that includes the introduction of trading activities, play-to-earn games, metaverse functionalities, a native wallet, and an NFT Marketplace. These components, in combination with strategic partnerships with developer communities, underscore the network’s commitment to boosting innovation and collaboration. Moreover, plans are underway for the listing of the ICB Network’s native coin, ICBX, on centralized and Tier 1 exchanges, further solidifying its presence in the blockchain industry.

About ICB

Established in October 2020, ICB Labs represents the innovative arm of ICB Crypto Services, dedicated to addressing the challenges faced in the blockchain and cryptocurrency sectors. Through the use of cutting-edge technologies and adherence to the Ethereum Virtual Machine (EVM) standard, ICB Labs has developed the ICB Network to facilitate efficient, secure, and scalable blockchain solutions. The launch of the ICB Network signifies a major milestone for ICB Crypto Services, marking its entry into the blockchain industry with a vision to drive positive changes and promote a new era of digital excellence.

For more information about the ICB Network and its innovative solutions, visit the official website at https://www.icb.network/ or follow the latest updates through the network’s official channels:

X/Twitter: https://twitter.com/icbx_network
Telegram: https://t.me/icbnetwork_official
YouTube: https://youtube.com/@icbcryptoservices?feature=shared
Discord: https://discord.com/invite/rGRUgrbC4D
Medium: https://readicbnetwork.medium.com/

R Games, World’s First AI and Gaming Token, Is Set to Launch on Top Exchanges

R Games, the Most Hyped AI and GameFi Project of 2024, an innovative gaming platform set to launch on Binance Smart Chain (BSC) & Solana Network, is on the cusp of a groundbreaking milestone as it gears up for the listing of its native token, $RGAME. This pivotal event represents a significant leap forward for the platform, set to redefine the gaming landscape within the Web3 ecosystem.

Distinguishing itself with cutting-edge features and a commitment to user empowerment, R Games offers a dynamic gaming experience infused with advanced AI technology and intricate automotive design elements. The platform’s fully customized approach, powered by Unreal & Unity engines, ensures an immersive and interactive gameplay environment.

Key features of R Games include interoperable NFTs, user-generated content capabilities, and AI-integrated designs that deliver precision engineering and unmatched visual appeal. This unique combination sets R Games apart as a frontrunner in the Web3 AI and Gaming sector, catering to seasoned gamers and newcomers alike.

As R Games prepares for its Token Generation Event (TGE) on April 8th, 2024, excitement is mounting within the gaming community. The platform has already garnered significant traction, with partnerships in progress with prominent automotive brands and a growing user base comprising over 50,000 gamers from Fabwelt Studios and 300,000 gamers onboarding from WEMIX Play. Additionally, collaborations with over 200 KOLs (Key Opinion Leaders) worldwide and influencers with a combined success of over $1B further solidify R Games’ position as a game-changer in the gaming industry.

The upcoming Initial DEX Offering (IDO) on platforms such as DAOMaker, Poolz Finance, Finceptor and Paragen, together with listings on centralized and decentralized exchanges such as Gate, MEXC, PancakeSwap, Raydium and BingX, marks a crucial step in R Games’ journey towards widespread adoption and market penetration.

The $RGAME token’s Fully Diluted Valuation will be set at $7.5M, with an initial market capitalization of $296,250.

Supported by advisors and backers such as Ferrum Network, Lavender Capital, BMW Capital, Qu Ventures, IBC Group, Oddiyana Ventures, Mario Nawfal, Sky Wee, Yuen Wong, Robby Joe, and Rajan Raj among others, R Games is well-equipped to navigate the dynamic Web3 landscape and unlock its full potential.

Produced by Dubai-based Gyros Studios formerly known as Fabwelt Studios, R Games leverages state-of-the-art gaming development tools and AI-driven game design to deliver a seamless and captivating gaming experience. With a keen focus on user engagement and community building, R Games is poised to become a frontrunner in the ever-evolving Web3 gaming ecosystem.

As the countdown to TGE and IDO commences, R Games invites gamers, investors, and enthusiasts alike to join its journey towards revolutionizing the gaming industry and unlocking new possibilities in the Web3 world.

Who are the Founders of R Games?

The R Games team comes from Gyros Studios LLC (formerly known as Fabwelt Studios LLC), a studio venture that has built numerous successful blockchain games.

Loet de Hooge, Abhishek Pegada, and Rubina Naaz are the visionary founders of R Games, bringing together their diverse expertise and passion for gaming and blockchain technology. Loet de Hooge is known for his technical prowess and innovation, Abhishek Pegada contributes his strategic leadership and business acumen, while Rubina Naaz brings a creative and user-centric approach to the team.

Loet de Hooge has a background in Technical development and entrepreneurship, having successfully led previous ventures to success. Abhishek Pegada is a seasoned developer with a deep understanding of blockchain technology and its applications in gaming. Rubina Naaz is an experienced game designer and business head with a knack for creating engaging and immersive user experiences.

Highlights of R Games

The Alpha Version of R Games was officially launched on April 4th, 2024, at 14:00 UTC, having undergone extensive testing within their close-knit community. This testing phase has garnered overwhelmingly positive feedback, particularly regarding the game’s graphics, which are likened to Web3’s Asphalt. The seamless integration of high-end quality graphics has generated significant anticipation within the R Games Community leading up to the Alpha Launch.

Looking towards the future, R Games has ambitious plans in store. Development efforts are focused on implementing upgrades such as an advanced Upgrade System, Virtual Garage, and AI integration. These additions will provide users with various earning opportunities through models like Develop-to-Earn, Watch-to-Earn, and Play-to-Earn.

Within the game, players can fine-tune and electronically upgrade all vehicle models within the workshop, offering a customizable experience. The integration of AI technology allows users to effortlessly design their car characters, even without technical expertise. The roadmap also includes diverse modes like Formula One, Street Racing, Story Mode, and Off-Road Racing to cater to a broad audience.

For the Alpha version, the spotlight is on Circuit Racing, featuring professional racing tracks that promise an immersive experience. This comprehensive approach is designed to appeal to racers, automotive engineers, and car enthusiasts alike.

Co-founder Abhishek Pegada’s background as an Automotive Engineer has played a pivotal role in shaping R Games’ unique vision. His insight into the field’s dynamics has fueled the belief that many automotive engineers would relish the opportunity to work on passion projects during their leisure time. This vision has been realized through R Games’ innovative AI technology.

The collaborative efforts of the R Games team with a group of automotive engineers and R&D experts have resulted in the creation of original and innovative designs that enhance the R Games Ecosystem.

About R Games

R Games is a leading gaming platform built on Solana and Binance Smart Chain, offering a diverse range of gaming experiences powered by advanced AI and cutting-edge technology. With a focus on user engagement, innovative gameplay mechanics, and strategic partnerships, R Games is set to redefine the gaming landscape in the Web3 era.

SafeMars Expands To Solana

In a bold move towards further decentralization and expansion, SafeMars, the pioneering decentralized finance (DeFi) project, has extended its reach beyond Binance Smart Chain (BSC) to Solana, igniting fresh excitement within the crypto community. Having reached a record all-time-high (ATH) market capitalization of $1 billion on BSC in 2021, SafeMars stealth-launched on Solana on March 30, 2024, under the guidance of its original developers, who are now determined to replicate their prior success on this new chain.

SafeMars emerged on the DeFi scene in 2021, swiftly capturing the attention of investors and enthusiasts alike with its innovative approach towards community-driven initiatives and tokenomics. Its meteoric rise to a staggering $1 billion market cap on BSC showcased not only its potential but also the trust it garnered from its ever-growing community.

The recent stealth launch on Solana signifies a strategic move by SafeMars to explore new horizons and tap into the vast opportunities offered by alternative blockchain networks. With the same visionary developers at the helm, SafeMars aims to replicate and surpass its previous achievements, setting its sights on establishing a strong presence on the Solana chain.

One of the key driving forces behind SafeMars’s success lies in its robust social media presence and engagement. Boasting a massive Twitter following of 135,000 loyal supporters, SafeMars has fostered a vibrant online community that actively participates in discussions, stays updated on project developments, and spreads awareness about the project’s mission and goals. This dedicated community has played a pivotal role in driving adoption and fueling SafeMars’s growth trajectory.

SafeMars’s expansion to Solana represents not only a significant milestone for the project but also a testament to its resilience and adaptability in the ever-evolving landscape of decentralized finance. By leveraging the high-performance capabilities of the Solana blockchain, SafeMars aims to enhance scalability, reduce transaction costs, and provide users with a seamless and efficient DeFi experience.

As the crypto market continues to evolve and mature, projects like SafeMars are at the forefront, pushing the boundaries of innovation and driving widespread adoption of decentralized technologies. With its successful track record, passionate community, and ambitious vision, SafeMars is poised to carve out a prominent niche in the burgeoning Solana ecosystem, ushering in a new era of decentralized finance.

In conclusion, SafeMars’s expansion to Solana marks an exciting new chapter in its journey towards redefining the future of decentralized finance. With its proven track record, experienced team, and unwavering community support, SafeMars is well-positioned to make a significant impact on the Solana blockchain and continue its mission of democratizing access to financial services for users worldwide.

Twitter: https://twitter.com/Safemartians
Telegram: https://t.me/safemarssolentry
Website: https://safemarscrypto.com/

Introducing BounceBit Testnet Phase 2: App Store

Following the success of BounceBit Testnet: BounceClub East-to-West Event launched on March 8, 2024, BounceBit announces the rollout of BounceBit Testnet Phase 2: App Store.

While the previously launched Testnet BounceClub Event will operate as usual without any changes, BounceBit Testnet Phase 2 highlights the BounceBit App Store’s features and encourages developers to deploy on the BounceBit Testnet by submitting their decentralized applications (DApps) to the BounceBit App Store through a GitHub pull request.

BounceBit Testnet Phase 2 mirrors the mainnet environment, offering developers, validators, full node operators, delegators, and users an early preview of the BounceBit Mainnet. This phase welcomes everyone to interact with the BounceBit PoS staking chain and the BounceClub ecosystem.

Here’s what you can expect from BounceBit Testnet Phase 2:

Deploy on BounceBit testnet

BounceBit Testnet Phase 2 offers developers the chance to get an early experience of deploying on the BounceBit chain by submitting their DApps to be listed on the BounceBit App Store. The BounceBit App Store features both in-house DApps and those built by community developers or external projects. To have your DApp listed on the BounceBit App Store, submit a pull request on BounceBit’s GitHub repository. The BounceBit team will then review and, if approved, list your DApp on the BounceBit App Store. DApps that are listed during Testnet Phase 2 will receive priority consideration for being listed on the BounceBit Mainnet App Store based on their performance.

For more details on the onboarding process, please refer to BounceBit’s official guide.

Stress-testing DApps

BounceClub owners and users are invited to participate in testing all DApps that are listed on the BounceBit Testnet App Store. BounceClub owners can select and add DApps to their BounceClubs, while BounceClub users can interact with the DApps when exploring different BounceClubs.

The BounceClub community plays a crucial role in evaluating the listed DApps’ performance and security, identifying vulnerabilities that need to be addressed. This Testnet Phase 2 contributes to the resilience and reliability of the BounceBit ecosystem, striving to maintain a smooth and secure environment for all BounceBit users.

Onboarding more validators

The BounceBit Testnet has kicked off with its first set of node operators during the BounceClub East-to-West Event. Currently, there are 24 active validators participating, with a combined staking amount totaling over 1000 $BBTC and over 283 million $BB.

For Testnet Phase 2, BounceBit aims to broaden the network by inviting more validators to participate. New validators will be guided through the onboarding process for Phase 2 via Discord.

Testing BounceBit’s tokenomics

BounceBit Testnet Phase 2 will continue the rigorous testing of BounceBit’s tokenomics, including token generation events (TGE), inflation rates, vesting schedules, gas fees, block sizes, and the validator slashing mechanism. Additionally, the BounceBit native LSD module’s performance will be observed continually.

About BounceBit

BounceBit is building a BTC restaking infrastructure that provides a foundational layer for different restaking products, secured by the regulated custody of Mainnet Digital and Ceffu. The BounceBit chain, designed as a showcase of a restaking product within the BounceBit ecosystem, is a PoS Layer 1 secured by validators staking both BTC and BounceBit’s native token: a dual-token system that leverages native Bitcoin’s security with full EVM compatibility. Critical ecosystem infrastructure such as bridges and oracles is secured by restaked BTC. Through an innovative CeDeFi framework, BounceBit empowers BTC holders to earn yield across multiple networks.

MVC unveils testnet version of game-changing Bitcoin sidechain asset bridge

The Bitcoin ecosystem has recently been in the spotlight, with the emergence of innovative solutions such as the BRC20 concept and the continuous evolution of applications that captivate the market’s interest. This resurgence evokes memories of the DeFi summer of 2020 on the Ethereum network, where decentralized applications thrived alongside a surge in token prices, setting the stage for high expectations for the Bitcoin ecosystem. In a significant development, the much-anticipated Bitcoin ecosystem application, MicrovisionChain (MVC, Ticker $SPACE), has announced the testnet version of its cross-chain asset bridge feature, marking a game-changing milestone for the Bitcoin sidechain.

Developed through a collaboration between the MVC technical team and the Octopus Space team, the Orders Bridge is now a part of the MVC ecosystem. Currently, the Bridge facilitates cross-chain transactions exclusively from the Bitcoin network to the MVC network. MVC stands as one of the top three global Bitcoin sidechain solutions in terms of hash power and boasts impressive technical features, including smart contracts on UTXO public chains, low fees with high concurrency, and high throughput. Previous reports suggest that MVC can support nearly unlimited transactions per second (TPS).

By bridging assets to the MVC network, users can leverage the numerous advantages offered by the network’s features, effectively overcoming many limitations associated with transactions on the native Bitcoin network. The MVC solution offers significant cost savings, as cross-chain transaction fees to MVC are reported to be one five-hundred-thousandth of the peak rates on the Bitcoin network. Moreover, due to MVC’s network characteristics, transactions can be accepted with zero confirmations, so network congestion and block confirmation delays no longer obstruct trading. Unlike other Bitcoin cross-chain solutions, assets bridged to MVC remain tokens on the UTXO layer 1, significantly reducing the risk of “fake tokens.”

Beyond its groundbreaking asset bridge, Orders.Exchange also encompasses an order book DEX, Swap, and liquidity pools within its ecosystem. The platform gained widespread attention for being the first in the network to support a complete range of trading order types. It enables the trading of any Bitcoin asset, including Ordinals NFTs and BRC20 tokens, through the creation of ASK and BID orders. This approach ensures that the immediate trading needs of both buyers and sellers can be met. Notably, Orders.Exchange is the only platform in the Bitcoin ecosystem that supports the construction of BID orders, distinguishing it as a unique service provider in the space.

In its Swap and liquidity pool solutions, Orders.Exchange demonstrates strong technical capabilities and a commitment to decentralization and asset security. According to information disclosed by the team, its Swap and liquidity pool frameworks are built on a decentralized architecture. This framework splits users’ orders into several parts, each handled by different modules within the framework. Some modules solely process user operation data without touching the transaction data, while others are dedicated to allocating funds based on the orders without interpreting the transactions themselves. The modules operate independently without sharing data, significantly reducing the potential for losses due to hacking attacks. Impressively, this complex logic is executed within a single block, meaning Swap transactions only require confirmation in one block.

The liquidity pool is particularly critical, as it holds a significant amount of user assets, and inadequate security could expose users to financial risks. Orders.Exchange employs cold and hot wallet segregation along with a threshold multisignature approach for fund management. In the hot wallet (online environment), Orders.Exchange stores only a minimal amount of assets necessary for basic services. Assets exceeding this threshold are transferred to the cold wallet (offline environment), which replenishes the hot wallet only when its assets fall below the threshold.

To isolate cold and hot wallets, Orders.Exchange uses threshold multisignature, so that no single party can move funds on their own, limiting the scope for internal misconduct. For the hot wallet, a 2-of-3 threshold multisignature is used: three parties hold the multisig private keys, and any transaction requires signatures from at least two of them to proceed. The cold wallet employs a 3-of-5 threshold multisignature, underscoring a heightened emphasis on asset security. The institutions involved in the multisignature management are well-known security audit firms, each with a reputation to maintain. Known participants include sCrypt, a reputable Bitcoin network audit firm, and Scalebit, which has officially announced its audit work. Notably, Orders.Exchange plans to co-host a public seminar on asset security with the renowned audit firm CertiK in early April.
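The following Python model is an added illustration of the treasury policy described in the two paragraphs above (a hot wallet kept at a small float, a cold wallet that only tops it up when the float is breached, and spends that are valid only with m-of-n approvals). It is example code written for this page, not Orders.Exchange’s implementation: the key-holder names A–C and P–T, the 0.01 BTC float and all amounts are hypothetical, and approvals are modelled as key-holder identifiers rather than real Bitcoin signatures, which the actual multisig script would verify on-chain.

```python
from dataclasses import dataclass


class PolicyError(Exception):
    """Raised when a spend violates the wallet's signing or balance policy."""


@dataclass
class MultisigWallet:
    """An m-of-n wallet: a spend is authorised only when at least
    `threshold` distinct holders out of `signers` have approved it."""
    name: str
    threshold: int        # m
    signers: frozenset    # the n key holders (hypothetical identifiers)
    balance: int = 0      # satoshi

    def __post_init__(self):
        if not 1 <= self.threshold <= len(self.signers):
            raise ValueError(f"{self.name}: threshold must be in 1..{len(self.signers)}")

    def authorise(self, approvals):
        # Duplicate approvals and approvals from keys outside the set do not
        # count: one insider approving twice is still one signature.
        distinct = set(approvals) & self.signers
        if len(distinct) < self.threshold:
            raise PolicyError(
                f"{self.name}: {len(distinct)} of {self.threshold} required approvals")

    def debit(self, amount, approvals):
        self.authorise(approvals)
        if amount <= 0 or amount > self.balance:
            raise PolicyError(f"{self.name}: cannot debit {amount} from {self.balance}")
        self.balance -= amount
        return self.balance


class Treasury:
    """Hot/cold segregation: the hot wallet is held at `hot_float`, anything
    above it is swept to cold, and cold refills hot only once it has fallen
    below the float. Hot moves need hot signers; cold moves need cold signers."""

    def __init__(self, hot, cold, hot_float):
        self.hot, self.cold, self.hot_float = hot, cold, hot_float

    def deposit(self, amount):
        """Incoming user funds land in the hot wallet (no approvals needed)."""
        if amount <= 0:
            raise PolicyError("deposit must be positive")
        self.hot.balance += amount
        return self.hot.balance

    def withdraw(self, amount, hot_approvals):
        """User withdrawals are served from the hot wallet only; a request the
        float cannot cover fails instead of reaching into cold storage."""
        return self.hot.debit(amount, hot_approvals)

    def sweep_excess(self, hot_approvals):
        """Move everything above the float from hot to cold; returns the amount."""
        excess = self.hot.balance - self.hot_float
        if excess <= 0:
            return 0
        self.hot.debit(excess, hot_approvals)
        self.cold.balance += excess
        return excess

    def replenish(self, cold_approvals):
        """Top hot back up to the float from cold, capped by what cold holds."""
        shortfall = self.hot_float - self.hot.balance
        amount = min(shortfall, self.cold.balance)
        if amount <= 0:
            return 0
        self.cold.debit(amount, cold_approvals)
        self.hot.balance += amount
        return amount


def build_treasury(hot_float=1_000_000):
    """2-of-3 hot wallet and 3-of-5 cold wallet, as in the text; float of 0.01 BTC."""
    hot = MultisigWallet("hot", 2, frozenset({"A", "B", "C"}))
    cold = MultisigWallet("cold", 3, frozenset({"P", "Q", "R", "S", "T"}))
    return Treasury(hot, cold, hot_float)


def run_demo():
    """Deposit, sweep, serve a withdrawal, refill; returns (hot, cold) balances."""
    t = build_treasury()
    t.deposit(5_000_000)            # hot 5,000,000
    t.sweep_excess({"A", "B"})      # hot 1,000,000, cold 4,000,000
    t.withdraw(800_000, {"A", "C"}) # hot   200,000
    t.replenish({"P", "Q", "R"})    # hot 1,000,000, cold 3,200,000
    return t.hot.balance, t.cold.balance


if __name__ == "__main__":
    print(run_demo())
```

The edge cases worth keeping in mind are the ones the policy exists for: a single hot-key holder, a holder approving twice, or an approval from a key outside the set cannot move hot funds; two cold-key holders cannot refill the float; and a withdrawal larger than the float is refused rather than silently drawing down cold storage.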

With the multitude of positive developments surrounding Bitcoin and the approaching halving event, there is every reason to believe that the potential of the Bitcoin ecosystem is fully comparable to that of the Ethereum ecosystem at its inception. At this juncture, closely monitoring the movements within the Bitcoin ecosystem becomes particularly crucial. Orders.Exchange stands out as the most technically accomplished platform with already implemented functionalities, and we believe it possesses significant potential, heralding a new era for Bitcoin sidechain solutions.

Twitter: https://x.com/mvcglobal

TG: https://t.me/mvcofficial