Hackers are airdropping malicious NFTs to Solana users to steal wallets

SNEAK PEEK

  • Hackers are airdropping NFTs to Solana cryptocurrency users in order to steal cryptocurrency wallets and install password-stealing malware.
  • Wallet owners who open the NFTs are told that a new security update has been issued and that they should visit the website or click the link.
  • The exact password-stealing trojan in the current wave has not been identified, but earlier waves delivered a file named lib64.exe.

Hackers are airdropping NFTs to Solana cryptocurrency users, disguised as security updates for the Phantom wallet, in order to steal cryptocurrency wallets and install password-stealing malware.

Two weeks ago, NFTs titled “PHANTOMUPDATE.COM” or “UPDATEPHANTOM.COM” were airdropped, purporting to be alerts from the Phantom developers.

When a wallet owner opens one of these NFTs, it tells them that a new security update has been released and that they should visit the website, or click the link enclosed in the message, to download and install it.

“Phantom mandates wallet updates for all users. You must complete this as soon as you can,” reads the warning in the fake Phantom update NFT.

When visited from any device, desktop or mobile, these websites automatically download a Windows batch file named Phantom Update 2022-10-08.bat [VirusTotal] from Dropbox. Earlier campaigns delivered executables named Phantom Update 2022-10-04.exe instead.

The batch file first checks whether it is running with administrator rights; if it is not, it triggers a Windows UAC prompt to request them.

The campaign's payload, windll32.exe, is according to VirusTotal a password-stealing malware that tries to collect browser data, including history, cookies, and passwords, as well as SSH keys and other details.
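The infection chain above leaves a recognisable trail in endpoint telemetry: a batch file run from a browser download folder, a process that then reaches high integrity after the UAC prompt, and the file names reported on VirusTotal. The following triage script is an added example and not part of the original report or of any vendor tool; it runs over a handful of constructed Sysmon Event ID 1 (process creation) records, and the user name, paths and process IDs in them are invented for illustration.

```python
"""Triage of Sysmon process-creation events for the fake Phantom updater chain.

Added example, not part of the original report. The records in SAMPLE_EVENTS
are constructed to mimic Sysmon Event ID 1 fields (Image, CommandLine,
IntegrityLevel, ParentImage); the user, paths and PIDs are invented.
"""
import re

# File names named in the report. They are weak indicators on their own, since
# the campaign renamed its files between waves, so the behavioural rules below
# carry more weight than this list.
KNOWN_NAMES = {
    "phantom update 2022-10-08.bat",
    "phantom update 2022-10-04.exe",
    "windll32.exe",
    "lib64.exe",
}

# User-writable locations a browser download or a dropped payload ends up in.
USER_WRITABLE_DIRS = re.compile(r"\\(downloads|appdata\\local\\temp)\\", re.IGNORECASE)
# A .bat/.cmd whose name mentions "update", as the fake Phantom updater did.
UPDATE_SCRIPT = re.compile(r"update[^\\]*\.(bat|cmd)\b", re.IGNORECASE)


def triage(events):
    """Return (rule, ProcessId) findings for a batch of Sysmon Event ID 1 dicts.

    Rules fire independently, so one process can produce several findings.
    """
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        cmdline = ev.get("CommandLine", "")
        name = image.rsplit("\\", 1)[-1].lower()

        # Rule 1: cmd.exe running an "update" batch script out of a download
        # or temp directory. Legitimate updaters are installed binaries, not
        # scripts sitting in the user's Downloads folder.
        if name == "cmd.exe" and UPDATE_SCRIPT.search(cmdline) and USER_WRITABLE_DIRS.search(cmdline):
            findings.append(("update_script_from_downloads", ev["ProcessId"]))

        # Rule 2: a binary located in a user-writable path running at High
        # integrity, consistent with the user having accepted the UAC prompt
        # the script raised. Tune with an allow-list of signed installers.
        if ev.get("IntegrityLevel") == "High" and USER_WRITABLE_DIRS.search(image):
            findings.append(("elevated_from_user_writable_path", ev["ProcessId"]))

        # Rule 3: file names reported for this campaign, either as the image
        # itself or anywhere on the command line.
        lowered = cmdline.lower()
        if name in KNOWN_NAMES or any(k in lowered for k in KNOWN_NAMES):
            findings.append(("known_campaign_file_name", ev["ProcessId"]))
    return findings


# Constructed sample telemetry: one benign browser start, the fake updater being
# run from Downloads, the elevated payload it dropped, and a benign vendor
# updater that must not fire any rule.
SAMPLE_EVENTS = [
    {"ProcessId": 3022, "IntegrityLevel": "Medium",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4120, "IntegrityLevel": "Medium",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\Downloads\Phantom Update 2022-10-08.bat"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 4188, "IntegrityLevel": "High",
     "Image": r"C:\Users\alice\AppData\Local\Temp\windll32.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\windll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 5210, "IntegrityLevel": "High",
     "Image": r"C:\Program Files\Vendor\Updater.exe",
     "CommandLine": r'"C:\Program Files\Vendor\Updater.exe" /silent',
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


if __name__ == "__main__":
    for rule, pid in triage(SAMPLE_EVENTS):
        print(f"{rule}: PID {pid}")
```

Rule 2 is the noisy one: any installer the user runs from Downloads and elevates will trip it, so in production it should be paired with rule 1 on the parent process or gated on an allow-list of signed installers. Rule 3 is the brittle one and will stop matching as soon as the actors rename the files, which is why the behavioural rules are kept separate from it.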

The exact family of the password-stealing trojan in the current wave has not been identified, but earlier campaigns delivered a file named lib64.exe [VirusTotal], which was identified as MarsStealer.

MarsStealer, an information-stealing malware introduced in 2020, harvests data from several cryptocurrency extensions and wallets, two-factor authentication plugins, and all widely used web browsers.

The campaign's objective is most likely to obtain cryptocurrency wallets and passwords, which would allow the threat actors to drain the victims' funds and compromise their other accounts.

Anyone who fell for the bogus Phantom security update should run an antivirus scan right away and then move their cryptocurrency funds and assets out of the old Phantom wallet into a new one created with a fresh seed phrase, since the old wallet's keys may already have been exfiltrated.

After that, victims should change their passwords across all of their accounts, ideally from a device that was not infected, paying special attention to email accounts, bank accounts, online wallets, and other important platforms.