Pixelmon NFT site gets faked to lure users into downloading malware

May 18, 2022

NFT enthusiasts have become the newest target of a cybercrime campaign in which threat actors created a fake Pixelmon NFT website that infects victims with cryptocurrency wallet-stealing malware. Pixelmon NFT is a project that aims to build a metaverse game in which users collect and train in-game pets and battle other players with them.

As the NFT platform grew popular, threat actors took the opportunity to imitate its official website in order to spread malware and steal from players. The replicated website offers visitors executables that install the malware on their devices.

According to the researchers' analysis, the malicious website instructs the user to download a zip file named setup[.]zip, which infects the device once its contents are run. The setup[.]zip file contains a setup[.]lnk file, a Windows shortcut, that launches a PowerShell command to download a system32[.]hta file from pixelmon[.]pw.

The system32[.]hta file then downloads the password-stealing malware that infects the victims, known as Vidar. From previous analysis of the malware, the researchers noted that upon execution on the compromised device, the malware's operators would connect to their Telegram channel to retrieve the IP address of Vidar's C2 server.

From the C2, Vidar retrieves a configuration command and then downloads additional modules to steal data from the victims' compromised devices. Once deployed, the malware can steal passwords from the victims' browsers and applications and search for files that match specific names. After collecting all desired data, the operators upload it to their servers.
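The delivery chain above (a zip archive carrying a Windows shortcut that launches PowerShell to fetch a remote .hta file) is something a defender can triage before anything is run. The following script is an added example, not code from the article or from the researchers it cites: it walks a zip archive, identifies shortcut entries by the LNK header magic rather than by extension alone, pulls the ASCII and UTF-16LE strings out of each one, and flags entries whose embedded command line references PowerShell, an .hta file, or a remote URL. The sample archive it builds is constructed for the demonstration (the host name is a placeholder, and the shortcut bytes are a minimal stand-in with a valid header, not a spec-compliant .lnk); the string-scan is a triage heuristic, not a full LNK parser.

```python
"""Triage helper: flag Windows shortcut (.lnk) entries inside a zip archive
whose embedded strings point at PowerShell and a remote .hta payload.
Added example; the indicators follow the chain described in the article."""
import io
import re
import zipfile

# A .lnk file begins with HeaderSize 0x0000004C followed by the shell link
# CLSID {00021401-0000-0000-C000-000000000046} in little-endian byte order.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")

# Indicators drawn from the article's chain: shortcut -> PowerShell -> remote .hta.
INDICATORS = {
    "powershell": re.compile(r"powershell", re.I),
    "hta_payload": re.compile(r"\.hta\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")            # printable ASCII runs
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")     # printable UTF-16LE runs


def extract_strings(data: bytes) -> list[str]:
    """Return printable ASCII and UTF-16LE runs.  LNK string data (including the
    command-line arguments) is stored as UTF-16LE when the IsUnicode flag is set,
    so scanning only for ASCII would miss the interesting part."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(data)]
    return found


def is_lnk(name: str, data: bytes) -> bool:
    """Identify shortcuts by content as well as by name, so a renamed .lnk
    (for example one disguised as a .txt) is still inspected."""
    return data.startswith(LNK_MAGIC) or name.lower().endswith(".lnk")


def score_lnk(data: bytes) -> list[str]:
    """Return the indicator labels whose patterns match the shortcut's strings."""
    text = "\n".join(extract_strings(data))
    return [label for label, pattern in INDICATORS.items() if pattern.search(text)]


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Inspect every shortcut in the archive; two or more indicators mark it suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            data = archive.read(info.filename)
            if not is_lnk(info.filename, data):
                continue
            hits = score_lnk(data)
            findings.append({"name": info.filename,
                             "indicators": hits,
                             "suspicious": len(hits) >= 2})
    return findings


def _fake_lnk(command_line: str) -> bytes:
    """Constructed stand-in for a shortcut: valid magic, zero-filled remainder of
    the 76-byte header, then the command line as UTF-16LE.  Not a real .lnk."""
    header = LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))
    return header + command_line.encode("utf-16-le")


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the article's setup.zip.  The host name is a
    placeholder and the download command is elided; only the shape matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("setup.lnk", _fake_lnk(
            'powershell.exe <download-command> "http://malicious-host.invalid/system32.hta"'))
        # Benign control entry: a shortcut to a local program, no indicators.
        archive.writestr("readme.lnk", _fake_lnk("C:\\Windows\\System32\\notepad.exe"))
        archive.writestr("notes.txt", b"Installation instructions go here.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{finding['name']:<12} {flag:<10} {', '.join(finding['indicators'])}")
```

Run against a real archive by passing its bytes to `triage_zip`; the two-indicator threshold keeps an ordinary desktop shortcut out of the results while a shortcut that both launches PowerShell and names an .hta file is flagged. In a mail gateway or sandbox pipeline this is a cheap first filter before the shortcut is handed to a proper LNK parser.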


The Vidar malware can steal a range of data, including text files, passwords, and codes. In the case of Pixelmon NFT users, the threat operators aim to collect their cryptocurrency wallets and any files associated with NFTs.


The malicious Pixelmon NFT website has been observed to no longer distribute malware. However, researchers have recorded evidence that its operators modified the site in the past few days, including removing some of the payloads that were originally hosted there.

For this reason, security experts still expect the campaign to continue attacking victims.

The popularity of NFTs has become an avenue for hackers to spread malware and steal from victims. Experts remind users to verify a website's URL when visiting it and to be cautious about any file a site instructs them to download.
