Fake Phantom NFTs carried malware to steal from Solana users

October 11, 2022

Solana cryptocurrency owners are the recent targets of a new cyberattack campaign aiming to spread password-stealing malware to steal digital assets. The hackers in this new campaign send fake alerts via airdropping NFTs to the targets about a new Phantom wallet security update, luring them into installing malware on their devices.

The Solana crypto users receive fake alerts through NFTs which, once opened, inform them about a purported security update for the Phantom wallet. The users are then instructed to click the link attached to the alert to install the supposed update.

The crypto owners are also warned that failing to install the update may lead to the loss of funds to hackers exploiting the Solana network. Regardless of the device the target uses to open the link, it automatically downloads a Windows batch file (Phantom_Update_2022-10-08[.]bat) from Dropbox.

Upon launching the batch file, the process checks whether it is running with elevated admin privileges; if not, a Windows UAC prompt is displayed to ask for permission. Subsequently, a PowerShell script runs, decrypting the succeeding commands to be executed on the target’s device.

After some further commands, a windll32.exe executable is downloaded to a local folder on the device. This file is the password-stealing malware that the hackers use to steal the user’s browser data, including cookies, history, passwords, SSH keys, and more.
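The infection chain described above (a batch file launching PowerShell, which then drops windll32.exe) can be matched in endpoint telemetry. The following is an added detection example, not code from the article or from any vendor; it assumes Sysmon-style process-creation and file-creation fields, and the event records are constructed for illustration.

```python
"""Detection logic for the chain: .bat -> powershell.exe -> windll32.exe written to disk."""
from dataclasses import dataclass


@dataclass
class ProcEvent:          # Sysmon-style process creation (Event ID 1) fields
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class FileEvent:          # Sysmon-style file creation (Event ID 11) fields
    pid: int
    path: str


# Constructed sample telemetry for illustration; not real captured logs.
PROC_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\u\Downloads\Phantom_Update_2022-10-08.bat"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -NoProfile -Command "<decrypted stage, omitted>"'),
    ProcEvent(400, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile Get-Process"),   # an admin's interactive shell
]
FILE_EVENTS = [
    FileEvent(300, r"C:\Users\u\AppData\Local\windll32.exe"),   # the stealer drop
    FileEvent(400, r"C:\Users\u\Documents\procs.txt"),          # benign output file
]


def lineage(pid, by_pid):
    """Yield the process with this pid and each ancestor; stops at a missing parent."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid].ppid


def detect_chain(procs, files):
    """Return (bat_pid, powershell_pid, dropped_path) for each windll32.exe drop
    written by a PowerShell process whose ancestry includes a .bat invocation."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for f in files:
        if not f.path.lower().endswith("\\windll32.exe"):
            continue
        writer = by_pid.get(f.pid)
        if writer is None or not writer.image.lower().endswith("powershell.exe"):
            continue
        for ancestor in lineage(writer.ppid, by_pid):
            if ".bat" in ancestor.cmdline.lower():
                hits.append((ancestor.pid, writer.pid, f.path))
                break
    return hits
```

The benign PowerShell session (pid 400) is not flagged because it neither writes windll32.exe nor descends from a batch file.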


Experts have not yet determined which malware family is used in the recent fake Phantom NFTs campaign.


The unidentified malware in the recent fake Phantom NFTs campaign has been linked to the infamous MarsStealer info-stealing trojan, although security experts are still unsure about the association. MarsStealer can steal users’ data from all web browsers, 2FA plugins, and cryptocurrency wallets.

Nonetheless, even though the malware in this campaign has yet to be identified, crypto owners who have run the fake update file must scan their devices with trusted antivirus programs, transfer their crypto assets to a safer wallet, and change their passwords on every online platform where they have an account.
