The advent of blockchain technology gave rise to a new era of digital transformation. It has also opened a new attack surface for threat actors, who perpetually target cryptocurrency to make huge profits. In 2021, NFT became the new crypto lingo among netizens. FortiGuard Labs stumbled upon an Excel spreadsheet that, at first look, seemed to contain information related to NFTs. On further observation, the researchers found that it installs BitRAT.

Diving into details

  • Researchers couldn't determine the original source of the file, named NFT_Items.xlsm.
  • Of the two workbooks in the file, one is written in Hebrew.
  • This workbook includes legitimate Discord rooms related to NFTs, as well as names of NFTs and predictions for investment returns.
  • The attack abuses Discord to host its malicious files.
  • FortiGuard Labs confirmed that the attack probably targeted NFT enthusiasts in Israel.
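A triage check a defender could run on a workbook like the one described above, added here as an example and not taken from the FortiGuard Labs report: it flags macro parts in an OOXML file and any Discord attachment URLs stored in plain bytes. The function names, the host list and the sample workbook are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Discord attachment hosts. Assumption: the page names no URL, only that Discord hosted the files.
DISCORD_URL = re.compile(
    rb"https?://(?:cdn\.discordapp\.com|media\.discordapp\.net)/[^\s<>\x00\x22\x27]*"
)
MAX_PART_BYTES = 20 * 1024 * 1024  # skip oversized parts instead of inflating them


def triage_workbook(data: bytes) -> dict:
    """Report macro parts and Discord-hosted URLs found inside an OOXML workbook."""
    report = {"is_ooxml": False, "macro_parts": [], "discord_urls": [], "skipped": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report  # legacy binary .xls or not a workbook at all
    with archive:
        infos = archive.infolist()
        report["is_ooxml"] = any(i.filename == "[Content_Types].xml" for i in infos)
        for info in infos:
            if info.filename.lower().endswith("vbaproject.bin"):
                report["macro_parts"].append(info.filename)
            if info.file_size > MAX_PART_BYTES:
                report["skipped"].append(info.filename)
                continue
            for hit in DISCORD_URL.finditer(archive.read(info)):
                report["discord_urls"].append((info.filename, hit.group().decode("ascii", "replace")))
    return report


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a zip shaped like a workbook, with stub bytes, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr(
                "xl/vbaProject.bin",
                b"\x00stub\x00https://cdn.discordapp.com/attachments/0/0/PLACEHOLDER.bin\x00",
            )
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_workbook(build_sample(with_macro=True)))
```

The presence of a macro part is the stronger signal: VBA source inside a real vbaProject.bin is stored compressed, so URLs there may not match a raw byte search and need a tool such as olevba to extract.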

About BitRAT

  • First spotted in August 2020, BitRAT leverages Hidden VNC (HVNC), which allows remote access to the infected machine.
  • The malware got its HVNC code from TinyNuke.
  • The HVNC communication will fail if the traffic header is not AVE_MARIA.
  • BitRAT can evade UAC and Windows Defender. It can, furthermore, monitor the screen and webcam.
  • Other capabilities include stealing credentials from apps and browsers, using Slowloris for DDoS functionality, Monero mining, keystroke logging, and uploading and downloading additional files.

Some other threats to crypto

  • CoinStomp, a new malware, was targeting cloud services for cryptomining.
  • Mars Stealer, a redesign of the Oski malware, was found pilfering information from cryptocurrency wallets and extensions, as well as from several famous web browsers.
  • January saw the new BHUNT cryptostealer exfiltrating wallet content from Bitcoin, Ethereum, Exodus, Electrum, and Atomic.

The bottom line

NFT is a novel internet phenomenon and almost everyone is jumping on the bandwagon, including bad actors. Attackers use unique and attractive subjects as lures to entice victims into opening and installing malicious payloads, so standard security practices should be implemented.

Cyware Publisher