
Solana Phantom Security Update Spreads Info-Stealer to Steal Crypto

Cybercriminals have been observed airdropping malicious NFTs to Solana HODLers. The attackers are sending fake alerts for a Phantom security update that results in the installation of a password stealer.

Fake security update

The ongoing attack started around two weeks ago with fake Solana NFTs being sent to the potential victims.
  • The NFTs, named PHANTOMUPDATE[.]COM or UPDATEPHANTOM[.]COM, claimed to be an alert from the Phantom developers.
  • If these Solana NFTs are opened, the wallet owners are notified that a new security update has been released and are urged to click the link or visit the site to download and install it.
  • Upon visiting the fake sites, a Windows batch file is automatically downloaded. In initial campaigns, the site delivered a Phantom_Update_2022-10-04[.]exe file from Dropbox; in later campaigns, the file was named Phantom_Update_2022-10-08[.]bat.

Post-infection

  • When the batch file is executed, it checks whether it is running with admin privileges; if not, it triggers a Windows UAC prompt. If the prompt is accepted, a PowerShell script launches further commands.
  • The chain ends with a windll32[.]exe executable being downloaded from GitHub and then executed from the C:\Users\<username>\AppData\Local folder.
  • The windll32[.]exe file is a password stealer that attempts to collect browser data, including cookies, passwords and history, as well as SSH keys.
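The infection chain above (lure batch file, PowerShell, then windll32[.]exe run from AppData\Local) can be hunted in process-creation telemetry by walking each suspicious process's ancestry. The following is an added example, not Cyware's or Phantom's code: the record layout (pid, ppid, image, command_line) is an assumption loosely modelled on Sysmon Event ID 1, the regexes only use the file names given in the article, and the sample records are constructed.

```python
"""Hunt the Phantom 'security update' chain in process-creation records.
Added example, not Cyware's code; the record layout (pid, ppid, image,
command_line) is assumed, loosely after Sysmon Event ID 1; samples are constructed."""
import re
from typing import Dict, List

# File-name indicators from the write-up; the surrounding path is matched loosely.
LURE_RE = re.compile(r"Phantom_Update_\d{4}-\d{2}-\d{2}\.(?:bat|exe)\b", re.I)
STEALER_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\windll32\.exe$", re.I)

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def find_phantom_chains(records: List[Dict]) -> List[Dict]:
    """One finding per windll32.exe launch from AppData\\Local; confidence
    rises when the ancestry shows PowerShell and the Phantom_Update lure."""
    by_pid = {r["pid"]: r for r in records}
    findings = []
    for r in records:
        if not STEALER_RE.match(r["image"]):
            continue
        seen_powershell = seen_lure = False
        cur, hops = by_pid.get(r["ppid"]), 0
        while cur is not None and hops < 10:  # walk up, bounded against loops
            name = _basename(cur["image"])
            if name == "powershell.exe":
                seen_powershell = True
            elif name == "cmd.exe" and LURE_RE.search(cur["command_line"]):
                seen_lure = True
            cur, hops = by_pid.get(cur["ppid"]), hops + 1
        # UAC elevation can hide the true parent in some telemetry, so a lone
        # windll32.exe in AppData\Local is still reported, at low confidence.
        confidence = ("high" if seen_powershell and seen_lure
                      else "medium" if seen_powershell else "low")
        findings.append({"pid": r["pid"], "image": r["image"],
                         "powershell_parent": seen_powershell,
                         "lure_in_ancestry": seen_lure, "confidence": confidence})
    return findings

# Constructed records mirroring the article's chain: cmd.exe runs the
# downloaded .bat, which spawns PowerShell, which drops and runs windll32.exe.
SAMPLE_RECORDS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd /c "C:\Users\alice\Downloads\Phantom_Update_2022-10-08.bat"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\alice\AppData\Local\windll32.exe", "command_line": "windll32.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Users\alice\AppData\Local\windll32.exe", "command_line": "windll32.exe"},
]
```

Running `find_phantom_chains(SAMPLE_RECORDS)` reports pid 400 at high confidence (full lure, PowerShell, stealer lineage) and pid 500 at low confidence (stealer path only), which is the distinction an analyst needs when triaging hits.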

What to do?

Anyone who has installed the fake security update should scan their computer with an antivirus program, transfer all Solana funds and assets from their Phantom wallet to a new one, change their passwords on all sites, and enable 2FA wherever possible.
Cyware Publisher