Hackers are airdropping NFTs to Solana cryptocurrency users under the guise of security updates for the Phantom wallet, in order to steal cryptocurrency wallets and install password-stealing malware.
This ongoing attack began two weeks ago, with NFTs named ‘PHANTOMUPDATE.COM’ or ‘UPDATEPHANTOM.COM’ airdropped to wallets as if they were warnings from the Phantom developers. When the NFT is opened, the wallet owner is told that a new security update has been issued and that they should visit the website, or click the link included in the message, to download and install it.
“Phantom requires all users to update their wallets. This must be done as soon as possible,” reads the warning in the fake Phantom update NFT. “Failing to do so, may result in loss of funds due to hackers exploiting the Solana network. Visit www.updatePhantom.com to get the latest security update.”
When visited from any device, mobile or desktop, these websites automatically download a Windows batch file named Phantom_Update_2022-10-08.bat [VirusTotal] from Dropbox; earlier campaigns instead downloaded an executable named Phantom_Update_2022-10-04.exe. The batch file first checks whether it is already running with administrator rights, then displays a Windows UAC prompt requesting elevated permissions.
If the UAC prompt is accepted, a PowerShell script is launched that decrypts further commands to run on Windows. This can ultimately lead to the download and execution of the windll32.exe executable [VirusTotal] from the C:\Users\<username>\AppData\Local folder.
According to VirusTotal, windll32.exe is password-stealing malware that attempts to collect browser data, including history, cookies, and saved passwords, as well as SSH keys and other details. Although the precise password-stealing trojan now being distributed has not been identified, earlier campaigns distributed a file named lib64.exe [VirusTotal] that was identified as MarsStealer.
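As an added example that is not part of the article, the following Python script turns the indicators named above (the two lure domains, the Phantom_Update_<date>.bat/.exe lure files, the batch-to-PowerShell step, and windll32.exe or lib64.exe executing from AppData\Local) into simple detection rules and runs them over a constructed set of endpoint events. The event field names are loosely modelled on process-creation and DNS telemetry and are an assumption, as is the check for an encoded PowerShell command line; the article only says the script "decrypts further commands".

```python
"""Detection rules for the fake Phantom update chain, run over constructed events."""
import re
from dataclasses import dataclass

# Indicators taken from the article.
LURE_DOMAINS = {"phantomupdate.com", "updatephantom.com"}
DROPPED_FILES = {"windll32.exe", "lib64.exe"}
# Matches Phantom_Update_2022-10-08.bat, Phantom_Update_2022-10-04.exe, etc.
LURE_FILE_RE = re.compile(r"phantom_update_\d{4}-\d{2}-\d{2}\.(?:bat|exe)\b", re.I)
# The article says windll32.exe runs from C:\Users\<username>\AppData\Local.
LOCALAPPDATA_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\", re.I)
# Assumption: "decrypts further commands" is implemented as an encoded/base64 payload.
ENCODED_PS_RE = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\b|frombase64string", re.I)


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[Finding]:
    """Apply every rule to one event and return the findings (empty if benign)."""
    hits: list[Finding] = []
    if ev.get("type") == "dns":
        host = ev.get("query", "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host in LURE_DOMAINS:
            hits.append(Finding("lure_domain", ev["id"], host))
        return hits

    image = ev.get("image", "")
    cmd = ev.get("command_line", "")
    parent = ev.get("parent_image", "")
    name, parent_name = _basename(image), _basename(parent)

    # Rule: the downloaded lure file is executed (by name, in image or command line).
    if LURE_FILE_RE.search(image) or LURE_FILE_RE.search(cmd):
        hits.append(Finding("lure_batch", ev["id"], cmd or image))
    # Rule: the batch file (cmd.exe) spawns PowerShell with an encoded payload.
    if name == "powershell.exe" and parent_name == "cmd.exe" and ENCODED_PS_RE.search(cmd):
        hits.append(Finding("encoded_powershell_from_batch", ev["id"], cmd))
    # Rule: a known stealer file name runs directly from %LOCALAPPDATA%.
    if name in DROPPED_FILES and LOCALAPPDATA_RE.match(image):
        hits.append(Finding("stealer_from_localappdata", ev["id"], image))
    return hits


def scan(events: list[dict]) -> list[Finding]:
    return [f for ev in events for f in check_event(ev)]


def rules_fired(events: list[dict]) -> set[str]:
    """Distinct rules that fired; all four together reproduce the chain in the article."""
    return {f.rule for f in scan(events)}


# Constructed sample telemetry: events 1-4 follow the described chain, 5-6 are benign.
SAMPLE_EVENTS = [
    {"id": 1, "type": "dns", "query": "www.updatephantom.com",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'cmd.exe /c "C:\Users\alice\Downloads\Phantom_Update_2022-10-08.bat"'},
    {"id": 3, "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA..."},
    {"id": 4, "type": "process", "image": r"C:\Users\alice\AppData\Local\windll32.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"C:\Users\alice\AppData\Local\windll32.exe"},
    {"id": 5, "type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe notes.txt"},
    {"id": 6, "type": "dns", "query": "example.com",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] event {finding.event_id}: {finding.detail}")
```

Each rule on its own is a weak signal (a user can legitimately run an encoded PowerShell command), so the useful alert is the combination: a lure-domain lookup followed within minutes by the lure file, an elevated PowerShell child of cmd.exe, and an executable starting from the AppData\Local root on the same host.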
MarsStealer, a data-stealing malware program introduced in 2020, steals information from several cryptocurrency extensions and wallets, two-factor authentication plugins, and all widely used web browsers. This campaign’s objective is probably to obtain cryptocurrency wallets and passwords, enabling the threat actors to take all cryptocurrency funds and compromise the victim’s other accounts.
Victims of the fake Phantom security update should immediately run an antivirus scan on their computer and then move their cryptocurrency funds and assets from the old Phantom wallet to a new one. They should then change their passwords on all accounts, paying special attention to email accounts, bank accounts, online wallets, and other essential platforms. Finally, victims should use a different password for each site so that a credential breach at one site cannot be used to compromise others.