Solana Phantom Security Update NFTs Push Password-Stealing Malware
Hackers are dropping NFTs to Solana cryptocurrency owners claiming to be alerts for a new Phantom security update that leads to the installation of password-stealing malware and the theft of cryptocurrency wallets.
This ongoing attack began two weeks ago, with NFTs titled “PHANTOMUPDATE.COM” or “UPDATEPHANTOM.COM” being sent that purport to be warnings from Phantom developers.
When these NFTs are opened, wallet owners are told that a new security update has been released and that they should click the attached link or visit the site to download and install it.
“Phantom requires all users to update their wallets. This should be done as soon as possible,” reads the warning in the fake Phantom NFT update.
“Failure to do so may result in loss of funds due to hackers operating the Solana network. Visit www.updatePhantom.com for the latest security update.”

Source: BleepingComputer
When you visit these sites from any device (desktop or mobile), the site automatically downloads a Windows batch file named Phantom_Update_2022-10-08.bat [VirusTotal] from Dropbox. Previous campaigns downloaded executables named Phantom_Update_2022-10-04.exe.
When the batch file is launched, it checks to see if it is running with administrator privileges, and if not, displays a Windows UAC prompt asking for permissions.
If the UAC prompt is accepted, a PowerShell script will be launched which will decrypt other commands to run in Windows.
Ultimately, this leads to an executable named windll32.exe [VirusTotal] being downloaded from GitHub and run from the C:\Users folder.
According to VirusTotal, the windll32.exe file is password-stealing malware that attempts to steal browser information, such as history, cookies, and passwords, as well as SSH keys, passwords, and other information.
Although it is unclear which specific password-stealing Trojan is currently being distributed, previous campaigns have distributed a file named lib64.exe [VirusTotal], which has been identified as MarsStealer.
MarsStealer is information-stealing malware released in 2020 that steals data from all popular web browsers, two-factor authentication plugins, and several cryptocurrency extensions and wallets.
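As an added defensive example (not from the original article or from BleepingComputer), the following Python triage routine flags the artifacts this campaign leaves as described above: the two lure domains, the dated Phantom_Update_*.bat/.exe dropper name (generalised here to any date), and the windll32.exe / lib64.exe payloads under C:\Users. The event format and the sample entries are constructed for illustration, not real telemetry.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicators taken from the article; the date in the dropper name is
# generalised to any YYYY-MM-DD so later waves with a new date still match.
LURE_DOMAINS = {"phantomupdate.com", "updatephantom.com"}
LURE_FILE_RE = re.compile(r"^phantom_update_\d{4}-\d{2}-\d{2}\.(bat|exe)$", re.I)
PAYLOAD_NAMES = {"windll32.exe", "lib64.exe"}


@dataclass
class Finding:
    stage: str   # "lure-site", "dropper" or "stealer"
    detail: str  # the URL or path that matched


def _host_of(url: str) -> str:
    """Return the lowercase host part of a URL or bare hostname."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.I)
    return host.split("/")[0].split(":")[0].lower()


def lure_domain_hit(url: str) -> bool:
    host = _host_of(url)
    return any(host == d or host.endswith("." + d) for d in LURE_DOMAINS)


def lure_file_hit(path: str) -> bool:
    return bool(LURE_FILE_RE.match(PureWindowsPath(path).name))


def payload_hit(path: str) -> bool:
    """windll32.exe / lib64.exe written anywhere under a user profile."""
    p = PureWindowsPath(path)
    if p.name.lower() not in PAYLOAD_NAMES:
        return False
    return "users" in [part.lower() for part in p.parts]


def triage(events):
    """events: iterable of (kind, value), kind being 'url' or 'file'."""
    findings = []
    for kind, value in events:
        if kind == "url" and lure_domain_hit(value):
            findings.append(Finding("lure-site", value))
        elif kind == "file" and lure_file_hit(value):
            findings.append(Finding("dropper", value))
        elif kind == "file" and payload_hit(value):
            findings.append(Finding("stealer", value))
    return findings


# Constructed sample telemetry mixing benign and suspicious entries.
SAMPLE_EVENTS = [
    ("url", "https://phantom.app/"),
    ("url", "http://www.updatePhantom.com/"),
    ("file", r"C:\Users\alice\Downloads\Phantom_Update_2022-10-08.bat"),
    ("file", r"C:\Windows\System32\cmd.exe"),
    ("file", r"C:\Users\alice\windll32.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.stage}: {f.detail}")
```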
The objective of this campaign is likely to steal cryptocurrency wallets and passwords which would allow threat actors to steal all crypto funds and compromise other accounts belonging to the victim.
Victims who have installed the fake Phantom security update should immediately scan their computer with an antivirus program and then transfer funds and crypto assets from their existing Phantom wallet to a new one.
Next, victims should change their passwords on all the sites they use, focusing on cryptocurrency trading platforms, online wallets, bank accounts, email, and other sensitive services.
Finally, victims should use a unique password for each site they visit, so that credentials leaked from one site cannot be used to access others.