"Update on Solana Phantom's Security NFTs Spread Malware That Steals Passwords"

Hackers are airdropping Non-Fungible Tokens (NFTs) to Solana cryptocurrency users under the guise of security updates for the Phantom wallet in order to steal cryptocurrency wallets and install password-stealing malware. The attack recently began, with NFTs named 'PHANTOMUPDATE.COM' and 'UPDATEPHANTOM.COM' sent as purported warnings from Phantom developers. When wallet owners open the NFTs, they are told that a new security update has been issued and are encouraged to visit the website or click the link in the message to download and install it.

When accessed, these websites download a Windows batch file named "Phantom_Update_2022-10-08.bat" from Dropbox. The batch file first checks whether it is running with administrator privileges and then displays a Windows User Account Control (UAC) prompt requesting elevated permissions. If the UAC prompt is approved, it launches a PowerShell script that decrypts additional commands for Windows to execute. According to VirusTotal, the downloaded windll32.exe program is a password stealer that attempts to collect browser data such as history, cookies, and passwords, as well as SSH keys and other details.

Although the exact password-stealing Trojan currently being spread is unknown, previous campaigns distributed a file named "lib64.exe," which was identified as MarsStealer. MarsStealer, a data-stealing malware program first discovered in 2020, steals information from various cryptocurrency extensions and wallets, two-factor authentication (2FA) plugins, and popular web browsers. The goal of this campaign is most likely to obtain cryptocurrency wallets and passwords, allowing threat actors to steal cryptocurrency funds and compromise the victim's other accounts.

This article continues to discuss hackers airdropping NFTs to Solana cryptocurrency owners pretending to be alerts for a new Phantom security update, which leads to the installation of password-stealing malware and the theft of cryptocurrency wallets.
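The execution chain described above (a downloaded .bat file, an elevated PowerShell stage, and a dropped executable in a user-writable directory) is the kind of parent/child process pattern a defender can hunt for in endpoint telemetry. The following is an added detection example, not code from the article or from Phantom; the process-creation event records are constructed for illustration, the field names (`ts`, `pid`, `ppid`, `image`, `cmdline`, `elevated`) are assumptions rather than any real sensor's schema, and the only indicators it matches are the file and domain names quoted in the article.

```python
"""Hunt for the fake Phantom-update chain in process-creation events.

Added example: flags (1) any event mentioning an indicator named in the
article and (2) the structural chain cmd.exe running a .bat -> suspicious or
elevated powershell.exe -> executable launched from a user-writable path.
The event schema and all sample events below are constructed, not real
telemetry.
"""
import re
from collections import defaultdict

# Indicators taken from the article text (lower-cased for matching)
IOC_DOMAINS = {"phantomupdate.com", "updatephantom.com"}
IOC_FILES = {"phantom_update_2022-10-08.bat", "windll32.exe", "lib64.exe"}

BAT_RE = re.compile(r"\.bat\b", re.IGNORECASE)
# PowerShell launched hidden or with an encoded command is a common loader pattern
PS_SUSPICIOUS_RE = re.compile(r"-(enc|encodedcommand|w(indowstyle)?\s+hidden)", re.IGNORECASE)
# Executables running from locations a non-admin user can write to
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)

# Constructed sample events (assumed schema; the encoded command is a placeholder)
EVENTS = [
    {"ts": 1, "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "elevated": False},
    {"ts": 2, "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\Downloads\Phantom_Update_2022-10-08.bat"',
     "elevated": False},
    {"ts": 3, "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand PLACEHOLDER",
     "elevated": True},
    {"ts": 4, "pid": 400, "ppid": 300,
     "image": r"C:\Users\u\AppData\Local\Temp\windll32.exe",
     "cmdline": "windll32.exe", "elevated": True},
    # Benign: a developer running a build script, no PowerShell stage
    {"ts": 5, "pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c build.bat", "elevated": False},
    {"ts": 6, "pid": 600, "ppid": 500, "image": r"C:\tools\make.exe",
     "cmdline": "make.exe all", "elevated": False},
]


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ioc_hits(events):
    """Return (pid, indicator) pairs for events whose image or command line
    contains one of the article's indicators."""
    hits = []
    for e in events:
        text = (e["image"] + " " + e["cmdline"]).lower()
        for ioc in sorted(IOC_DOMAINS | IOC_FILES):
            if ioc in text:
                hits.append((e["pid"], ioc))
    return hits


def find_update_chains(events):
    """Return (cmd_pid, powershell_pid, payload_pid) triples matching the
    .bat -> elevated/hidden PowerShell -> user-writable executable chain.
    This is indicator-independent, so it also catches renamed payloads."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    chains = []
    for root in events:
        if basename(root["image"]) != "cmd.exe" or not BAT_RE.search(root["cmdline"]):
            continue
        for ps in children[root["pid"]]:
            if basename(ps["image"]) != "powershell.exe":
                continue
            if not (ps["elevated"] or PS_SUSPICIOUS_RE.search(ps["cmdline"])):
                continue
            for payload in children[ps["pid"]]:
                if USER_WRITABLE_RE.search(payload["image"]):
                    chains.append((root["pid"], ps["pid"], payload["pid"]))
    return chains


if __name__ == "__main__":
    print("IOC hits:", ioc_hits(EVENTS))
    print("Chains:", find_update_chains(EVENTS))
```

The structural rule in `find_update_chains` is the more durable of the two checks: the file and domain names in this campaign will change, but a batch file spawning an elevated PowerShell that in turn launches a binary from Temp or AppData is behaviour that ordinary software updates rarely exhibit, so it is worth alerting on regardless of the indicator list.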

CyberIntelMag reports "Update on Solana Phantom’s Security NFTs Spread Malware That Steals Passwords"

Submitted by Anonymous on