Solana Phantom security update NFTs push password-stealing malware

Hackers are airdropping NFTs to Solana cryptocurrency owners pretending to be alerts for a new Phantom security update that lead to the installation of password-stealing malware and the theft of cryptocurrency wallets.

This ongoing attack started two weeks ago, with NFTs titled ‘PHANTOMUPDATE.COM’ or ‘UPDATEPHANTOM.COM’ sent that claim to be warnings from the developers of Phantom.

When opening the NFTs, wallet owners are told that a new security update has been released and that they should click the enclosed link or visit the site to download and install it.

“Phantom requires all users to update their wallets. This must be done as soon as possible,” reads the warning in the fake Phantom update NFT.

“Failing to do so, may result in loss of funds due to hackers exploiting the Solana network. Visit www.updatePhantom.com to get the latest security update.”

When visiting these sites from any device (desktop or mobile), the site automatically downloads a Windows batch file named Phantom_Update_2022-10-08.bat [VirusTotal] from DropBox. Previous campaigns were downloading executables named Phantom_Update_2022-10-04.exe.

When the batch file is launched, it will check if it is running with Administrator privileges and, if not, show a Windows UAC prompt asking for permissions.

If the UAC prompt is accepted, a PowerShell script will be launched that decrypts further commands to execute in Windows.

Ultimately, this will lead to a windll32.exe executable [VirusTotal] being downloaded from GitHub and executed from the C:Users<username>AppDataLocal folder.

According to VirusTotal, the windll32.exe file is a password-stealing malware that attempts to steal browser information, such as history, cookies, and passwords, as well as SSH keys and other information. 

While it is unclear what specific password-stealing trojan is currently being spread, previous campaigns distributed a file name lib64.exe [VirusTotal], which was identified as MarsStealer.

MarsStealer is an information-stealing malware launched in 2020 and steals data from all popular web browsers, two-factor authentication plugins, and multiple cryptocurrency extensions and wallets.

The goal of this campaign is likely to steal cryptocurrency wallets and passwords that would allow the threat actors to steal all crypto funds and compromise other accounts belonging to the victim.

Victims who installed the fake Phantom security update should immediately scan their computer with an antivirus program and then transfer crypto funds and assets from their existing Phantom wallet to a new one.

Next, victims should change their passwords on all sites they use, focusing on cryptocurrency trading platforms, online wallets, bank accounts, email, or other sensitive platforms.

Ultimately, victims should change their password to a unique one for every site they visit to prevent credential leaks at one site from affecting other sites.