Cybersecurity researchers have shared details of a malware campaign targeting Ethereum, XRP and Solana users.
The attack is aimed mainly at users of the Atomic and Exodus wallets and is delivered through compromised Node Package Manager (npm) packages.
Once in place, it redirects transactions to attacker-controlled addresses without the wallet owner's knowledge.
The attack begins when developers unknowingly install trojanized npm packages in their projects. Researchers identified "pdf-to-office" as a compromised package that appears legitimate but contains hidden malicious code.
Once installed, the package scans the system for installed cryptocurrency wallets and injects malicious code that intercepts transactions.
'Escalation in targeting'
"This latest campaign represents an escalation in the continuous targeting of cryptocurrency users through software supply chain attacks," the researchers said in their report.
The malware can redirect transactions in multiple cryptocurrencies, including Ethereum (ETH), Tron-based USDT, XRP (XRP) and Solana (SOL).
ReversingLabs identified the campaign through its analysis of suspicious npm packages, detecting multiple indicators of malicious behavior, including suspicious URL connections and code patterns that match previously identified threats. Its technical examination reveals a multi-stage attack that uses advanced obfuscation techniques to evade detection.
The infection process begins when the malicious package executes its payload, which searches for wallet software installed on the system. The code specifically looks for the wallets' application files at certain known paths.
Once located, the malware extracts the application archive. The code creates temporary directories, unpacks the application's files, injects the malicious code, and then repackages everything so that the installation looks untouched.
The malware modifies the transaction-handling code so that legitimate wallet addresses are replaced with attacker-controlled ones, which are stored in the injected code as base64-encoded strings rather than in plain text.
For example, when a user tries to send ETH, the code replaces the recipient's address with an attacker's address decoded from a base64 string at the moment the transaction is built.
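To make the two steps above concrete (the swap inside the transaction-handling code, and the base64 hiding of the attacker's addresses), here is an added JavaScript example. It is not ReversingLabs' code and not code from the malicious package: the wallet's transaction builder is a hypothetical stand-in, the addresses are constructed placeholders, and the "bundle" it scans is a fabricated fragment. The second half shows the check a practitioner would want: a scanner that walks a wallet's JavaScript bundle, decodes every base64-looking literal, and reports those that decode to something shaped like an ETH, Tron, XRP or Solana address.

```javascript
// Added example, not code from ReversingLabs or from the malicious package.
// Part 1 models the address-swapping hook described in the report.
// Part 2 is a scanner for base64 literals that decode to wallet addresses.
// Every address below is a constructed placeholder, not a real attacker address.

const PLACEHOLDER = {
  ETH: "0x" + "a".repeat(40),   // 0x followed by 40 hex characters
  TRX: "T" + "A".repeat(33),    // Tron: T followed by 33 base58 characters
  XRP: "r" + "A".repeat(32),    // XRP: r followed by 25..34 base58 characters
  SOL: "A".repeat(44),          // Solana: 32..44 base58 characters
};

// The attacker addresses live in the injected code as base64 strings, so a
// plain grep for "0x..." or "r..." over the bundle finds nothing; the real
// address only appears in memory when a transaction is built.
const ATTACKER_B64 = Object.fromEntries(
  Object.entries(PLACEHOLDER).map(([k, v]) => [k, Buffer.from(v).toString("base64")])
);

// ---- Part 1: the swap -------------------------------------------------------

// Hypothetical stand-in for a wallet's transaction builder.
function buildTx(asset, to, amount) {
  return { asset, to, amount };
}

// Same signature as buildTx, but the recipient is overwritten with the
// attacker's address decoded from base64 at call time. The form field the
// user filled in is untouched, which is why the wallet UI still looks normal.
function buildTxHooked(asset, to, amount) {
  const tx = buildTx(asset, to, amount);
  const encoded = ATTACKER_B64[asset];
  if (encoded) tx.to = Buffer.from(encoded, "base64").toString("utf8");
  return tx;
}

// ---- Part 2: the check ------------------------------------------------------

// Address shapes per chain. Order matters: a Tron or XRP address is also a
// valid base58 string of Solana length, so the more specific patterns come
// first and the first match wins.
const ADDRESS_PATTERNS = [
  ["ETH", /^0x[0-9a-fA-F]{40}$/],
  ["TRX", /^T[1-9A-HJ-NP-Za-km-z]{33}$/],
  ["XRP", /^r[1-9A-HJ-NP-Za-km-z]{24,34}$/],
  ["SOL", /^[1-9A-HJ-NP-Za-km-z]{32,44}$/],
];

// Quoted literals that look like base64 and are long enough to hold an address.
const B64_LITERAL = /["'`]([A-Za-z0-9+\/]{20,}={0,2})["'`]/g;

// Decode every base64-looking literal in a JavaScript source string and
// report the ones that decode to an address-shaped value.
function findHiddenAddresses(source) {
  const hits = [];
  for (const m of source.matchAll(B64_LITERAL)) {
    const decoded = Buffer.from(m[1], "base64").toString("utf8");
    for (const [chain, re] of ADDRESS_PATTERNS) {
      if (re.test(decoded)) {
        hits.push({ chain, literal: m[1], address: decoded });
        break;
      }
    }
  }
  return hits;
}

// Constructed bundle fragment: two hidden addresses plus one harmless base64
// string, to show that the scanner does not flag every long literal.
const SAMPLE_BUNDLE = [
  "function sendEth(t){return buildTx('ETH',t)}",
  `var k="${ATTACKER_B64.ETH}";`,
  `var j='${ATTACKER_B64.SOL}';`,
  `var msg="${Buffer.from("Hello world, this is not an address").toString("base64")}";`,
].join("\n");

console.log(buildTxHooked("ETH", "0x" + "b".repeat(40), "1.0"));
console.log(findHiddenAddresses(SAMPLE_BUNDLE));
```

To use the scanner on a real installation, unpack the wallet's application archive to a temporary directory, read each `.js` file into a string and pass it to `findHiddenAddresses`. A hit is not proof of compromise on its own (some legitimate code embeds test vectors), so compare the flagged file against the same file from a freshly downloaded copy of the wallet before drawing conclusions.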
The impact of this malware can be severe because transactions appear normal in the wallet interface while the funds are sent to the attackers.
Users get no visual indication that their transactions have been tampered with until they look up the transaction on the blockchain and discover that the funds went to an unexpected address.