Criminals have been airdropping NFTs to Solana users under the pretense of security updates for the Phantom wallet, using them to install password-stealing malware and drain cryptocurrency wallets.
Starting a couple of weeks ago, NFTs titled “PHANTOMUPDATE.COM” and “UPDATEPHANTOM.COM” have been sent to Solana wallets, posing as an alert from Phantom’s developers.
When wallet owners open the NFT, they are told that a security update has been released and that they must visit the named website, or click the link in the message, to download and install it.
“Phantom demands an update of the wallet on all accounts. This must be completed within the shortest time possible,” reads the warning message in the fake Phantom Update NFT.
When visited from any device (desktop or mobile), the websites automatically download a Windows batch file named Phantom Update 2022-10-08.bat [VirusTotal] from Dropbox. Earlier versions of the campaign instead downloaded executables named Phantom Update 2022-10-04.exe.
When run, the batch file checks whether it is running with Administrator rights and, if not, displays a Windows UAC prompt requesting them.
The windll32.exe payload, according to VirusTotal, is a password-stealing trojan that attempts to collect browser data, including cookies, history and passwords, as well as SSH keys and other data.
While the precise family of the trojan currently being distributed is unclear, earlier campaigns distributed a file named lib64.exe [VirusTotal] that was later identified as MarsStealer.
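For defenders, the chain above (lure domain, batch file fetched from Dropbox, batch file executed, stealer executed) maps neatly onto DNS, proxy and process-creation telemetry. The following is an added example, not code from the article or from Phantom, that hunts for the indicators the article names in a constructed log. The log format (`time|source|host|key=value...`), the host names and the Dropbox paths are assumptions made for the example; the domains and file names are the ones reported above, and a real campaign will rotate them, so treat the lists as a starting point.

```python
"""Hunt endpoint/proxy logs for the fake 'Phantom Update' NFT infection chain."""
from collections import defaultdict
from urllib.parse import unquote, urlparse
import ntpath
import posixpath

# Indicators reported in the article (domains and file names, compared case-insensitively).
LURE_DOMAINS = {"phantomupdate.com", "updatephantom.com"}
DROPPER_NAMES = {"phantom update 2022-10-08.bat", "phantom update 2022-10-04.exe"}
PAYLOAD_NAMES = {"windll32.exe", "lib64.exe"}

# Constructed sample log (assumption: not a real product format).
# Fields: time|source|host|key=value|key=value...
SAMPLE_LOG = """\
2022-10-09T10:01:02Z|dns|ws-17|query=updatephantom.com
2022-10-09T10:01:05Z|proxy|ws-17|url=https://www.dropbox.com/s/example/Phantom%20Update%202022-10-08.bat?dl=1
2022-10-09T10:01:40Z|process|ws-17|image=C:\\Users\\a\\Downloads\\Phantom Update 2022-10-08.bat|parent=explorer.exe
2022-10-09T10:01:41Z|process|ws-17|image=C:\\Windows\\System32\\cmd.exe|parent=explorer.exe
2022-10-09T10:02:10Z|process|ws-17|image=C:\\Users\\a\\AppData\\Local\\Temp\\windll32.exe|parent=cmd.exe
2022-10-09T10:05:00Z|dns|ws-22|query=phantom.app
2022-10-09T10:06:00Z|proxy|ws-22|url=https://www.dropbox.com/s/other/report.pdf?dl=1
2022-10-09T10:07:00Z|process|ws-22|image=C:\\Windows\\System32\\cmd.exe|parent=explorer.exe
2022-10-09T10:09:00Z|dns|ws-30|query=phantomupdate.com
"""


def parse_line(line):
    """Split one log line into (time, source, host, {key: value})."""
    time, source, host, *kvs = line.split("|")
    fields = dict(kv.split("=", 1) for kv in kvs)  # split on first '=' so URLs keep their query string
    return time, source, host, fields


def basename_of_url(url):
    """Decoded, lower-cased file name from a URL path ('%20' -> ' ')."""
    return unquote(posixpath.basename(urlparse(url).path)).lower()


def classify(source, fields):
    """Map a log event to a stage of the chain, or None if it is benign."""
    if source == "dns" and fields.get("query", "").lower() in LURE_DOMAINS:
        return "lure_domain"
    if source == "proxy":
        url = fields.get("url", "")
        if "dropbox.com" in urlparse(url).netloc.lower() and basename_of_url(url) in DROPPER_NAMES:
            return "dropper_download"
    if source == "process":
        name = ntpath.basename(fields.get("image", "")).lower()
        if name in DROPPER_NAMES:
            return "dropper_exec"
        if name in PAYLOAD_NAMES:
            return "stealer_exec"
    return None


def hunt(log_text):
    """Return {host: {stage: time_first_seen}} for every host with at least one hit."""
    stages = defaultdict(dict)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        time, source, host, fields = parse_line(raw)
        stage = classify(source, fields)
        if stage and stage not in stages[host]:
            stages[host][stage] = time
    return dict(stages)


def severity(host_stages):
    """Execution of the dropper or the stealer means credentials and seed phrases must be rotated."""
    if "stealer_exec" in host_stages or "dropper_exec" in host_stages:
        return "high"
    if "dropper_download" in host_stages:
        return "medium"
    return "low"  # only resolved/visited the lure domain


def report(log_text):
    """Per-host stages in time order plus a triage severity."""
    return {host: {"stages": sorted(s, key=s.get), "severity": severity(s)}
            for host, s in hunt(log_text).items()}


if __name__ == "__main__":
    for host, info in report(SAMPLE_LOG).items():
        print(host, info["severity"], " -> ".join(info["stages"]))
```

The severity levels are deliberately coarse: a host that merely resolved the lure domain (ws-30) is a user-awareness case, while a host where the batch file or windll32.exe ran (ws-17) should be treated as compromised, with browser credentials, SSH keys and any seed phrase stored on it considered stolen. Note that a proxy log only sees the Dropbox fetch if TLS is inspected, so the process-creation events are the more reliable signal.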