Crypto Holders Beware! New Malware Drains ETH, SOL, XRP Wallets

Malware operations targeting holders of Ethereum, XRP, and Solana cryptocurrencies have been exposed by cybersecurity researchers. The threat attacks Atomic and Exodus wallet owners by using compromised software packages installed by developers unaware of the malware contained in the code.

The malware, upon execution, is able to send cryptocurrency to thief-held addresses with no indication on the wallet owner.

How The Attack Works

Researchers say the attack starts when developers unwittingly include hacked node package manager (NPM) packages in their projects. One such package named “pdf-to-office” appears genuine on the surface but conceals malicious code within.

The package searches computers for installed crypto wallets and then injects code that intercepts transactions. This enables criminals to steal money without the user’s awareness or permission.

Multiple Cryptocurrencies At Risk

Security researchers have concluded that the malware can divert transactions on multiple of the world’s leading cryptocurrencies. They include Ethereum, USDT, XRP and Solana. The attack is what researchers identify as “an escalation in the ongoing targeting of cryptocurrency users through software supply chain attacks.”

Technical Details Reveal Sophisticated Methods

ReversingLabs discovered the campaign by scanning for suspicious NPM packages. Their analysis revealed several warning signs such as suspicious URL associations and code structures matching well-known threats.

The attack employs sophisticated techniques for evasion from security tools and is multi-stage in nature. The infection begins when the malware package executes its code aimed at wallet software on the target’s machine. It specifically looks for application files in some of the predetermined paths before injecting its malicious code.

No Visual User Warning Signs

According to reports, this malware’s effect can be catastrophic since transactions appear absolutely normal on the wallet interface. The code substitutes valid recipient addresses with attacker-controlled addresses through base64 encoding.

For instance, when a user attempts to send ETH, the malware substitutes the recipient address with the attacker’s address, which is concealed in encoded form. Users have no visual clue that anything is wrong until they check the blockchain record afterward and discover their money went to an unexpected address.

The security threat indicates increased harm to cryptocurrency owners who might not be aware their transactions are compromised until funds go missing. The modus operandi of the attack is evidence of how hackers keep coming up with new methods of pilfering digital assets.

Cryptocurrency users should be extremely cautious when verifying all transaction addresses. Developers are also advised to double-check the security of any packages they install on cryptocurrency-related projects.

Featured image from Enterprise Networking Planet, chart from TradingView