Fake Solana Wallet Security Alert

  • Cybercriminals are airdropping NFTs to Solana cryptocurrency users under the guise of a notification about a new Phantom security update.
  • Victims are also advised to change their passwords on all sites they use, focusing on cryptocurrency trading platforms.

Hackers are airdropping nonfungible tokens (NFTs) to Solana cryptocurrency users, disguised as notifications of a new Phantom security update, with the intention of stealing their digital assets. The hackers claim to be from the Phantom team and use NFTs titled ‘PHANTOMUPDATE.COM’ or ‘UPDATEPHANTOM.COM’, according to BleepingComputer.

Upon opening the NFT, users are alerted that a new security update has been issued for the Phantom wallet and can be downloaded using the enclosed link or the listed website: “Visit www.updatePhantom.com to get the latest security update.”

The malware campaign began two weeks ago. The swindlers deliberately create urgency and pressure by displaying the following message:

“Phantom requires all users to update their wallets. This must be done as soon as possible; failing to do so may result in a loss of funds due to hackers exploiting the Solana network,” reads the warning in the fake Phantom update NFT.

When visiting this webpage from any device (desktop or mobile), the site automatically downloads a Windows batch file named Phantom_Update_2022-10-08.bat [VirusTotal] from Dropbox. Previous campaigns downloaded executables named Phantom_Update_2022-10-04.exe.

When the batch file is initiated, it will check if it is running with administrator privileges and, if not, show a Windows UAC prompt asking for permissions.

If the UAC prompt is accepted, a PowerShell script will be launched that decrypts further commands to execute in Windows.

Ultimately, this will lead to a windll32.exe executable [VirusTotal] being downloaded from GitHub and executed from the C:\Users\<username>\AppData\Local folder.

According to VirusTotal, the windll32.exe file is a password-stealing malware that attempts to steal browser information, such as history, cookies, and passwords, as well as SSH keys and other information.
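As an added illustration (not code from the article or from BleepingComputer), the following Python checks constructed Sysmon-style process-creation events for the three stages of the chain described above: the Phantom_Update_*.bat lure, a PowerShell child of cmd.exe launched with an encoded command line (an assumption about how the “decrypted further commands” would appear in telemetry), and an executable run directly from a user’s AppData\Local folder. The event format, user name and encoded payload are made up.

```python
"""Flag the fake-Phantom-update infection chain in process-creation logs."""
import re

# Constructed Sysmon-style process-creation events (not real telemetry);
# the user name and the encoded PowerShell payload are placeholders.
EVENTS = [
    {"image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\Phantom_Update_2022-10-08.bat"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand UABMAEEAQwBFAA=="},
    {"image": r"C:\Users\alice\AppData\Local\windll32.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "windll32.exe"},
    {"image": r"C:\Program Files\Git\cmd\git.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "git pull"},
]

# Stage 1: the dated lure file name used by this campaign (.bat now, .exe earlier).
LURE_NAME = re.compile(r"Phantom_Update_\d{4}-\d{2}-\d{2}\.(?:bat|exe)", re.I)
# Stage 2: PowerShell started with an encoded command (assumed form of the hidden payload).
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I)
# Stage 3: an .exe sitting directly in <user>\AppData\Local (not in a subfolder).
LOCAL_APPDATA_EXE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\[^\\]+\.exe$", re.I)


def is_exe(path, name):
    """True if the path ends with the given executable file name (case-insensitive)."""
    return path.lower().endswith("\\" + name)


RULES = {
    "phantom_update_lure": lambda e: bool(LURE_NAME.search(e["cmdline"])),
    "encoded_powershell_from_cmd": lambda e: is_exe(e["image"], "powershell.exe")
        and is_exe(e["parent"], "cmd.exe") and bool(ENCODED_PS.search(e["cmdline"])),
    "exe_in_local_appdata_root": lambda e: bool(LOCAL_APPDATA_EXE.match(e["image"])),
}


def classify(event):
    """Return the names of every rule a single event matches."""
    return [name for name, pred in RULES.items() if pred(event)]


def scan(events):
    """Return {event index: matched rule names} for events that match at least one rule."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}


if __name__ == "__main__":
    for i, rules in scan(EVENTS).items():
        print(f"event {i}: {EVENTS[i]['image']} -> {', '.join(rules)}")
```

Each stage alone is a weak signal (encoded PowerShell and executables under AppData are common in benign software), so correlate the three on one host before treating it as a confirmed infection.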

MarsStealer is information-stealing malware, first seen in 2020, that steals data from all popular web browsers, two-factor authentication plugins, and multiple cryptocurrency extensions and wallets.

The goal of this campaign is likely to steal cryptocurrency wallets and passwords that would allow the threat actors to steal all crypto funds and compromise other accounts belonging to the victim.

Victims who installed the fake Phantom security update should immediately scan their computer with an antivirus program and then transfer crypto funds and assets from their existing Phantom wallet to a new one.

Victims are also advised to change their passwords on all sites they use, focusing on cryptocurrency trading platforms, online wallets, bank accounts, email, or other sensitive platforms.

To prevent a credential breach at one site from affecting other sites, victims should ultimately reset their passwords for every website they frequent.
