Crypto malware silently steals ETH, XRP, SOL from wallets



Cybersecurity researchers shared the details of a malicious software campaign targeting Ethereum, XRP and Solana.

The attack mainly targets Atomic and Exodus wallet users via Node Package Manager (NPM) packages.

The malware then redirects transactions to attacker-controlled addresses without the wallet owner's knowledge.

The attack begins when developers unknowingly install trojanized NPM packages into their projects. Researchers identified “PDF-Office” as a compromised package that appears legitimate but contains hidden malicious code.

Once installed, the package scans the system for installed cryptocurrency wallets and injects malicious code that intercepts transactions.

“Escalation in targeting”

“This latest campaign represents an escalation in the ongoing targeting of cryptocurrency users through software supply chain attacks,” the researchers noted in their report.

The malware can redirect transactions on several cryptocurrencies, including Ethereum (ETH), Tron-based USDT, XRP (XRP), and Solana (SOL).

ReversingLabs identified the campaign through its analysis of suspicious NPM packages and detected several malware indicators, including suspicious URL connections and code patterns matching previously identified threats. Their technical examination reveals a multi-stage attack that uses advanced obfuscation techniques to evade detection.

The infection process begins when the malicious package runs its payload targeting wallet software installed on the system. The code specifically searches for application files in certain paths.

Once located, the malware extracts the application archives. This is done by code that creates temporary directories, extracts the application files, injects the malicious code, then repackages everything so that it appears normal.

The malware modifies the transaction-handling code to replace legitimate wallet addresses with attacker-controlled addresses stored using base64 encoding.

For example, when a user tries to send ETH, the code replaces the recipient's address with an attacker address decoded from a base64 string.
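Hiding the substituted address as a base64 string keeps it out of plain-text searches, but the decoded value still has the recognisable shape of a blockchain address. The following is an added example, not code from the article or from ReversingLabs: it scans JavaScript source for base64 literals and flags any that decode to an address-shaped string for the chains the article names (ETH, Tron, XRP, Solana). The sample source and the placeholder addresses it contains are constructed for the demonstration.

```javascript
// Added example: find base64 literals in JavaScript source that decode to
// cryptocurrency-address-shaped strings. Order matters: the Tron and XRP
// shapes are also valid base58, so they are tested before the generic Solana shape.
const ADDRESS_SHAPES = {
  ETH: /^0x[0-9a-fA-F]{40}$/,
  TRON: /^T[1-9A-HJ-NP-Za-km-z]{33}$/,
  XRP: /^r[1-9A-HJ-NP-Za-km-z]{24,34}$/,
  SOL: /^[1-9A-HJ-NP-Za-km-z]{32,44}$/,
};

// Quoted base64 literals long enough to hold an address (20+ chars ≈ 15+ bytes).
const B64_LITERAL = /["'`]([A-Za-z0-9+/]{20,}={0,2})["'`]/g;

function classifyAddress(text) {
  for (const [chain, re] of Object.entries(ADDRESS_SHAPES)) {
    if (re.test(text)) return chain;
  }
  return null;
}

function findHiddenAddresses(source) {
  const hits = [];
  for (const m of source.matchAll(B64_LITERAL)) {
    const literal = m[1];
    const decoded = Buffer.from(literal, 'base64').toString('utf8');
    // Round-trip check (ignoring padding) drops literals that are not real base64.
    const reencoded = Buffer.from(decoded, 'utf8').toString('base64');
    if (reencoded.replace(/=+$/, '') !== literal.replace(/=+$/, '')) continue;
    const chain = classifyAddress(decoded);
    if (chain) hits.push({ chain, decoded, literal });
  }
  return hits;
}

// Constructed placeholders, not real addresses: they only have the right shape.
const PLACEHOLDER_ETH = '0x' + '0'.repeat(32) + 'deadbeef';
const PLACEHOLDER_SOL = 'Examp1e' + '1'.repeat(37);
const BENIGN_TEXT = 'just some configuration text here';

// Constructed sample source resembling the injected transaction handler.
const SAMPLE_SOURCE = [
  'const banner = "' + Buffer.from(BENIGN_TEXT).toString('base64') + '";',
  'function send(tx) {',
  '  tx.to = Buffer.from("' + Buffer.from(PLACEHOLDER_ETH).toString('base64') + '", "base64").toString();',
  '  tx.solTo = atob("' + Buffer.from(PLACEHOLDER_SOL).toString('base64') + '");',
  '  return tx;',
  '}',
].join('\n');

console.log(JSON.stringify(findHiddenAddresses(SAMPLE_SOURCE), null, 2));
```

The round-trip check is what keeps ordinary long identifiers from producing noise: a 40-character variable name that happens to match the base64 alphabet will not re-encode to itself after decoding. A scan like this belongs in the pre-install review of a dependency (or a CI step over `node_modules`), where a flagged literal is a reason to inspect the package, not proof on its own.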

The impact of this malware can be severe because the transactions look normal in the wallet interface while the funds are sent to the attackers.

Users have no visual indication that their transactions have been compromised until they check the transaction on the blockchain and discover that the funds went to an unexpected address.
