Crypto News

Crypto malware silently steals ETH, XRP, SOL from wallets

Researchers at the cybersecurity firm ReversingLabs have shared details of a malware campaign targeting Ethereum, XRP and Solana.

The attack mainly targets Atomic and Exodus wallet users through a compromised Node Package Manager (npm) package.

It then redirects transactions to attacker-controlled addresses without the wallet owner's knowledge.

The attack begins when developers unknowingly install trojanized npm packages into their projects. Researchers identified "pdf-to-office" as a compromised package that appears legitimate but contains hidden malware.

Once installed, the package scans the system for installed cryptocurrency wallets and injects malicious code that intercepts transactions.

‘Escalation in targeting’

"This latest campaign represents an escalation in the ongoing targeting of cryptocurrency users through software supply chain attacks," the researchers noted in their report.

The malware can redirect transactions across several cryptocurrencies, including Ethereum (ETH), Tron-based USDT, XRP (XRP) and Solana (SOL).

ReversingLabs identified the campaign through its analysis of suspicious npm packages and found several indicators of malicious behavior, including suspicious URL connections and code patterns that matched previously identified threats. Their technical examination revealed a multi-stage attack that uses advanced techniques to evade detection.

The infection process begins when the malicious package runs its payload against wallet software installed on the system. The code specifically searches for the wallet application files at particular paths.

Once it locates them, the malware extracts the application archive. This is done by code that creates temporary directories, extracts the application files, injects the malicious code, and then repackages everything so that it appears normal.

The malware modifies the transaction-handling code to replace legitimate wallet addresses with attacker-controlled ones, using Base64 encoding to hide them.

For example, when a user tries to send ETH, it replaces the recipient's address with the attacker's address, decoded from a Base64 string.
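Because the injected addresses are stored Base64-encoded, a plain-text search of a wallet bundle for a known address finds nothing. The scanner below is an added example written for this article (not code from the report or from either wallet project): it decodes every Base64-looking string literal in a JavaScript source and flags those that decode to an Ethereum, XRP or Solana address shape, the pattern the researchers describe. The sample source and its placeholder addresses are constructed here and are not indicators from the report.

```python
import base64
import binascii
import re

# Address shapes for the three chains the report names (heuristic, not checksum validation).
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xrp": re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),  # checked before solana: both base58
    "solana": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}
# A quoted base64-looking literal long enough to hold an address.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{20,}={0,2})["']""")

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def classify_address(text: str):
    """Return the chain whose address shape `text` matches, or None."""
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None

def find_hidden_addresses(source: str):
    """Return (line_no, chain, decoded) for each base64 literal in `source` that decodes to a wallet address."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for literal in B64_LITERAL.findall(line):
            try:
                decoded = base64.b64decode(literal, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not valid base64, or a binary payload: cannot be an address
            chain = classify_address(decoded)
            if chain:
                hits.append((line_no, chain, decoded))
    return hits

# Constructed sample (placeholder addresses, not report indicators): recipient fields swapped for base64 literals, beside a benign base64 config value.
FAKE_ETH = "0x" + "ab" * 20
FAKE_XRP = "r" + "p" * 30
SAMPLE_JS = "\n".join([
    'const endpoint = Buffer.from("%s", "base64").toString();' % b64(b"https://example.invalid/api/v1"),
    "function send(tx) {",
    '  tx.to = Buffer.from("%s", "base64").toString();' % b64(FAKE_ETH.encode()),
    '  tx.xrpDest = atob("%s");' % b64(FAKE_XRP.encode()),
    "}",
])

for line_no, chain, decoded in find_hidden_addresses(SAMPLE_JS):
    print(f"line {line_no}: base64-hidden {chain} address {decoded}")
```

Run it over the JavaScript extracted from a wallet's application archive; a hit is worth comparing against the vendor's published bundle, since a legitimate build has no reason to hide a recipient address behind Base64.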

The impact of this malware can be devastating because transactions appear normal in the wallet interface while the funds are sent to the attackers.

Users have no visual indication that their transactions have been compromised until they check the transaction on the blockchain and discover that the funds went to an unexpected address.


2025-04-13 19:00:00
