Cryptocurrency Wallets Under Siege: Malicious Packages Steal Funds

Generated by AI Agent, Coin World
Monday, Apr 14, 2025 2:52 pm ET · 2 min read

Security researchers have issued a warning about cybercriminals using stealthy techniques to compromise and steal funds from cryptocurrency wallets. These threat actors are uploading malicious packages to popular open-source software repositories, such as the npm (Node Package Manager), to inject malicious code into trusted local libraries without raising suspicion.

One such campaign identified by ReversingLabs involves a malicious npm package named pdf-to-office, which appears to be a legitimate tool for converting PDF files into Office documents. However, when executed, this package injects malicious code into locally installed Atomic and Exodus crypto wallets. The code overwrites existing, non-malicious files to switch the address for outgoing crypto funds, redirecting them to a wallet controlled by the attackers.

Removing the malicious package is not sufficient to stop the malicious activity. ReversingLabs warns that the Web3 wallets' software would remain compromised and continue to redirect crypto funds to the attackers' wallet. The only way to completely remove the trojanized files from the Web3 wallets' software is to remove the wallets entirely from the computer and reinstall them.

Another concerning development is the distribution of cryptocurrency miner and clipper malware via SourceForge, a popular software hosting service. Threat actors have been observed distributing malicious payloads under the guise of cracked versions of legitimate applications like Microsoft Office. One such project, officepackage, appears harmless on the surface but contains links to download malicious software designed to steal cryptocurrency.

The PoisonSeed campaign is another example of how cybercriminals are leveraging compromised credentials to launch cryptocurrency seed phrase poisoning attacks. This campaign involves sending spam messages containing cryptocurrency seed phrases to potential victims, tricking them into copying and pasting the phrases into new cryptocurrency wallets. The targeted organizations include enterprise companies and individuals outside the cryptocurrency industry, with crypto companies like Coinbase and Ledger being among the targeted entities.

The Lazarus Group, a North Korean threat actor, has also been active in targeting job seekers in the cryptocurrency sector. The group uses the ClickFix social engineering tactic to lure victims into downloading a previously undocumented Go-based backdoor called GolangGhost, which runs on Windows and macOS systems and gives the attackers unauthorized access to the victim's device. The campaign, codenamed ClickFake Interview, is part of a broader effort by the Lazarus Group to infiltrate the cryptocurrency industry and steal digital assets.

In summary, the increasing sophistication of cybercriminal tactics poses a significant threat to the security of cryptocurrency wallets. Threat actors are employing a variety of methods, including the use of malicious npm packages, compromised software hosting services, and social engineering tactics, to steal digital assets from unsuspecting users. As the cryptocurrency industry continues to grow, it is crucial for users and organizations to remain vigilant and implement robust security measures to protect against these evolving threats.
