Fake Pixelmon NFT site infects you with password-stealing malware

/in


Pixelmon

A fake Pixelmon NFT site entices fans with free tokens and collectibles while infecting them with malware that steals their cryptocurrency wallets.

Pixelmon is a popular NFT project whose roadmap includes creating an online metaverse game where you can collect, train, and battle other players using pixelmon pets.

With close to 200,000 Twitter followers and over 25,000 Discord members, the project has garnered a lot of interest.

Impersonating the Pixelmon project

To take advantage of this interest, threat actors have copied the legitimate pixelmon.club website and created a fake version at pixelmon[.]pw to distribute malware.

This site is almost a replica of the legitimate site, but instead of offering a demo of the project’s game, the malicious site offers executables that install password-stealing malware on a device.

Fake Pixelmon website
Fake Pixelmon website
Source: BleepingComputer

The site is offering a file called Installer.zip that contains an executable that appears to be corrupt and does not infect users with any malware.

However, MalwareHunterTeam, who first discovered this malicious site, found other malicious files distributed by the site that allowed us to see what malware it was spreading.

One of the files distributed by this malicious site is setup.zip, which contains the setup.lnk file. Setup.lnk is a Windows shortcut that will execute a PowerShell command to download a system32.hta file from pixelmon[.]pw.

Setup.lnk contents
Setup.lnk contents
Source: BleepingComputer

When BleepingComputer tested these malicious payloads, the System32.hta file downloaded Vidar, a password-stealing malware that is not as commonly used as it was in the past. This was confirmed by security researcher Fumik0_, who has previously analyzed this malware family.

When executed, the threat actor’s Vidar sample will connect to a Telegram channel and retrieve the IP address of a malware’s command and control server.

Telegram channel containing C2 IP address
Telegram channel containing C2 IP address
Source: BleepingComputer

The malware will then retrieve a configuration command from the C2 and download further modules to be used to steal data from the infected device.

The Vidar malware can steal passwords from browsers and applications and search a computer for…

Source…