Hackers are airdropping NFTs to Solana cryptocurrency owners that pose as alerts for a new Phantom security update and lead to the installation of password-stealing malware and the theft of cryptocurrency wallets.

This ongoing attack started two weeks ago, with NFTs titled ‘PHANTOMUPDATE.COM’ or ‘UPDATEPHANTOM.COM’ sent to wallet owners, claiming to be warnings from the developers of Phantom. When the NFTs are opened, wallet owners are told that a new security update has been released and that they should click the enclosed link or visit the site to download and install it.

“Phantom requires all users to update their wallets. This must be done as soon as possible,” reads the warning in the fake Phantom update NFT. “Failing to do so, may result in loss of funds due to hackers exploiting the Solana network. Visit www.updatePhantom.com to get the latest security update.”

When these sites are visited from any device (desktop or mobile), the site automatically downloads a Windows batch file named Phantom_Update_2022-10-08.bat [VirusTotal] from Dropbox. Previous campaigns downloaded executables named Phantom_Update_2022-10-04.exe. When the batch file is launched, it checks whether it is running with Administrator privileges and, if not, shows a Windows UAC prompt asking for permissions.
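The indicators in the report above (the two lure domains and the dated Phantom_Update_&lt;date&gt;.bat/.exe file names hosted on Dropbox) are easy to turn into a proxy-log check. The following Python script is an added example, not code from the original report or from Phantom or OODA: it assumes a simple whitespace-separated log layout (timestamp, client IP, method, URL, status, downloaded file name or `-`) and the sample log lines are constructed for illustration. It flags a visit to either lure domain (including subdomains) and any download whose file name follows the payload naming scheme, regardless of which host served it.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators from the report: the two lure domains named in the airdropped
# NFTs and the naming scheme of the dropped payloads
# (Phantom_Update_2022-10-04.exe, Phantom_Update_2022-10-08.bat).
LURE_DOMAINS = {"phantomupdate.com", "updatephantom.com"}
PAYLOAD_NAME = re.compile(r"^phantom_update_\d{4}-\d{2}-\d{2}\.(?:bat|exe)$", re.IGNORECASE)

# Assumed log layout for this example (not a real product's format):
#   <timestamp> <client_ip> <method> <url> <status> <downloaded_filename or ->
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<filename>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    client: str
    reason: str
    url: str


def registered_host(url: str) -> str:
    """Lower-cased hostname of the URL with a leading 'www.' removed."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_lure_domain(host: str) -> bool:
    # Match the lure domain itself and any subdomain of it, but not
    # unrelated domains that merely contain the string.
    return any(host == d or host.endswith("." + d) for d in LURE_DOMAINS)


def downloaded_name(url: str, filename_field: str) -> str:
    """Prefer the logged file name; fall back to the last URL path segment."""
    if filename_field != "-":
        return filename_field
    return urlsplit(url).path.rsplit("/", 1)[-1]


def analyze(lines):
    """Return one Alert per matching indicator, in log order."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        host = registered_host(m["url"])
        if is_lure_domain(host):
            alerts.append(Alert(m["ts"], m["client"], "lure domain visited", m["url"]))
        if PAYLOAD_NAME.match(downloaded_name(m["url"], m["filename"])):
            alerts.append(Alert(m["ts"], m["client"],
                                "fake Phantom update payload downloaded", m["url"]))
    return alerts


# Constructed sample traffic: one client following the lure, two benign clients.
SAMPLE_LOG = [
    "2022-10-08T12:00:01Z 10.0.0.5 GET https://www.updatephantom.com/ 200 -",
    "2022-10-08T12:00:02Z 10.0.0.5 GET https://www.dropbox.com/s/EXAMPLEID/Phantom_Update_2022-10-08.bat?dl=1 200 Phantom_Update_2022-10-08.bat",
    "2022-10-08T12:05:00Z 10.0.0.7 GET https://docs.example.org/guide 200 -",
    "2022-10-08T12:06:00Z 10.0.0.9 GET https://www.dropbox.com/s/EXAMPLEID2/q3_report.pdf?dl=1 200 q3_report.pdf",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.ts} {a.client}: {a.reason} ({a.url})")
```

Matching on the payload file name rather than on the Dropbox host keeps the check useful if the hosting location changes between campaigns, as the report notes the file name and type already have; the benign Dropbox download in the sample produces no alert.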
About OODA Analyst
OODA is comprised of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.