ReversingLabs’ research team has uncovered a new malicious campaign that targets specific versions of popular crypto wallets such as Exodus and Atomic. According to the report, threat actors are actively targeting the cryptocurrency community by using a malicious npm package to tamper with legitimate, locally installed wallet software and steal users’ funds.
Despite the challenges of tampering with open-source packages due to the vigilant OSS developer community, threat actors are continuously evolving their methods to make them harder to detect. One of the new techniques discovered by ReversingLabs involves uploading packages to OSS repositories and applying malicious ‘patches’ to local versions of trusted libraries.
In the recent campaign, a malicious actor published a package called pdf-to-office on the npm registry. The package posed as a tool for converting PDF files to Microsoft Office documents. Once executed, however, it injected malicious code into locally installed Atomic and Exodus wallets, replacing the recipient address of outgoing transactions with one controlled by the attackers.
The researchers noted that this campaign resembles one discussed in a ReversingLabs research post from March. In both cases, the official Atomic and Exodus installers distributed on the vendors’ websites were not modified; the tampering happens on the victim’s machine after the malicious npm package runs.
The threat actors behind this campaign released multiple versions of the malicious package over a few weeks in March and April. The payload was designed to detect the presence of specific files in the directories where the wallets were installed and overwrite them with trojanized versions to redirect funds to the attackers.
Furthermore, the attackers targeted specific wallet versions, adjusting their malicious code based on the version found on the victim’s system. Because the compromise lives in the wallet’s own files rather than in the npm package, removing pdf-to-office does not undo it: the trojanized wallet keeps redirecting funds to the attackers, and a complete reinstallation of the wallet is required to remove the trojanized files.
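Because uninstalling the npm package leaves the patched wallet files in place, the practical check is a file-integrity comparison of the wallet’s install directory against a baseline taken from a clean install of the same version. The script below is an added example, not code from ReversingLabs, Cryptonews, or the wallet vendors: it hashes every file under an install directory, stores the result as a manifest, and reports files that were modified, added, or removed. The directory layout and file names it uses (`resources/app.js`, `resources/version.txt`, `resources/hook.js`) are constructed placeholders for the demo, not the real files the report describes.

```python
"""File-integrity baseline for a locally installed desktop wallet.

Added example (not from the report or the wallet projects). Take a baseline
right after a clean install, store it somewhere the wallet cannot write to,
and re-verify whenever an untrusted package has run on the machine.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large bundles do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def save_manifest(manifest: Dict[str, str], dest: Path) -> None:
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> Dict[str, str]:
    return json.loads(src.read_text())


def verify_manifest(root: Path, baseline: Dict[str, str]) -> Dict[str, list]:
    """Compare the current tree with the baseline.

    Any entry in 'modified' is a file whose bytes changed since the clean
    install; an attacker-patched wallet shows up here even after the npm
    package that did the patching has been removed.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> Dict[str, list]:
    """Constructed scenario: clean install, baseline, then a trojanized overwrite."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wallet"
        (root / "resources").mkdir(parents=True)
        # Placeholder wallet files; names and contents are made up for the demo.
        (root / "resources" / "app.js").write_text("send(to=userAddress)\n")
        (root / "resources" / "version.txt").write_text("1.2.3\n")

        # Baseline taken from the clean install and stored outside the wallet tree.
        baseline_path = Path(tmp) / "wallet-baseline.json"
        save_manifest(build_manifest(root), baseline_path)

        # Simulated attack: an overwrite that swaps the recipient address and an
        # extra file dropped next to it. The "package" that did this is now gone,
        # but the modified wallet files remain.
        (root / "resources" / "app.js").write_text("send(to=ATTACKER_ADDRESS)\n")
        (root / "resources" / "hook.js").write_text("// injected\n")

        return verify_manifest(root, load_manifest(baseline_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A non-empty `modified` or `added` list for a wallet you have not upgraded is the signal to reinstall from the vendor’s official installer rather than to delete the npm package and move on. Because the campaign tailors its patch to the wallet version, the baseline must be taken per version and refreshed after every legitimate update.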
In a separate campaign, North Korea’s Lazarus group has been conducting sophisticated supply chain attacks targeting crypto developers via npm to steal funds and data. These ongoing threats highlight the importance of staying vigilant and taking proactive measures to protect crypto assets and data.
The post New Malicious Campaign Targets Atomic and Exodus Wallets appeared first on Cryptonews.