TL;DR – ReversingLabs has identified a malicious npm package, “pdf-to-office,” that targets Atomic and Exodus crypto wallet users by silently patching locally installed software to hijack transactions. The malware swaps recipient wallet addresses and remains persistent even after the package is removed.
Cybersecurity firm ReversingLabs (RL) has uncovered a new tactic threat actors are employing to target cryptocurrency users. Their latest research, shared with Hackread.com, reveals that cybercriminals are leveraging the npm (Node Package Manager) ecosystem to inject malicious code into locally installed cryptocurrency wallet software, specifically targeting Atomic Wallet and Exodus.
This attack involves the malicious patching of legitimate software files, allowing attackers to intercept cryptocurrency transfers by silently swapping recipient wallet addresses.
Fake Package and Malicious Injection
RL researchers discovered a malicious npm package named “pdf-to-office” that posed as a utility for converting PDF files to Microsoft Office documents. However, upon execution, it deployed a malicious payload that modified key files within the Atomic Wallet and Exodus installation directories.

The malware overwrites legitimate files with trojanised versions, secretly altering the destination address of outgoing cryptocurrency transactions. This allows attackers to stay undetected for an extended period, as the wallet’s core functionality appears unchanged to the user.
ReversingLabs’ automated Spectra Assure platform flagged this package as suspicious because it exhibited behaviours consistent with previous npm-based malware campaigns. An obfuscated JavaScript file was also found within the package, revealing malicious intent.
The payload targeted the "atomic/resources/app.asar" archive in Atomic Wallet’s directory and the "src/app/ui/index.js" file in Exodus.
“Atomic Wallets weren’t the only target of this malicious package, either. RL also detected a malicious payload that tried to inject a trojanised file into a legitimate, locally-installed Exodus wallet as well,” wrote ReversingLabs’ Software Threat Researcher Lucija Valentić in a blog post.
The attackers targeted specific Atomic Wallet versions (2.91.5 and 2.90.6), indicating sophistication in their targeting. The malicious files were named accordingly, overwriting the correct file regardless of which of those versions was installed.
“We also observed what appears to be an effort by the malicious actors to cover their tracks and thwart incident response efforts, or simply to exfiltrate even more information,” the researcher explained.
Persistence and Impact
A particularly problematic part of this campaign is its persistence. Research indicates that even if the malicious “pdf-to-office” package is removed from the victim’s system, the compromised cryptocurrency wallet software remains infected.
Moreover, the trojanised files within Atomic Wallet and Exodus continue to operate, silently redirecting funds to the attackers’ Web3 wallet. The only effective way to eliminate the threat is a complete removal and re-installation of the affected wallet software.
The good news is that the official Atomic Wallet and Exodus Wallet installers remain unaffected; the compromise occurs only after the malicious “pdf-to-office” package is installed and executed.
It is worth noting that this campaign is similar to a previous one RL reported in late March, which used two malicious npm packages, "ethers-provider2" and "ethers-providerz", to deliver a payload that patched the legitimate “ethers” package to serve a reverse shell.
The cryptocurrency sector is, therefore, facing increasing risks from software supply chain attacks. These attacks are becoming more sophisticated and more frequent, requiring increased vigilance from software producers and end-user organizations.
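Because the wallet installers themselves are clean and the damage is a post-install overwrite of known files, a defender can catch this kind of patch by hashing those files right after a clean install and re-checking them later. The following is an added example written for this article, not ReversingLabs' or the wallet vendors' code; it monitors the two relative paths the article names, assumes for the constructed demo that both sit under one install root, and simulates the tampering by rewriting index.js in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Files the article reports the payload overwrote, relative to each wallet's install root.
WALLET_TARGETS = ["atomic/resources/app.asar", "src/app/ui/index.js"]


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives such as app.asar fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, relpaths) -> dict:
    """Record the hash of every monitored file that exists right after a clean install."""
    return {rel: sha256_file(root / rel) for rel in relpaths if (root / rel).is_file()}


def verify_baseline(root: Path, baseline: dict) -> list:
    """Return monitored files that are missing or whose contents no longer match the baseline."""
    changed = []
    for rel, expected in baseline.items():
        current = root / rel
        if not current.is_file() or sha256_file(current) != expected:
            changed.append(rel)
    return sorted(changed)


def demo() -> list:
    """Constructed scenario: clean install, baseline, then an in-place overwrite of index.js."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in WALLET_TARGETS:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"original wallet code (constructed sample)")
        baseline = build_baseline(root, WALLET_TARGETS)
        # Simulate the patch described in the article: the legitimate file is replaced in place.
        (root / "src/app/ui/index.js").write_bytes(b"trojanised wallet code (constructed sample)")
        return verify_baseline(root, baseline)


if __name__ == "__main__":
    print("Modified files:", demo())
```

In practice the baseline would be captured immediately after installing from the official installer and stored outside the wallet directory; any later mismatch is the cue to remove and re-install the wallet rather than trust the running copy.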