A fraudulent website mimicking popular Pixelmon NFT lures its visitors with promises of free collectibles and tokens only to have them download and install password-stealing malware.
Pixelmon is an NFT project that has garnered a significant fanbase, counting almost 200 thousand followers on Twitter and more than 25,000 Discord members. Its popularity stems from the project’s promising roadmap, which includes developing an online game in the metaverse where players can collect, train, and use Pixelmon pets to battle other players.
In this recent scam attempt, threat actors have created a copy of the original website and used it to host password-stealing malware that would drain the victims’ cryptocurrency wallets. The perpetrators paid great attention to detail and replicated the website almost identically.
However, instead of providing visitors with links to a game’s demo version, the faux Pixelmon website hosts malicious executables that deploy password-stealing malware on infected devices. Users would need to download a malicious archive that packs a Windows shortcut to be compromised.
Upon accessing the Windows shortcut (setup.lnk), the potential victims trigger the execution of a PowerShell script that downloads a System32.hta file from the fake Pixelmon website. As BleepingComputer reported, the System32.hta file retrieves a password-stealing malware called Vidar spotted in similar attacks in the past.
Running Vidar establishes a connection to a Telegram channel, retrieves a C2’s IP address, then downloads additional configuration files and modules to steal data from compromised systems. Vidar can search for relevant files on infected devices, exfiltrate them to the threat actor’s defined address, and steal passwords from apps and browsers.
This malware explicitly targets text files, crypto wallets, authentication and password files, and backups and codes. As Pixelmon is an NFT site, threat actors expect visitors to have cryptocurrency wallets installed on their systems.
To steer clear of this type of attack, users should always pay attention to the website’s URL, use only official links, avoid downloading content from unknown or untrusted websites, and use dedicated solutions to scan downloaded files for suspicious content.