A bogus Pixelmon NFT site tempts visitors with free tokens and collectables while infecting them with spyware that steals their cryptocurrency wallets.
Pixelmon is a popular NFT project with plans to create an online metaverse game where users can gather, train, and battle other players with pixelmon pets.
The project has attracted a lot of attention, with nearly 200,000 Twitter followers and over 25,000 Discord members.
Threat actors have replicated the original pixelmon.club website and built a fake version at pixelmon[.]pw to deliver malware to take advantage of this interest.
Instead of providing a demo of the project's game, the malicious site provides executables that install password-stealing malware on a device.
The website is selling a package named Installer.zip that contains a faulty executable that does not infect customers with malware.
However, MalwareHunterTeam, which was the first to identify this malicious site, detected other dangerous files transmitted by it, allowing to see what malware it was spreading. Setup.zip, which contains the setup.lnk file, is one of the files sent by this fraudulent site. Setup.lnk is a Windows shortcut that runs a PowerShell command to download pixelmon[.]pw's system32.hta file.
When BleepingComputer tested these malicious payloads, the System32.hta file downloaded Vidar, a password-stealing malware that is no longer widely used. Security researcher Fumik0_, who has previously examined this malware family, confirmed this.
When launched, the Vidar sample from the threat actor connects to a Telegram channel and retrieves the IP address of a malware's command and control server. The malware will then obtain a configuration instruction from the C2 and download further modules to steal data from the afflicted device.
Vidar malware may steal passwords from browsers and apps, as well as scan a computer for files with certain names, which it subsequently sends to the threat actor.
The C2 commands the malware to seek for and steal numerous files, including text files, cryptocurrency wallets, backups, codes, password files, and authentication files, as seen in the malware setup below.
Because this is an NFT site, visitors are expected to have bitcoin wallets installed on their PCs.
As a result, threat actors focus on looking for and stealing cryptocurrency-related files.
While the site is presently not distributing a functioning payload, BleepingComputer has observed evidence that the threat actors have been modifying the site in recent days, as payloads that were available two days ago are no longer available.
One can expect this campaign to continue to be active, and working threats to be added soon, based on the site's activity.
Due to the high number of fraudsters attempting to steal the bitcoin from NFT projects, one should always double-check that the URL they are viewing is indeed associated with their interested project.
