  • New Malicious Campaign Aims at Atomic and Exodus Wallets

    Recent findings by researchers reveal that a malicious campaign is currently targeting specific versions of the well-known cryptocurrency wallets, Exodus and Atomic. The security firm ReversingLabs reports that threat actors are intensifying their efforts against the cryptocurrency community using various methods to exploit popular crypto packages for the purpose of stealing funds.

    While hijacking open-source software packages is inherently challenging due to the extensive nature of the open-source community, which often identifies tampered packages quickly, the attackers are evolving their tactics to evade detection. One newly identified method involves uploading packages to open-source repositories and applying malicious "patches" to legitimate local libraries.

    The aim remains the same: to implant undetectable malicious code into reliable, widely-used libraries.

    In recent weeks, researchers have discovered “numerous campaigns” employing this strategy. One notable example occurred on April 1, when a malicious entity released a package named pdf-to-office through the npm package manager, claiming to be a library for converting PDF files to Microsoft Office documents.

    When executed, this package could inject harmful code into locally installed versions of Atomic Wallet and Exodus, overwriting crucial files. This effectively meant that any victim attempting to transfer cryptocurrency would have the intended recipient’s address substituted with that of the malicious actor, as outlined in the report.

    This ongoing campaign bears similarities to one previously discussed by the researchers in March, emphasizing the persistent threat posed to the cryptocurrency community. Importantly, these malicious activities do not impact the official installers for Atomic Wallet and Exodus Wallet available on their respective websites.

    Targeting Specific Wallet Versions

    The pdf-to-office package was first detected following its update on npm on April 1 and was promptly removed after the discovery. However, just days later, the threat actor released a new iteration resembling the original. Over the course of several weeks in March and April, they made three versions of the package available, all possessing the same malicious functionality.

    The harmful payload was designed to identify the presence of the atomic/resources/app.asar archive within the AppData/Local/Programs directory. If found, it indicated that the user had installed Atomic Wallet on their compromised machine.

    Subsequently, the malicious code would search for the targeted archive and overwrite one of its files with a trojanized variant that altered the outgoing cryptocurrency address. As a result, any funds would be redirected to the attacker’s digital wallet.

    Significantly, “the sole distinction between the legitimate file and the trojanized version was that the latter was not minified,” the report states.
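    An integrity check a defender could run against a wallet's app.asar, added for this post and not taken from the ReversingLabs report or either wallet's code. It parses the asar container (layout assumed from the public Electron asar format), builds a constructed sample archive in memory, and flags bundled .js files whose hash has left a known-good baseline or that, as in this campaign, are no longer minified.

```python
import hashlib
import json
import struct
# asar layout: u32(4) | u32 header_size | u32 payload_len | u32 json_len | JSON(+pad) | file data
def read_asar(blob: bytes) -> dict:
    """Return {path: bytes} for every file packed in an asar image (offsets are relative to 8 + header_size)."""
    _, header_size, _, json_len = struct.unpack_from("<IIII", blob, 0)
    out, stack = {}, [(json.loads(blob[16:16 + json_len]), "")]
    while stack:
        node, prefix = stack.pop()
        for name, child in node["files"].items():
            path = f"{prefix}/{name}" if prefix else name
            if "files" in child:
                stack.append((child, path))
            elif not child.get("unpacked"):  # unpacked entries live outside the archive
                off = 8 + header_size + int(child["offset"])
                out[path] = blob[off:off + child["size"]]
    return out

def build_asar(files: dict) -> bytes:
    """Pack a flat {name: bytes} dict into an asar image; used only to construct the sample."""
    entries, data = {}, b""
    for name, content in files.items():
        entries[name] = {"size": len(content), "offset": str(len(data))}
        data += content
    js = json.dumps({"files": entries}).encode()
    payload = struct.pack("<I", len(js)) + js + b"\0" * (-len(js) % 4)
    header = struct.pack("<I", len(payload)) + payload
    return struct.pack("<II", 4, len(header)) + header + data

def audit_asar(blob: bytes, baseline: dict) -> list:
    """Flag .js files whose SHA-256 left the baseline or that are not minified (avg line < 200 chars)."""
    findings = []
    for path, content in read_asar(blob).items():
        if not path.endswith(".js"):
            continue
        digest = hashlib.sha256(content).hexdigest()
        if baseline.get(path, digest) != digest:
            findings.append((path, "hash differs from baseline"))
        lines = content.decode("utf-8", "replace").splitlines() or [""]
        if sum(map(len, lines)) / len(lines) < 200:
            findings.append((path, "not minified"))
    return findings

# Constructed sample: a minified bundle and a human-readable (un-minified) replacement.
GOOD_JS = b"!function(e){" + b"e.x=1;" * 60 + b"}(window);"
BAD_JS = b"function render(view) {\n  return view.html();\n}\n"
if __name__ == "__main__":  # real path on Windows: %LOCALAPPDATA%\Programs\atomic\resources\app.asar
    baseline = {p: hashlib.sha256(c).hexdigest() for p, c in read_asar(build_asar({"main.js": GOOD_JS, "ui.js": GOOD_JS})).items()}
    print(audit_asar(build_asar({"main.js": GOOD_JS, "ui.js": BAD_JS}), baseline))
```

    The baseline should be captured from a fresh, verified install and stored outside the wallet directory, since the payload described above rewrites the archive in place.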

    Additionally, the threat actors were fixated on specific versions of Atomic Wallet. The attack’s code dynamically adjusted its target files based on the version of the wallet detected.

    Moreover, the payload also sought to implant a trojanized file into a legitimate Exodus wallet, targeting the two most recent versions of Exodus.

    Crucially, even if victims removed the pdf-to-office package from their systems, the software for these Web3 wallets would remain compromised. This means that the redirecting of cryptocurrency to the attackers' wallet would continue unabated.

    “To entirely eradicate the malicious trojanized files associated with the Web3 wallets, users would need to remove the wallets from their systems entirely and then perform a fresh installation,” ReversingLabs concludes.

    In the broader context, North Korea's Lazarus group has been systematically targeting crypto developers through npm supply chain attacks in a meticulous and sophisticated global scheme aimed at stealing both funds and sensitive data.
