
"It logs keystrokes, dumps cookies and session tokens, captures screenshots, and takes commands from a C2 server hidden in a Solana blockchain memo," Aikido security researcher Ilyas Makari said in a report published last week.
"The attacks are careful enough to avoid infecting systems with a Russian locale and use Solana transactions as a dead drop resolver to fetch the command-and-control (C2) server and download operating system-specific payloads."
"The stage two payload is a data-theft framework with credential harvesting, cryptocurrency wallet exfiltration, and system profiling capabilities. The collected data is compressed into a ZIP archive and exfiltrated to an external server."
"The .NET binary leverages the Windows Management Instrumentation (WMI) infrastructure to detect USB device connections and displays a phishing window when a Ledger or Trez."
The GlassWorm campaign has evolved to deliver a multi-stage framework for data theft and remote access trojan (RAT) installation, distributed through rogue packages on npm, PyPI, GitHub, and Open VSX. The malware skips systems with a Russian locale and uses Solana blockchain transactions as a dead-drop resolver: the memo of a transaction points it to the command-and-control (C2) server, from which it downloads an operating-system-specific second stage. That stage harvests credentials, exfiltrates cryptocurrency wallets, and profiles the host, then compresses the collected data into a ZIP archive and sends it to an external server. Additional components include a .NET binary that watches for USB device connections via Windows Management Instrumentation (WMI) and shows a phishing window for hardware wallets, and a JavaScript RAT that siphons browser data.
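The behaviours in the summary above (an install-time locale check that spares Russian systems, a Solana JSON-RPC lookup to read a transaction memo, an OS switch before downloading the second stage) are the kind of thing a package-registry triage script can hunt for. The following is an added example, not code from the Aikido report or from any project it names: the indicator list and weights are assumptions chosen for illustration, the two sample packages are constructed, and the hits in them are not GlassWorm artefacts.

```python
"""Heuristic hunt for blockchain dead-drop-resolver behaviour in package code.

Added example; not code from the GlassWorm report. Indicators and weights are
assumptions modelled on the campaign description. Sample inputs are constructed.
"""
import re
from dataclasses import dataclass

# (indicator name, weight, pattern). Weights are an assumption for this example.
INDICATORS = [
    # Public Solana RPC endpoints a package would call to read chain data
    ("solana_rpc_host", 3, re.compile(r"mainnet-beta\.solana\.com|rpc\.ankr\.com/solana", re.I)),
    # JSON-RPC methods used to pull transactions for a watched address
    ("solana_rpc_method", 2, re.compile(r"getSignaturesForAddress|getTransaction|getConfirmedTransaction")),
    # Memo field is where a dead-drop resolver would carry the C2 location
    ("memo_parsing", 2, re.compile(r"\bmemo\b", re.I)),
    # Locale check that exits on Russian systems (ru-RU / "ru" near locale/language/LANG)
    ("russian_locale_check", 3, re.compile(
        r"ru[-_]RU|\bru\b.*(?:locale|language|LANG)|(?:locale|language|LANG).*\bru\b", re.I)),
    # OS branch before fetching a platform-specific payload
    ("os_switch_download", 1, re.compile(r"process\.platform|os\.platform\(\)|platform\.system\(\)")),
    # Lifecycle hook that runs code at install time
    ("install_hook", 2, re.compile(r'"(?:pre|post)install"\s*:')),
]


@dataclass
class Finding:
    score: int
    hits: dict  # indicator name -> first file in which it matched


def scan_package(files: dict) -> Finding:
    """files maps a path inside the package to its text content.

    Each indicator counts once per package, so a package is not penalised for
    repeating the same call in several files.
    """
    hits = {}
    for path, text in files.items():
        for name, _weight, rx in INDICATORS:
            if name not in hits and rx.search(text):
                hits[name] = path
    score = sum(w for n, w, _ in INDICATORS if n in hits)
    return Finding(score, hits)


def is_suspicious(files: dict, threshold: int = 6) -> bool:
    """Threshold is an assumption: a legitimate Solana app hits the RPC host
    (3) and maybe memo handling (2) without reaching it; the dead-drop pattern
    plus locale gate plus install hook does."""
    return scan_package(files).score >= threshold


# Constructed sample: a legitimate-looking wallet balance helper.
BENIGN_PACKAGE = {
    "package.json": '{"name": "wallet-balance", "version": "2.1.0", "main": "index.js"}',
    "index.js": (
        "const { Connection, PublicKey } = require('@solana/web3.js');\n"
        "const conn = new Connection('https://api.mainnet-beta.solana.com');\n"
        "module.exports = (addr) => conn.getBalance(new PublicKey(addr));\n"
    ),
}

# Constructed sample: install hook, locale gate, memo lookup, OS switch.
SUSPICIOUS_PACKAGE = {
    "package.json": '{"name": "demo-pkg", "version": "1.0.0", "scripts": {"postinstall": "node setup.js"}}',
    "setup.js": (
        "if (Intl.DateTimeFormat().resolvedOptions().locale.startsWith('ru')) process.exit(0);\n"
        "const body = JSON.stringify({jsonrpc: '2.0', id: 1, method: 'getTransaction', params: [SIG]});\n"
        "fetch('https://api.mainnet-beta.solana.com', {method: 'POST', body}).then(r => r.json()).then(tx => {\n"
        "  const memo = tx.result.meta.logMessages.find(l => l.includes('Memo'));\n"
        "  const name = process.platform === 'win32' ? 'w.bin' : 'l.bin';\n"
        "});\n"
    ),
}


if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN_PACKAGE), ("suspicious", SUSPICIOUS_PACKAGE)):
        f = scan_package(pkg)
        print(f"{label}: score={f.score} suspicious={is_suspicious(pkg)} hits={sorted(f.hits)}")
```

The scoring is deliberately coarse: memo handling and public RPC hosts are common in honest Solana tooling, so they only carry weight in combination with an install hook and a locale gate. Treat a flag as a reason to read the install script by hand, not as a verdict, and extend the indicator list from the indicators in the report rather than from this example's assumptions.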
Read at The Hacker News