NFT creators tricked into installing malware in highly targeted attack

Multiple digital artists and creators of non-fungible tokens (NFT) were at the center of a highly targeted malware campaign last week during which a threat actor tried to swipe their hard-earned profits.

The attacks, which began last week and continued through the weekend, were widely reported on Twitter after several victims caught on to the scheme or noticed the theft of cryptocurrency assets from their private wallets.

Be really careful out there I was dumb enough to not overlook this and open their SCR file and got my metamask swiped from à to Z all my tokens gone. They tried to access other app but my 2fa blocked them to. I’m an idiot don’t me an idiot like me and secure your shit. pic.twitter.com/gAins00taH

— FVCKRENDER (@fvckrender) June 11, 2021

Really terrible day. My Metamask got hacked and now my @withFND account is compromised. Opened a scam project proposal with a .scr file and a Microsoft Word icon. Anyone experience this before? Trying to figure out what to do

— Nicole Ruggiero (@_NicoleRuggiero) June 11, 2021

WARNING TO ALL ARTISTS
Got a DM from "John Billmate" claiming to be "Responsible for distribution of photo editor" from @SkylumSoftware

DO NOT OPEN ANY LINKS FROM THIS PERSON. This is a scam, and if you got this DM, or get a dm in the future, block it. #NFTCommunity #skylum pic.twitter.com/yQv68bRIjW

— CloudyNight.eth (@CloudyNight_k) June 11, 2021

the only time a .scr file is not mallicious is when it is indeed a screen saver file. So yeah, you shoud always ask: “Dear unknown misterious client, why did you sent me a screen saver?!” #NFT #nftart #NFTCommunity

— hallolaur (@hallolaur1) June 12, 2021

According to public reports, the threat actor used multiple identities to approach Twitter users advertising themselves as NFT creators with business deals and trick them into downloading and running a malware-laced file.

Here's the lovely conversation i had with my scammer before i got scammed. Watch out for this shit people, hopefully you don't make the same mistake i did. I've come to terms with not being the sharpest spoon in the drawer for now... pic.twitter.com/2qrH5njdfd

— Noel Rose (@PlasticTasticc) June 10, 2021

The malicious file distributed during this campaign was usually disguised as a Windows screensaver (.SCR) file.

In a report published on Tuesday, security researcher Bart Blaze analyzed a copy of one of these SCR files. Blaze said the files were configured to temporarily install a copy of the Redline malware on victims' computers.

The researcher, who shared his findings with The Record yesterday, said the malware was left without a persistence mechanism in place, meaning that it would be deleted after the first computer reboot.

Despite the malware removing itself after a first reboot, Blaze said that Redline also worked very fast and generally needed only minutes to collect and steal all of a user's personal data.

Per Blaze and per previous analysis, Redline can collect both browser credentials and cryptocurrency wallet configuration files, including browser-based wallet extensions.

Some users lost large quantities of cryptocurrency funds

Public reporting suggests that the threat actor appears to have exclusively targeted individuals who advertised themselves on Twitter as NFT creators.

NFT, which stands for non-fungible tokens, is a new blockchain-based token system that allows artists to link creations to blockchain ledgers and then sell their art (photos, videos, audio, documents, etc.) by selling an NFT token associated with that ledger entry.

NFT sales saw more than $2 billion in sales in the first quarter of 2021, and despite a recent slowdown in transactions and crackdowns from some national governments, the technology is believed to have a future and is still in high demand.

With NFT sales generating such impressive numbers, the attacker appears to have tried to get a piece of the profits made by NFT creators.

Per public reports and interviews conducted by The Record, some attacks were successful.

For example, the attacker managed to swipe more than 40,000 AXS tokens, worth around $176,000, from one single victim they infected. Others lost smaller amounts, but a loss is still a loss.

Nicole Ruggiero, a 3D artist and director, told The Record in an interview on Tuesday that she also lost "a bit of ETH" before she spotted the theft and moved to lock down accounts.

who got Hacked with the SCR file? please put your name down here with proof, or if you know someone.

— FVCKRENDER (@fvckrender) June 12, 2021

Jong Chan Han, a photographer based in South Korea, is one of the happy cases. In an interview, the artist told The Record that while they were targeted, they managed to spot the scam before they installed the malicious file.

Jong said several issues with the threat actor's public profile rang alarm bells, such as the low follower count, the lack of a professional LinkedIn or Linktree profile, the attacker's desire to pay in ETH (Ether coins) with no paperwork, and the request to install a custom app.

"That's all the red flags I caught before proceeding to next step," Jong told us. "Easy job, ridiculously high reward."

Blaze and Manifold, a company that creates blockchain products for NFT users, have both shared advice on how to secure accounts before and after such attacks.

The recent attack on NFT creators comes after similar attacks were reported earlier this year, with several cybercrime groups trying to orchestrate intrusions into accounts at Nifty Gateway, a digital art marketplace for NFT assets.