Tuesday, January 14, 2025
HomeCryptocurrency hackMalicious Solana Packages Attacking Devs Abusing Slack And ImgBB For Data Theft

Malicious Solana Packages Attacking Devs Abusing Slack And ImgBB For Data Theft

Published on

Malicious packages “solanacore,” “solana login,” and “walletcore-gen” on npmjs target Solana developers with Windows trojans and malware for keylogging and data exfiltration via Slack webhooks and ImgBB APIs.

These recently discovered crypto-stealers exhibit unusual transparency, openly revealing their malicious intent within their code, which stark contrast to the typical obfuscation techniques employed by such malware suggests a unique and potentially less sophisticated threat actor with a distinct approach to developing and deploying these malicious packages.

An npm user published three distinct packages (solanacore, solana-login, and walletcore-gen) this month, each with identical file structures and code, which collectively downloaded over 1,900 times, likely representing an attempt to artificially inflate download counts and potentially manipulate npm’s popularity rankings.

file structure of a version of the "solanacore" package
file structure of a version of the “solanacore” package

The installation package includes scripts with malicious intent that trigger the execution of a trojan disguised as a web browser executable upon successful installation and exploiting the postinstall command for immediate execution. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

The lack of obfuscation in these packages could be a deliberate attempt to evade threat detection by avoiding triggers associated with heavy obfuscation.

These packages might serve as a testbed for future attacks, mirroring past trends where attackers initially deploy benign packages to assess the environment before releasing malicious payloads.

The PowerShell script “intel_keyboard_driver.ps1” within these packages is designed to capture and record user keystrokes, as this information is then dynamically stored and appended to a locally created text file named “ok.txt.”

collected keystrokes are saved to an "ok.txt."
collected keystrokes are saved to an “ok.txt.”

The keylogging script exploits a Slack webhook by sending a base64-encoded URL to the webhook that points to the “ok.txt” file, which contains the logged keystrokes, effectively exfiltrating sensitive data to a remote server via the Slack platform.

The “accessibility” PowerShell script captures screenshots of the target system and then utilizes the ImgBB image upload API to exfiltrate these screenshots to a remote server, compromising system security. 

Java Script
Java Script

They utilize Discord Webhooks for data exfiltration, conspicuously referencing the “LOCKBITAI” ransomware group within their code, as the use of this identifier alongside unsophisticated techniques suggests a low probability of genuine affiliation with the LockBit group.

According to Sonatype, malicious npm packages, likely targeting Solana users, were observed distributing plaintext passwords and potentially compromising compromised hosts that should be immediately removed and affected systems thoroughly remediated.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Latest articles

Google’s “Sign in with Google” Flaw Exposes Millions of Users’ Details

A critical flaw in Google's "Sign in with Google" authentication system has left millions...

Hackers Attacking Internet Connected Fortinet Firewalls Using Zero-Day Vulnerability

A widespread campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces on the...

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...

CISA Released A Free Guide to Enhance OT Product Security

To address rising cyber threats targeting critical infrastructure, the U.S. Cybersecurity and Infrastructure Security...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Google’s “Sign in with Google” Flaw Exposes Millions of Users’ Details

A critical flaw in Google's "Sign in with Google" authentication system has left millions...

Hackers Attacking Internet Connected Fortinet Firewalls Using Zero-Day Vulnerability

A widespread campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces on the...

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...