A non-fungible token (NFT) is a record on a blockchain associated with a digital or physical asset, usually a digital file such as a photo, video, or audio clip. Ownership of an NFT is recorded on the blockchain, and the token can be sold and traded. NFTs differ from cryptocurrencies, which are fungible (one unit is interchangeable with any other), in that each NFT is unique and non-substitutable. The NFT market is booming, with trading volume growing by over 20,000 percent from 2020 to 2021. Cybercriminals have rushed to exploit this trend, as the Morphisec Threat Labs team previously examined in a white paper. The Threat Labs team now has fresh research on the crypto and NFT malware NFT-001, which first surfaced in November 2020.
The NFT-001 attack sequence typically includes the following steps:
- Attackers target users in crypto and NFT communities on Discord and other forums
- The victim receives a private phishing message about an NFT or financial opportunity. The message links to a fake website offering a malicious app that promises an improved user experience
- The downloaded malware unpacks a remote access trojan (RAT) that steals browsing data, installs a keylogger, and provides other surveillance capabilities
- The attacker then uses the stolen data for identity theft and to drain the victim's wallet and other assets

The threat actor has since replaced the Babadeda crypter with a new staged downloader while keeping the same delivery infrastructure as before. The new downloader gives the malware stronger defense-evasion capabilities.