Scammers are taking advantage of the hype surrounding Pixelmon to distribute password-stealing malware, researchers say.
Cybersecurity researchers from MalwareHunterTeam found a fake Pixelmon site that claims to offer a playable demo of the game but is instead set up to distribute Vidar, an information-stealing malware.
Pixelmon is a non-fungible token (NFT) project: a blockchain-based metaverse game in which players collect and train pixelated pets, then send them into combat against other players.
Targeting NFT enthusiasts
These types of projects are extremely popular these days, as the price of collectible items in the metaverse can rise into the millions. Some join to try to earn a quick buck, others because they want to be part of an emerging, and potentially hugely disruptive, technology.
Whatever the reason, all of them are potential targets. This particular project has some 200,000 Twitter followers and more than 25,000 Discord members, making it one of the most highly anticipated projects in the metaverse.
The legitimate website is pixelmon.club, but MalwareHunterTeam found pixelmon[.]pw, a seemingly identical site registered under a different top-level domain. Instead of offering the demo version of the game, the site offers a file named Installer.zip, which contains an executable.
While examining the site, the researchers found that this file was corrupt and did not deliver a working malware sample. Other files hosted on the site, though, led the researchers to conclude that it was being used to distribute Vidar.
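The pixelmon.club / pixelmon[.]pw pair is a plain TLD swap, but the same brand name can also be typosquatted or buried in a subdomain. The script below flags all three cases against an allow-list of a brand's real domains. It is an added example written for this article, not code from the article, from MalwareHunterTeam or from the Pixelmon project; everything except the pair pixelmon.club / pixelmon[.]pw (the allow-list, the homoglyph table, the other test domains) is constructed, and it assumes single-label TLDs, so suffixes like co.uk would need a public-suffix-list lookup that is left out here.

```python
"""Flag domains that imitate a brand's real one, as pixelmon[.]pw imitates pixelmon.club.

Added example for this article; not code from the article, MalwareHunterTeam
or the Pixelmon project. All inputs other than pixelmon.club / pixelmon[.]pw
are constructed. Assumes single-label TLDs (no public-suffix handling).
"""
from typing import Dict, List

# Constructed allow-list: brand label -> registrable domain the brand actually owns.
LEGIT_DOMAINS: Dict[str, str] = {"pixelmon": "pixelmon.club"}

# Common character substitutions seen in typosquats (constructed, not exhaustive).
HOMOGLYPHS: Dict[str, str] = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def labels_of(domain: str) -> List[str]:
    """Split a plain or defanged domain ('pixelmon[.]pw') into lower-case labels."""
    clean = domain.lower().strip().replace("[.]", ".")
    labels = [p for p in clean.split(".") if p]
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified domain: {domain!r}")
    return labels


def levenshtein(a: str, b: str) -> int:
    """Edit distance; an O(len(a)*len(b)) table is fine for domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_homoglyphs(label: str) -> str:
    """Undo look-alike substitutions so 'pixe1mon' compares equal to 'pixelmon'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def classify(domain: str, legit: Dict[str, str] = LEGIT_DOMAINS) -> str:
    """Verdict for one domain: legit, tld-swap, brand-in-subdomain, typosquat or unrelated."""
    labels = labels_of(domain)
    label, tld = labels[-2], labels[-1]
    for owned in legit.values():
        owned_label, owned_tld = labels_of(owned)[-2:]
        if label == owned_label:
            # Same registrable label: only the TLD decides (pixelmon.club vs pixelmon.pw).
            return "legit" if tld == owned_tld else "tld-swap"
        if owned_label in labels[:-2]:
            # Brand name pushed into a subdomain of someone else's domain.
            return "brand-in-subdomain"
        if normalise_homoglyphs(label) == owned_label or levenshtein(label, owned_label) <= 2:
            return "typosquat"
    return "unrelated"


def flag_lookalikes(domains: List[str]) -> Dict[str, str]:
    """Return only the domains that deserve a second look, keyed to their verdict."""
    verdicts: Dict[str, str] = {}
    for d in domains:
        v = classify(d)
        if v not in ("legit", "unrelated"):
            verdicts[d] = v
    return verdicts


if __name__ == "__main__":
    for domain, verdict in flag_lookalikes(
        ["pixelmon.club", "pixelmon[.]pw", "pixe1mon.club", "example.org"]
    ).items():
        print(f"{domain:20} {verdict}")
```

The edit-distance threshold of 2 is deliberately loose; on a short brand label it will also catch unrelated words of similar length, so in practice the verdicts are a triage list to feed into WHOIS and certificate-transparency checks, not an automatic block list.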
Vidar is a password-stealing malware family that had lately fallen into obscurity, the publication claims. When executed, the malware connects to a Telegram channel to retrieve the IP address of its command-and-control (C2) server, so that the operators can move the C2 without rebuilding the sample.
From the C2 server it retrieves a configuration command and downloads further modules used to steal sensitive data from the target endpoint. Given that it is targeting NFT enthusiasts, Vidar mostly looks for data related to cryptocurrency wallets, backup codes, password files, and the like.
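The Telegram lookup described above is a "dead-drop resolver": the sample never carries its C2 address, it reads it from a public page. That leaves a pattern in proxy logs that is worth hunting for, namely a process that fetches a Telegram channel and, seconds later, opens a connection to a bare IP address. The script below is an added example, not code from the article or from any published Vidar analysis; the log format, every line in PROXY_LOG, the Telegram host list and the 60-second window are constructed assumptions, and real Vidar traffic will not look exactly like this.

```python
"""Detect the dead-drop resolver pattern: a process fetches a Telegram channel
page and, shortly afterwards, connects to a bare IP address it could only have
learned from that page.

Added example, not code from the article or from any Vidar analysis. The log
format, PROXY_LOG, TELEGRAM_HOSTS and WINDOW are constructed assumptions.
Expected fields per line: ISO-8601 timestamp, client host, process, destination, path.
"""
import ipaddress
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed proxy log. ws-17 is a user browsing Telegram and, minutes later, a
# CDN by IP (benign). ws-42 is the pattern to catch: Installer.exe reads a channel
# page and 12 seconds later talks to a raw IP on a high port.
PROXY_LOG = """\
2022-03-08T10:00:01Z ws-17 chrome.exe t.me /some_public_channel
2022-03-08T10:00:05Z ws-17 chrome.exe example.com /news
2022-03-08T10:02:10Z ws-42 Installer.exe t.me /c2drop
2022-03-08T10:02:22Z ws-42 Installer.exe 198.51.100.23:8443 /
2022-03-08T10:05:00Z ws-17 chrome.exe 203.0.113.5 /static/app.js
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
TELEGRAM_HOSTS = {"t.me", "telegram.me", "telegram.org"}  # assumption: where the IP is parked
WINDOW = timedelta(seconds=60)  # assumption: the C2 contact follows the lookup almost at once


def parse_log(log: str) -> List[Dict]:
    """Parse the constructed format into dicts, skipping lines that do not match."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, proc, dest, path = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "proc": proc, "dest": dest, "path": path,
        })
    return sorted(events, key=lambda e: e["ts"])


def is_bare_ip(dest: str) -> bool:
    """True when the destination is an IPv4 literal, with or without ':port'.
    IPv6 literals are not handled in this example."""
    host = dest.rsplit(":", 1)[0] if dest.count(":") == 1 else dest
    try:
        ipaddress.IPv4Address(host)
        return True
    except ipaddress.AddressValueError:
        return False


def find_dead_drop_resolvers(log: str) -> List[Dict]:
    """Pair each Telegram fetch with the first bare-IP connection made by the same
    host and process inside WINDOW; return one hit per such pair."""
    events = parse_log(log)
    hits = []
    for i, e in enumerate(events):
        if e["dest"] not in TELEGRAM_HOSTS:
            continue
        for later in events[i + 1:]:
            if later["ts"] - e["ts"] > WINDOW:
                break  # events are time-ordered, nothing further can qualify
            same_actor = (later["host"], later["proc"]) == (e["host"], e["proc"])
            if same_actor and is_bare_ip(later["dest"]):
                hits.append({
                    "host": e["host"], "proc": e["proc"], "channel": e["path"],
                    "c2": later["dest"],
                    "delay_s": int((later["ts"] - e["ts"]).total_seconds()),
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_dead_drop_resolvers(PROXY_LOG):
        print(hit)
```

Browsers visiting t.me are normal, which is why the rule keys on the same host and process and a short window rather than on Telegram traffic alone; a non-browser process doing the fetch, as in the ws-42 lines, is the signal, and the IP it then contacts is the candidate C2 to pivot on.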
The site is currently not distributing a working payload, but the researchers suspect this is temporary and that it is only a matter of time before a working payload is uploaded. NFT enthusiasts and investors are advised to be extra careful when visiting new pages and downloading content, and to check that the domain they are on matches the one the project itself announces.