Research Saturday 5.10.25
Ep 376 | 5.10.25

Hijacking wallets with malicious patches.

Transcript

[ Music ]

Lucija Valentic: This malicious npm package puts malicious payload inside other locally installed software, Atomic Wallet and Exodus, in this case, so malicious payload is still there. That means once you, you know, you find out that that package is maybe malicious, you remove it, but the malicious payload would stay still in Atomic Wallet software and in Exodus Wallet software, so you would still be left with malicious payload even if you delete malicious npm package. [ Music ]

Dave Bittner: That's Lucija Valentic, software threat researcher from ReversingLabs. The research we're discussing today is titled "Atomic and Exodus crypto wallets targeted in malicious npm campaign." [ Music ]

Lucija Valentic: In the last couple of months on npm, there are a lot of packages that are malicious npm packages that are targeting crypto community. So we are paying close attention to those kind of packages. This package, in particular, was marked as suspicious by our ML model. It was also marked as suspicious because it had JavaScript-obfuscated file inside. So, of course, we decided to check it because, you know, we had a couple of different channels pointing us to the suspicion of the package, and it never hurts to check files that have JavaScript obfuscated, of course.

Dave Bittner: Yeah. Well, as is often the case, the name "PDF-to-Office" sounds harmless. I suppose this is a common tactic of attackers using these sorts of useful names.

Lucija Valentic: Yes, of course. There are usually -- there are a couple of things they use. They use cybersquatting, so they take some legitimate npm package name and they just add a few letters. Sometimes they use legitimate npm package name, and then they, you know, make wordplay on that name. And sometimes they just think of some names themselves that they think developers could use, could download, that they think could be useful to developers. So, of course, developers are more keen to download it.

Dave Bittner: Well, let's walk through this together. How would someone find themselves with this package installed, and what happens after it is?

Lucija Valentic: So this package, it's very simple. It doesn't try to mimic anything. It has very few files. It only tried to pass by a package that -- transfers to -- that converts PDF files to documents, to Office files. But this package, once installed, actually does, of course, malicious things. It checks if Atomic Wallet or if Exodus Wallet is installed on victim's computer. And then if it is, it overwrites legitimate files inside with Trojanized versions. And the legitimate files that are overwritten are used -- for example, if you are using Atomic Wallet or Exodus Wallet and you are sending crypto funds to some other users, functions in those legitimate files that are overwritten are used. So, of course, Trojanized versions have the same functionality as legitimate files, but few code lines are added. Malicious payload that is added just switches out outgoing address of a crypto fund. For -- of course, that results in malicious actors channeling crypto funds that victim would send to someone else to his own crypto wallet.

Dave Bittner: What about the persistence here? How did they stay on the victim's machine even after that npm package was uninstalled?

Lucija Valentic: So that is very interesting because, usually, we see npm packages, malicious ones, that have download payloads or are infostealers. So they have malicious payloads inside them. This malicious npm package puts malicious payload inside other locally installed software, Atomic Wallet and Exodus, in this case. So malicious payload is still there. So that means -- which is a little bit scary -- that means once you, you know, find out that that package is maybe malicious, you remove it. But the malicious payload would stay still in Atomic Wallet software and Exodus Wallet software. So you would still be left with malicious payload even if you delete a malicious npm package.

Dave Bittner: So it's actually modifying the Atomic or Exodus Wallets themselves?

Lucija Valentic: So I just want to clarify that Atomic Wallet and Exodus Wallet, legitimate software installers on legitimate sites, were not hijacked, but locally installed software was being hijacked.

Dave Bittner: I see. Are there any obfuscation or anti-analysis techniques that are used to hide the intent of the code?

Lucija Valentic: Yes, of course. So, usually, malicious actors really like to use JavaScript obfuscator. Of course, it doesn't mean if some file is obfuscated with JavaScript obfuscator, it's malicious all of a sudden, but it doesn't hurt to check. So this malicious payload in npm package was obfuscated with JavaScript obfuscator. I think it was obfuscated with very simple version because it was very easy to deobfuscate it. It also had malicious payload that would be injected into legitimate files, was obfuscated or particularly more, better say, encoded with Base64. It was very easily obfuscated, but it was still, you know, a little bit hidden.

Dave Bittner: We'll be right back. Let's talk about the targeting and the scope here. Were they going after specific operating systems or versions of the wallet, or even user configurations?

Lucija Valentic: So they targeted, particularly, at that time, the last two versions of Atomic Wallet and the latest version, at the time, of Exodus Wallet. Because between a few versions of Atomic Wallet, install files are different. They have different names. So they targeted particularly those two -- the latest versions they had, because they probably thought that anyone who used Atomic Wallet would update it soon or would have the latest version. So they wanted to make sure that they catch the most people they can with their malicious packages.

Dave Bittner: Yeah, that's interesting. Was there any particular geographic distribution in terms of who they're going after, any countries that they focused on?

Lucija Valentic: Not particular, they just checked if the user had installed Atomic Wallet or Exodus Wallet. They didn't check, you know, geographic IP addresses or anything, at least in these packages. Maybe there are some out there that they do that.

Dave Bittner: I see. Any indication as to who might be behind this attack?

Lucija Valentic: Well, we are not quite sure because there is no other metadata or nothing that is connected with those packages that we found. So we cannot point to, you know, anything, but probably there are, you know, threat actors, threat groups that are going for crypto community lately. I know that North Korea is, you know, most likely to go after crypto community, but I'm not saying that, in this case, is connected with it. Maybe some threat actor that, you know, it's a lone wolf and he's just trying to get crypto funds taken away.

Dave Bittner: So it seems to be likely that this is financially motivated?

Lucija Valentic: Of course. Because I mean, like with any crypto attack, they are trying to get funds. They're trying to steal funds in a very secretive way, very persistent way. So, yeah.

Dave Bittner: Well, let's talk about disclosure here. I mean, once you confirmed this malicious behavior, what sort of steps did you take to alert the broader community?

Lucija Valentic: So, of course, we reported it to the npm managers. But before they could take the package down, it was probably taken down by the author of the malicious package because there is no security holding version, so probably it was just taken down. We also have the Spectra Assure community page where we have all repos, public repositories, and packages. And, of course, there you can see what package is malicious and what package is goodware. And, of course, we have marked that package as malicious on that site.

Dave Bittner: Looking at the big picture here, what does this particular incident say about supply chain security in an open-source ecosystem like npm?

Lucija Valentic: Of course, it only solidifies the threat to crypto community because we had -- in the end of the last year, we had a couple of big crypto community attacks. Some big legitimate crypto packages were hijacked, or legitimate packages were hijacked and were injected with malicious payloads that targeted crypto community. So it only solidifies that crypto community is obviously very vulnerable now, and everyone is trying to steal funds. But it also highlights the idea that malicious actors are always trying to find new ways to hide malware, to inject malicious payloads somewhere. They also, you know, they were trying to -- before they were trying to hijack some packages, but now they found an easier way because this time, you know, they don't have to hijack anything. They just need to inject malicious payload in already installed npm packages, which is much easier. And it's a little bit harder to detect and a bit more persistent. So, yes.

Dave Bittner: What are your recommendations then for if someone's a user of Atomic or Exodus Wallets, what sort of things should they look out for?

Lucija Valentic: I mean, like, basically, if you're using any -- not just Atomic Wallet or Exodus Wallet, but if you're using any crypto-related software or crypto-related package, I think you should be on the lookout. I think you should be aware that there are malicious npm packages or, you know, malicious threat actors targeting you because crypto communities -- especially on npm, at least -- are targeted now. But also, you as a developer, you as a user of Atomic Wallet and Exodus, in this case, if you have the versions that are affected and accidentally installed malicious package, this particular -- you should remove malicious package and you should reinstall those versions of Atomic Wallet and Exodus Wallet as well.

Dave Bittner: Are there any improvements that you'd like to see from package managers like npm to help defend against this sort of thing in the future?

Lucija Valentic: I think maybe work. I'm not sure if they're doing it already, but maybe work closely with some threat researchers on taking down malicious npm packages or [inaudible 00:12:57] packages or anything. I'm not sure who is doing what, but I think that would help in making community more healthy and more safe. [ Music ]

Dave Bittner: Our thanks to Lucija Valentic from ReversingLabs for joining us. The research is titled "Atomic and Exodus crypto wallets targeted in malicious npm campaign." We'll have a link in the show notes. And that's Research Saturday brought to you by N2K Cyberwire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]