Scammers are taking advantage of the hype around Pixelmon to distribute password-stealing malware, researchers say.
Researchers at MalwareHunterTeam found a fake Pixelmon site that claims to offer a playable demo of the game but instead serves the Vidar information-stealing malware.
Pixelmon is a non-fungible token (NFT) project: a blockchain-based metaverse game in which players collect and train pixelated pets, then send them into battle against other players.
Targeting NFT Enthusiasts
These types of projects are extremely popular these days, as the price of collectibles in the metaverse can run into the millions. Some join to try to make a quick buck, others because they want to be part of emerging and potentially hugely disruptive technology.
Whatever the reason, all are potential targets. This particular project has some 200,000 Twitter followers and over 25,000 Discord members, making it one of the most anticipated projects in the metaverse.
The legitimate website is pixelmon.club, but MalwareHunterTeam found pixelmon[.]pw, a near-identical copy of it. Instead of the promised demo, the copy offers a file named Installer.zip, which contains an executable.
When researchers examined the site, that Installer.zip turned out to be corrupted and did not run, so it delivered no malware. Other files hosted on the site, however, allowed them to conclude that it was being used to distribute Vidar.
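The lookalike domain is the first thing a defender can check for. The following is an added example, not code from the article or from MalwareHunterTeam: it flags candidate domains that imitate a legitimate brand domain by swapping the TLD (pixelmon.club versus pixelmon[.]pw), by a one-character label change, or by embedding the brand in a longer label. The candidate list is constructed for illustration; only pixelmon.club and pixelmon.pw come from the report, the rest are hypothetical.

```python
"""Flag lookalike domains for a legitimate brand domain.

Added example, not part of the original article. Only pixelmon.club and
pixelmon.pw are taken from the report; the other candidates are constructed.
"""
from __future__ import annotations

LEGIT_DOMAIN = "pixelmon.club"

# Constructed candidate list, e.g. from proxy logs or a new-domain feed.
CANDIDATES = [
    "pixelmon.club",       # the real site
    "pixelmon.pw",         # the lookalike from the report
    "pixelm0n.club",       # hypothetical: digit zero for the letter o
    "pixelmon-demo.xyz",   # hypothetical: brand embedded in a longer label
    "example.org",         # unrelated
]


def split_domain(domain: str) -> tuple[str, str]:
    """Return (second-level label, suffix).

    Naive split on the last dot: correct for single-label TLDs such as .club
    and .pw, but not for multi-label suffixes like .co.uk (use a public
    suffix list for those)."""
    label, _, suffix = domain.lower().rpartition(".")
    return label, suffix


def levenshtein(a: str, b: str) -> int:
    """Edit distance (standard dynamic programme), catching 0-for-o style swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, legit: str = LEGIT_DOMAIN, max_distance: int = 1) -> str | None:
    """Return a reason string if `candidate` imitates `legit`, else None."""
    if candidate.lower() == legit.lower():
        return None
    c_label, c_suffix = split_domain(candidate)
    l_label, l_suffix = split_domain(legit)
    if c_label == l_label and c_suffix != l_suffix:
        return "tld-swap"            # pixelmon.pw vs pixelmon.club
    if levenshtein(c_label, l_label) <= max_distance:
        return "near-miss-label"     # pixelm0n.club
    if l_label in c_label:
        return "brand-embedded"      # pixelmon-demo.xyz
    return None


def find_lookalikes(candidates: list[str], legit: str = LEGIT_DOMAIN) -> dict[str, str]:
    """Map each suspicious candidate to the reason it was flagged."""
    return {c: reason for c in candidates if (reason := classify(c, legit))}


if __name__ == "__main__":
    for domain, reason in find_lookalikes(CANDIDATES).items():
        print(f"{domain}: {reason}")
```

Run it against domains seen in proxy logs or a newly-registered-domain feed; a TLD swap of a brand you care about is worth an alert on its own, while the distance and substring checks are noisier and better treated as hunting leads.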
Vidar is an information-stealing malware family that, according to the post, has faded from prominence lately. Once executed, it connects to a Telegram channel and reads the IP address of its command-and-control (C2) server from there, a dead-drop technique that keeps the C2 address out of the binary itself.
From the C2 server it then fetches a configuration and downloads additional modules that are used to steal sensitive data from the infected host. Because this campaign targets NFT enthusiasts, Vidar is configured to look mainly for data related to cryptocurrency wallets, backup codes, password files and the like.
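The C2 retrieval sequence described above (a Telegram page fetch followed shortly by plain-HTTP traffic to a bare IP address) is something that can be hunted for in web proxy logs. The following is an added example, not from the article, from MalwareHunterTeam or from any vendor's detection content: it correlates the two events per client within a short window. The log format, client addresses, Telegram URL and timings are all constructed for illustration; the only thing taken from the report is the order of the two steps.

```python
"""Hunt for the Telegram dead-drop-to-bare-IP sequence in web proxy logs.

Added example, not from the article. The log lines, hosts and window are
constructed; only the two-step sequence comes from the report.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log: "<ISO timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2022-03-08T10:00:01 10.0.0.5 GET https://t.me/s/somechannel 200
2022-03-08T10:00:03 10.0.0.5 GET http://203.0.113.10/ 200
2022-03-08T10:00:04 10.0.0.5 GET http://203.0.113.10/1234 200
2022-03-08T10:05:00 10.0.0.7 GET https://t.me/s/othernews 200
2022-03-08T11:30:00 10.0.0.7 GET https://example.com/ 200
2022-03-08T12:00:00 10.0.0.9 GET http://198.51.100.7/ 200
"""

TELEGRAM_HOSTS = {"t.me", "telegram.me", "telegram.org"}
WINDOW = timedelta(minutes=5)  # assumed: how soon after the dead drop the C2 contact follows


def parse_line(line: str) -> tuple[datetime, str, str, str, int]:
    """Split one constructed log line into its five fields."""
    ts, client, method, url, status = line.split()
    return datetime.fromisoformat(ts), client, method, url, int(status)


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_telegram(url: str) -> bool:
    host = host_of(url)
    return host in TELEGRAM_HOSTS or host.endswith(".telegram.org")


def is_bare_ip(url: str) -> bool:
    """True when the URL's host is a literal IP rather than a name."""
    try:
        ipaddress.ip_address(host_of(url))
        return True
    except ValueError:
        return False


def find_dead_drop_sequences(log_text: str, window: timedelta = WINDOW) -> dict[str, list[str]]:
    """Return {client: [c2_ip, ...]} for clients that fetched a Telegram page
    and, within `window`, started plain-HTTP traffic to a bare IP address."""
    last_telegram: dict[str, datetime] = {}
    hits: dict[str, set[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = parse_line(line)
        if is_telegram(url):
            last_telegram[client] = ts
        elif urlsplit(url).scheme == "http" and is_bare_ip(url):
            seen = last_telegram.get(client)
            if seen is not None and ts - seen <= window:
                hits.setdefault(client, set()).add(host_of(url))
    return {client: sorted(ips) for client, ips in hits.items()}


if __name__ == "__main__":
    for client, ips in find_dead_drop_sequences(SAMPLE_LOG).items():
        print(f"{client}: Telegram lookup followed by HTTP to bare IP(s) {', '.join(ips)}")
```

Telegram traffic is common on most networks and plenty of legitimate software talks to bare IPs, so this is a hunting query rather than a blocking rule: the value is in the correlation of the two events on one host within a short window, and the host 10.0.0.9 in the sample, which only contacts a bare IP, is deliberately not flagged.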
The site is not currently serving a working payload, but researchers suspect this is temporary and that a functional one will be uploaded before long. NFT enthusiasts and investors should be especially careful when visiting new sites and downloading content, and should verify a domain against the project's official channels before running anything obtained from it.