{"id":18283,"date":"2022-02-14T14:40:03","date_gmt":"2022-02-14T22:40:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/02\/14\/news-12016\/"},"modified":"2022-02-14T14:40:03","modified_gmt":"2022-02-14T22:40:03","slug":"news-12016","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/02\/14\/news-12016\/","title":{"rendered":"NFT Lure Used to Distribute BitRAT"},"content":{"rendered":"
\n
\n
<\/div>\n<\/p><\/div>\n
\n

FortiGuard Labs<\/a>\u00a0Threat Research Report<\/h2>\n

Affected Platforms: <\/b>Windows
Impacted Users: <\/b>Windows users
Impact:<\/b> Compromised machines are under the control of the threat actor
Severity Level: <\/b>Medium<\/p>\n

Despite being around for many years, blockchain captured the zeitgeist of the digital movement with the advent of Bitcoin. Digital currencies, however, are not the only application of this technology. Non-fungible tokens (NFT) entered the popular lexicon in 2021. An NFT is a digital token that uses blockchain to verify the authenticity of digital content and ownership, such as art, music, collectibles, and in-video-game items.<\/p>\n

The first major NFT splash came in March 2021, when the digital work of art \u201cEverydays \u2013 The First 5000 Days\u201d created by the digital artist \u201cBeeple\u201d was auctioned and sold for a record-breaking $69 million. Later that month, the NFT of the very first tweet posted by then-Twitter CEO Jack Dorsey was sold for $2.9 million. NFTs even gave new life to a popular 10-year-old internet meme, \u201cNyan Cat.\u201d The original creator remastered the GIF and sold it as an NFT for 10 Ethereum ($590,000).<\/p>\n

Exclusive possession of unique assets tends to drive the desire for ownership\u2014and the price\u2014sky-high. And predictably, online criminals are there trying to exploit this activity.<\/p>\n

FortiGuard Labs recently came across a peculiar-looking Excel spreadsheet that seemingly included NFT-related information. But instead, it downloads and installs the BitRAT malware in the background. This blog describes how this attack works.<\/p>\n

Strange looking Excel macro file (XLSM) and target<\/h2>\n

The original source of the malicious Excel file has not been identified. However, the file provides some clues as to its origin and target. First, the XLSM is named \u201cNFT_Items.xlsm\u201d. Second, the file has two workbooks, one of which is in Hebrew. That workbook contains what appears to be legitimate Discord rooms that deal with NFTs. It also includes the names of NFTs, forecasts for potential investment returns (hyped, solid, and 50\/50), and selling quantities. Finally, like many similar recent attacks, this attack abuses Discord by using it to host malicious files. These points provide enough evidence to conclude that the attacker likely sent a message to NFT enthusiasts in Israel to entice them to download and open the malicious XLSM.<\/p>\n<\/p><\/div>\n