#SecureYourAssets
wallets
Once the malicious package is installed, it begins scanning the device for installed cryptocurrency wallets, especially Atomic and Exodus. If found, the software extracts the application files to temporary folders, then injects malicious code into them, and repackages the files in a way that makes them appear intact and unmodified.
Replacing addresses and transferring funds to the attackers
The danger of this attack lies in its ability to modify the wallet's code path for sending currencies, so that the recipient's address is replaced with an address owned by the attacker; the substituted address is stored base64-encoded to hide it inside the code.
The transaction appears normal in the wallet interface, while the funds go to a malicious address without the user's knowledge.
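Because the repackaged files are meant to look intact and the substituted address is hidden as a base64 literal, the practical defence is to baseline the installed wallet's files and re-check them after any package installation. The following is an added example, not code from the original article or from either wallet project: it hashes every file under an application directory, diffs the result against a saved baseline, and scans any modified or added JavaScript for base64 literals that decode to an address-shaped string. The application layout, file names and the address pattern are constructed for the demonstration; real deployments would compare against a manifest taken from a known-good install.

```python
"""Baseline-and-compare integrity check for an installed application's files.

Added example (not the article's or the wallets' own code). All paths and
sample sources below are constructed; the address regex is a conservative
placeholder for hex (0x...) and common base58/bech32 shapes.
"""
import base64
import hashlib
import json
import os
import tempfile
from pathlib import Path
import re

# Quoted base64-looking literal of at least 20 characters.
BASE64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{20,}={0,2})['\"]")
# Address-shaped strings (constructed, deliberately loose).
ADDRESS_LIKE = re.compile(
    r"^(0x[0-9a-fA-F]{40}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"
)

# Constructed sample data: a clean send routine and a modified one in which
# the recipient is overridden by a base64-encoded hard-coded address.
SAMPLE_ADDR = "0x" + "ab" * 20                       # constructed, not real
ENCODED = base64.b64encode(SAMPLE_ADDR.encode()).decode()
CLEAN_SOURCE = "export function send(tx) { return submit(tx.to, tx.amount); }\n"
TAMPERED_SOURCE = (
    f'const to = atob("{ENCODED}");\n'
    "export function send(tx) { return submit(to, tx.amount); }\n"
)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative, forward slashes) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify files as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def find_encoded_addresses(source: str) -> list:
    """Return (literal, decoded) pairs for base64 literals that decode to an address shape."""
    hits = []
    for m in BASE64_LITERAL.finditer(source):
        literal = m.group(1)
        try:
            decoded = base64.b64decode(literal, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not text: ignore
        if ADDRESS_LIKE.match(decoded):
            hits.append((literal, decoded))
    return hits


def demo() -> dict:
    """Build a toy install, baseline it, alter it, and report what the check finds."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "send.js").write_text(CLEAN_SOURCE)
        (root / "app" / "ui.js").write_text("export const title = 'Send';\n")
        baseline = build_manifest(root)          # taken from the known-good state

        # Constructed post-install state: one file changed, one file added.
        (root / "app" / "send.js").write_text(TAMPERED_SOURCE)
        (root / "app" / "hook.js").write_text("/* constructed extra file */\n")
        current = build_manifest(root)

        report = compare_manifests(baseline, current)
        report["encoded_addresses"] = {
            rel: find_encoded_addresses((root / rel).read_text())
            for rel in report["modified"] + report["added"]
            if rel.endswith(".js")
        }
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash comparison is what catches the repackaging regardless of how carefully the files were rebuilt; the base64 scan is a secondary triage aid for the specific hiding technique the article describes and will produce false positives on legitimate encoded constants, so treat its output as something to inspect, not as proof on its own.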
No visible indicators of compromise
One of the most concerning aspects is that the user does not notice any change in the user interface or during the transaction execution. No warning messages or signs of manipulation appear.
The issue is only discovered when reviewing the transaction details on the blockchain, revealing that the funds were sent to an unknown address.