A malicious Rust crate (package) named evm-units, aimed at stealing cryptocurrency from unsuspecting developers, has been pulled from the official public package registry for the Rust programming language, but not before having been downloaded 7257 times.
Another package (uniswap-utils) by the same author appeared to be benign, but depends on evm-units and calls it in one of its files. That package has been removed as well, after having been downloaded 7441 times, the crates.io team shared. The packages’ author has had its account disabled.
The packages’ covert actions
The two malicious packages were flagged by Socket threat researchers, who analyzed it and concluded that evm-units impersonated an EVM version helper (i.e., a tool that helps developers select, manage, or reason about different versions of the Ethereum Virtual Machine when compiling or analyzing smart contracts).
“The package appears to return the Ethereum version number, so the victim is none the wiser,” Socket threat researcher Olivia Brown explained.
In the background, though, the package also: decodes an URL encoded in it, checks the underlying OS (Linux, macOS or Windows), and downloads and saves an OS-specific script/file in the system’s temporary folder, and runs it.
“There is no window, no output, no logs printed, so the victim never sees anything,” Brown notes. The script cab run any commands or install a subsequent payload, “enabling silent second-stage infection.”
Before running the script on Windows machines, the malware checks for the presence of the 360 Total Security antivirus by Chinese company Qihoo 360. Depending on its presence or absence, the malware launches the script by either directly calling Powershell or through a VBScript that runs a hidden Powershell script.
Likely targets
“This focus on Qihoo 360 is a rare, explicit, China-focused targeting indicator, because it is a leading Chinese internet company. It fits the crypto-theft profile, as Asia is one of the largest global markets for retail cryptocurrency activity,” Brown pointed out.
Add to this the fact that the two crates impersonate an EVM utility and a Uniswap helper library (for working with Uniswap pool addresses on several chains), and the targets seem obvious: developers working on decentralized applications.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
