GlassWorm Malware Accelerates Data Theft via Solana Dead Drops and Remote Access Trojan


Recent developments in the cybersecurity landscape have unveiled a sophisticated evolution of the GlassWorm campaign. This multi-stage framework is designed to facilitate extensive data theft and deploy a remote access trojan (RAT) that masquerades as an offline version of Google Docs. The implications of this malware are significant, raising concerns about the security of software supply chains and the potential for widespread data breaches.

The Mechanics of the GlassWorm Campaign

Cybersecurity experts have identified that the GlassWorm campaign employs a range of techniques to infiltrate systems. According to Aikido security researcher Ilyas Makari, the malware logs keystrokes, dumps cookies and session tokens, captures screenshots, and communicates with a command-and-control (C2) server whose address is hidden within a Solana blockchain memo. Using a public blockchain as a dead drop for C2 details is a notable shift in tactics, since the memo cannot be taken down the way a conventional C2 domain can.

GlassWorm has gained notoriety for its persistent nature, leveraging rogue packages published across platforms such as npm, PyPI, GitHub, and the Open VSX marketplace. The campaign often compromises project maintainers’ accounts to push malicious updates, making it particularly insidious. Notably, the attacks are designed to avoid infecting systems with a Russian locale, indicating a level of sophistication in the targeting of victims.

Data Theft and Exfiltration Techniques

The second stage of the GlassWorm payload is a robust data-theft framework capable of credential harvesting, cryptocurrency wallet exfiltration, and system profiling. The data collected is compressed into a ZIP archive and sent to an external server. This stage also includes functionality to retrieve and execute the final payload.

Once the initial data exfiltration is complete, the malware fetches additional components, including a .NET binary that targets hardware wallets and a WebSocket-based JavaScript RAT. The latter siphons web browser data and executes arbitrary code. The RAT payload is retrieved using a public Google Calendar event URL as a dead drop resolver, a second use of a legitimate public service to locate the next payload.

Phishing Attacks Targeting Hardware Wallets

The .NET binary exploits the Windows Management Instrumentation (WMI) infrastructure to detect USB device connections. When a Ledger or Trezor hardware wallet is plugged in, the malware displays a phishing window designed to capture the wallet’s recovery phrase. The phishing interface presents a fake configuration error for Ledger and a false “Firmware validation failed” message for Trezor, both requiring the user to input their recovery phrases.

The phishing window reappears if closed, increasing the likelihood that the victim eventually enters the recovery phrase. The ultimate goal is to transmit the captured phrase to an attacker-designated IP address.

Command-and-Control Functionality

The RAT employs a Distributed Hash Table (DHT) to retrieve C2 details. If this mechanism fails, the malware resorts to the Solana-based dead drop for instructions. Once connected, the RAT can execute various commands on the compromised system, including:

  • Deploying a Hidden Virtual Network Computing (HVNC) module for remote desktop access.
  • Launching a WebRTC module to run as a SOCKS proxy.
  • Stealing data from multiple web browsers, including Google Chrome and Mozilla Firefox, while bypassing Chrome’s app-bound encryption protections.
  • Sending system information back to the attackers.
  • Executing JavaScript commands supplied by the attacker.

Additionally, the RAT force-installs a Google Chrome extension named Google Docs Offline, which connects to the C2 server to receive commands. This extension can gather cookies, local storage data, the Document Object Model (DOM) tree of the active tab, bookmarks, screenshots, keystrokes, clipboard content, and browser history.

Evolving Tactics and Industry Impact

The discovery of GlassWorm’s tactics coincides with a shift towards exploiting the WaterCrawl Model Context Protocol (MCP) ecosystem. This marks the campaign’s first confirmed move into this area, raising alarms about the potential for further exploitation of trusted systems. As noted by Koi security researcher Lotan Sery, the rapid growth of AI-assisted development and the inherent trust placed in MCP servers could lead to more sophisticated attacks in the future.

Developers are urged to exercise caution when installing Open VSX extensions, npm packages, and MCP servers. It is advisable to verify publisher names, scrutinize package histories, and avoid relying solely on download counts for trustworthiness. In response to the growing threat, Polish cybersecurity firm AFINE has developed an open-source Python tool named glassworm-hunter. This tool scans developer systems for payloads associated with the GlassWorm campaign without making any network requests during the scanning process.
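As an added illustration of the hygiene checks recommended above (this is not the article's or AFINE's code, and the package name, user names and dates are constructed), the following Python audits npm-style registry metadata for publisher changes and long dormancy gaps in a package's release history, deliberately ignoring download counts:

```python
"""Package-history audit over npm-registry-shaped metadata (constructed sample).

Checks the two things the article recommends scrutinising: who published each
version, and whether a release appears after a long period of inactivity (a
pattern consistent with a hijacked maintainer account). The metadata layout
mirrors the npm registry document (`time` map and `versions[v]["_npmUser"]`);
all names and dates below are constructed and are not GlassWorm indicators.
"""
from datetime import datetime, timezone

# Constructed registry-style metadata for a hypothetical package.
SAMPLE_META = {
    "name": "example-widget",
    "time": {
        "created": "2023-01-10T12:00:00.000Z",   # registry bookkeeping keys
        "modified": "2025-03-15T12:00:00.000Z",  # are skipped by the audit
        "1.0.0": "2023-01-10T12:00:00.000Z",
        "1.0.1": "2023-02-01T12:00:00.000Z",
        "1.0.2": "2025-03-15T12:00:00.000Z",
    },
    "versions": {
        "1.0.0": {"_npmUser": {"name": "alice"}},
        "1.0.1": {"_npmUser": {"name": "alice"}},
        "1.0.2": {"_npmUser": {"name": "alice-dev"}},  # look-alike publisher
    },
}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_history(meta, expected_publisher, dormancy_days=365):
    """Return (version, reason) findings for the package metadata.

    - Any version not published by `expected_publisher` is flagged.
    - Any version released more than `dormancy_days` after the previous one
      is flagged, regardless of how popular the package is.
    """
    findings = []
    versions = sorted((v for v in meta["time"] if v in meta["versions"]),
                      key=lambda v: _parse(meta["time"][v]))
    prev_time = None
    for v in versions:
        publisher = meta["versions"][v]["_npmUser"]["name"]
        when = _parse(meta["time"][v])
        if publisher != expected_publisher:
            findings.append((v, f"published by '{publisher}', expected '{expected_publisher}'"))
        if prev_time is not None and (when - prev_time).days > dormancy_days:
            findings.append((v, f"released after {(when - prev_time).days} days of inactivity"))
        prev_time = when
    return findings


if __name__ == "__main__":
    for version, reason in audit_history(SAMPLE_META, "alice"):
        print(f"{SAMPLE_META['name']}@{version}: {reason}")
```

Real registry documents can be fetched from the registry's package endpoint and passed in unchanged; the look-alike publisher and the two-year gap are both surfaced on the sample.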

Conclusion

The GlassWorm campaign exemplifies the evolving landscape of cybersecurity threats. With its innovative use of blockchain technology for command and control, as well as its sophisticated data exfiltration techniques, the campaign poses a significant risk to individuals and organizations alike. As the threat landscape continues to evolve, vigilance and proactive measures will be essential in safeguarding sensitive information.
