Malicious Rust Crate Targets Web3 Developers with OS-Specific Malware

Cybersecurity researchers have uncovered a sophisticated threat targeting Web3 developers. A malicious Rust package, "evm-units," disguised as an Ethereum Virtual Machine (EVM) helper tool, was found on the crates.io repository. This crate, along with a related package "uniswap-utils," managed to attract thousands of downloads before being removed.

Key Takeaways

  • A malicious Rust crate named "evm-units" was distributed via crates.io.

  • The crate masqueraded as an EVM unit helper tool, targeting Web3 developers.

  • It delivered OS-specific malware to Windows, macOS, and Linux systems.

  • The malware's execution was influenced by the presence of Qihoo 360 antivirus software.

  • The packages have since been removed from the repository.

Stealthy Malware Deployment

The "evm-units" crate, uploaded by a user named "ablerust," was designed to be stealthy. Upon execution, it checks the victim's operating system and the presence of Qihoo 360 antivirus. Based on these factors, it downloads a payload, saves it to the system's temporary directory, and executes it silently. The package even returned a seemingly harmless Ethereum version number to avoid suspicion.

OS-Specific Payload Execution

The malware exhibited distinct behaviors across different operating systems:

  • Linux: Downloads a script, saves it as /tmp/init, and runs it in the background using nohup.

  • macOS: Downloads a file named init and executes it in the background via osascript and nohup.

  • Windows: Downloads a PowerShell script (init.ps1) to the temp directory. It checks for the qhsafetray.exe process (associated with 360 Total Security). If the antivirus is not detected, it uses a Visual Basic Script wrapper to run PowerShell hidden. If detected, it alters execution to directly invoke PowerShell.

Targeting Web3 Ecosystem

The inclusion of "evm" and "uniswap" in the package names strongly suggests the threat actor aimed to compromise developers within the Web3 space. The "evm-units" crate was listed as a dependency in the "uniswap-utils" package, meaning the malicious code could execute automatically when the latter was initialized, amplifying its reach. The explicit check for Qihoo 360 antivirus suggests a potential focus on users in China, a significant market for cryptocurrency activity.
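One way a defender can check a project for the dependency chain described above, as an added example that is not part of the article or the report it summarizes: a short Python script that parses Cargo.lock, walks the dependency graph from the project's root crate, and reports every path that reaches a known-bad crate, so a transitive pull-in through "uniswap-utils" is surfaced, not only a direct dependency. The sample Cargo.lock and the root crate name `my-dapp` are constructed; the flagged names are the two crates the article reports.

```python
# Crate names the article reports as malicious (taken from the article).
FLAGGED_CRATES = {"evm-units", "uniswap-utils"}

# Constructed sample Cargo.lock: the project depends only on uniswap-utils,
# which in turn pulls in evm-units, the chain the article describes.
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "my-dapp"
version = "0.1.0"
dependencies = [
 "uniswap-utils",
]
[[package]]
name = "uniswap-utils"
version = "0.1.0"
dependencies = [
 "evm-units",
]
[[package]]
name = "evm-units"
version = "0.1.0"
"""


def parse_cargo_lock(text):
    """Return {crate: [dependency names]} from Cargo.lock text (line-based).
    A dependency entry may read "name 1.2.3 (source)", so keep the first token."""
    graph, name, in_deps = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("name = "):
            name = line.split('"')[1]
            graph[name] = []
        elif line.startswith("dependencies = ["):
            in_deps = True
        elif in_deps and line == "]":
            in_deps = False
        elif in_deps and line.startswith('"'):
            graph[name].append(line.split('"')[1].split()[0])
    return graph


def find_flagged(graph, root, flagged=FLAGGED_CRATES, path=()):
    """Depth-first walk; return {flagged crate: dependency path from root}."""
    path = path + (root,)
    hits = {root: path} if root in flagged else {}
    for dep in graph.get(root, []):
        if dep not in path:  # guard against dependency cycles
            hits.update(find_flagged(graph, dep, flagged, path))
    return hits
```

Running `find_flagged(parse_cargo_lock(open("Cargo.lock").read()), "<root crate>")` on a real lockfile prints nothing for a clean tree and the full root-to-crate path for each flagged crate otherwise.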

Sources

  • Malicious Rust Crate Delivers OS-Specific Malware to Web3 Developer Systems, The Hacker News.
