Alert in Solana: Malware uses the blockchain network to conceal its attacks

A recent report warns that malware known as GlassWorm is using the efficiency of the Solana network to establish immutable and low-cost command and control channels.

The high-performance architecture of the Solana network has transformed the decentralized finance landscape, but its efficiency has also attracted the interest of advanced threat actors. 

The discovery of the GlassWorm campaign by cybersecurity analysts at Aikido Security marks a milestone in cybersecurity: it is one of the first documented cases where the native functions of a public blockchain are used as a "dead drop" system for malware.

Unlike traditional attacks that seek to compromise a protocol, GlassWorm leverages the robustness and immutability of Solana as a transport layer for its command and control (C2) instructions. In simpler terms, the Solana network has not been hacked or compromised in its basic security. In reality, cybercriminals are abusing its characteristics (low cost, high speed, and the fact that recorded information cannot be censored or deleted) to hide their malware.

Cybercriminals have found in the speed of confirmation and censorship resistance of this blockchain an ideal environment to deploy a malware infrastructure that is virtually impossible to take down using conventional computer security methods.

How does malware leverage blockchain to remain hidden?

GlassWorm employs an ingenious strategy based on the inner workings of the Solana network to transmit its commands without raising suspicion. According to researchers, the malware leverages the ability to attach metadata to each transaction and uses it as a covert channel to communicate with its command and control server. Instead of serving the original purpose of the transaction memo (notes) field, which is to record information about transfers, the malware turns it into a discreet container for IP addresses and links to the servers where it stores its payloads.

When a computer is compromised, the malicious code connects to the blockchain and issues requests through the getSignaturesForAddress RPC method, which lets the attacker track a previously configured wallet. The metadata of recent transactions acts as encrypted messages containing updated instructions, enabling the system to continuously receive new commands without relying on an exposed central server.

In this context, the researchers explain that the use of Solana is driven by efficiency. Its virtually nonexistent transaction costs allow operators to constantly modify their infrastructure at minimal expense. In practical terms, each update costs a fraction of a cent, enabling them to rotate servers and addresses as often as necessary to avoid blocking. This ability to change constantly gives cybercriminals an advantage over traditional defense mechanisms based on blacklists and DNS filters.
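As an added illustration (not code from Aikido Security's report or from the malware itself), the Python snippet below shows the defender-side counterpart of the channel described above: given signature entries in the shape the getSignaturesForAddress RPC returns for a wallet already named in threat intelligence, it flags memos that carry IP addresses or URLs, so each infrastructure rotation can be pulled into blocklists or matched against endpoint egress logs. The sample entries are constructed, and the "[length] text" memo rendering is an assumption.

```python
import ipaddress
import json
import re

# Constructed sample shaped like a getSignaturesForAddress result, trimmed to
# the fields used here (a real entry also carries err and blockTime). Values
# are made up; memo is the field a dead-drop client reads for instructions.
SAMPLE_RPC_RESULT = json.loads("""[
  {"signature": "sigA", "slot": 100, "memo": "[21] http://198.51.100.7/p"},
  {"signature": "sigB", "slot": 101, "memo": "[17] 203.0.113.42:8443"},
  {"signature": "sigC", "slot": 102, "memo": "[12] rent payment"},
  {"signature": "sigD", "slot": 103, "memo": null}
]""")

MEMO_PREFIX = re.compile(r"^\[\d+\]\s*")  # assumed "[length] text" rendering
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"\bhttps?://\S+", re.IGNORECASE)

def strip_memo_prefix(memo: str) -> str:
    return MEMO_PREFIX.sub("", memo).strip()

def extract_indicators(text: str) -> tuple[list[str], list[str]]:
    """Return (ipv4 addresses, urls) found in memo text. Dotted version
    strings can look like IPs, so treat hits as leads to confirm."""
    ips = []
    for candidate in IPV4.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)  # rejects octets > 255
        except ValueError:
            continue
        if not addr.is_loopback:
            ips.append(str(addr))
    return ips, URL.findall(text)

def flag_dead_drop_memos(rpc_result: list[dict]) -> list[dict]:
    """Flag entries whose memo carries network indicators. For a monitor
    watching a wallet already named in threat intel, each finding is one
    rotation of attacker infrastructure to feed blocklists or egress logs."""
    findings = []
    for entry in rpc_result:
        memo = entry.get("memo")
        if not memo:
            continue
        ips, urls = extract_indicators(strip_memo_prefix(memo))
        if ips or urls:
            findings.append({"signature": entry["signature"],
                             "slot": entry["slot"], "ips": ips, "urls": urls})
    return findings
```

Run against SAMPLE_RPC_RESULT, the first two entries are flagged (one URL, one bare IP:port) while the ordinary memo and the empty memo are ignored.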

Furthermore, GlassWorm maintains its autonomy through a backup network comprised of several public RPC access points. As long as the Solana network remains operational, the malware will retain an open channel to communicate and reinforce its persistence within the infected system. 

In short, experts warn that this design makes GlassWorm a difficult threat to disrupt, capable of adapting quickly and leveraging the blockchain infrastructure itself as an operational refuge.

The weakest link in Web3: Blockchain is not the problem

Finally, although GlassWorm's malicious instructions reside latently on the blockchain, the actual damage occurs outside of it, by deceiving the user. The attackers use phishing to build ecosystems of fake websites or browser extensions that appear legitimate, with the aim of deceiving the most trusting users.

When a victim interacts with these fake sites, the page silently "calls" the Solana network, retrieves the pieces of code hidden in transaction metadata, assembles the malware in the user's computer memory, and executes the attack.

According to researchers, the GlassWorm attack process typically results in two types of incidents: the theft of seed phrases, including attacks on wallets such as Phantom, and the real-time alteration of sending addresses. In the first case, users unknowingly grant full access to their digital wallets. In the second, attackers alter the destination address during a transaction without the user noticing.

With this, the researchers emphasize that the technical robustness of a network like Solana is not enough on its own to protect digital assets. True defense lies in the user's daily habits, their ability to verify sources, be wary of suspicious links, and maintain constant vigilance in any interaction within the Web3 environment.