A seemingly innocent utility for Ethereum developers has been unmasked as a sophisticated stealth loader. The Socket Threat Research Team recently discovered a malicious Rust package named evm-units, written by the user ablerust, which had garnered over 7,000 all-time downloads before being removed. The package, which was live on the Crates.io repository for eight months, masqueraded as a tool for handling Ethereum Virtual Machine (EVM) units but concealed a dangerous payload designed to execute silently on victim machines.
The malware’s primary deception lies in its ability to hide in plain sight. To a casual observer or a developer running tests, the package behaves normally. “The package appears to return the Ethereum version number, so the victim is none the wiser,” the report notes.
However, the function get_evm_version() does far more than return a simple integer. “Calling that function to check the version number begins a series of steps eventually leading to compromise,” researchers warned.
Once triggered, the function decodes a hidden Base64-encoded URL and downloads a malicious payload specific to the victim’s operating system (Linux, macOS, or Windows). The execution is designed for maximum stealth:
- Linux/macOS: It uses nohup to run the payload in the background, suppressing all terminal output.
- Windows: It employs a VBScript wrapper to execute a hidden PowerShell window, ensuring the user sees nothing on their screen.
One of the most distinctive features of evm-units is its specific behavior on Windows systems, which strongly suggests the threat actor has a particular interest in victims within Asian markets.
Before executing its payload, the malware checks the system for qhsafetray.exe, a process associated with Qihoo360, a dominant Chinese antivirus provider.
“The targeting of Qihoo360 also suggests that the threat actor is focusing on Asian markets, as Qihoo360 is a Chinese-made antivirus with dominant market share throughout Asia,” the report states. If the antivirus is detected, the malware alters its execution method to bypass detection, utilizing a direct PowerShell command rather than the VBScript wrapper used for unprotected systems.
The attack was not limited to users who directly installed evm-units. The threat actor also compromised the supply chain by creating a second package, uniswap-utils, which claimed to be a helper library for the popular Uniswap decentralized exchange.
“Another package written by the same author, uniswap-utils, appears completely benign. However, it depends on evm-units and calls it in one of its files,” the researchers explained.
This dependency was weaponized using a Rust feature that executes code automatically during testing. “Here, the malicious code runs automatically at initialization due to the #[ctor::ctor] annotation, making this a supply chain compromise.”
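The two indicators the report describes, a life-before-main hook (`#[ctor::ctor]`) and a Base64 literal that decodes to a download URL, can be checked for across a local Rust source tree such as `~/.cargo/registry/src`. The scanner below is an added example, not code from the Socket report or from either crate; the crate layout, the `get_evm_version` stub and the Base64 URL in the sample are constructed placeholders.

```python
"""Flag Rust sources that combine a ctor hook with a Base64-encoded URL literal."""
import base64
import re
import tempfile
from pathlib import Path

# `#[ctor::ctor]` or `#[ctor]` attribute (the `use` line alone does not match).
CTOR_RE = re.compile(r"#\[\s*(?:ctor::)?ctor\b")
# String literals of 24+ Base64-alphabet characters.
B64_RE = re.compile(r'"([A-Za-z0-9+/=]{24,})"')

def decoded_urls(src: str) -> list[str]:
    """Return every Base64 literal in `src` that decodes to an http(s) URL."""
    urls = []
    for lit in B64_RE.findall(src):
        try:
            text = base64.b64decode(lit, validate=True).decode("ascii")
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
            continue
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls

def scan_source(src: str) -> dict:
    return {"ctor": bool(CTOR_RE.search(src)), "urls": decoded_urls(src)}

def scan_tree(root: Path) -> dict[str, dict]:
    """Scan every .rs file under `root`; report files tripping either indicator."""
    findings = {}
    for path in root.rglob("*.rs"):
        result = scan_source(path.read_text(errors="ignore"))
        if result["ctor"] or result["urls"]:
            findings[path.relative_to(root).as_posix()] = result
    return findings

# Constructed sample crate mimicking the reported pattern (placeholder URL, not the real one).
SAMPLE_URL = "https://loader.example.invalid/stage2"
SAMPLE_CRATE = f'''use ctor::ctor;
const V: &str = "{base64.b64encode(SAMPLE_URL.encode()).decode()}";
#[ctor::ctor]
fn init() {{ let _ = get_evm_version(); }}
pub fn get_evm_version() -> u32 {{ 1 }}
'''
BENIGN_CRATE = "pub fn wei_to_gwei(w: u128) -> u128 { w / 1_000_000_000 }\n"

def demo() -> dict[str, dict]:
    """Build a throwaway registry-like tree with one suspicious and one benign crate."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "evm-units-0.1.0" / "src").mkdir(parents=True)
        (root / "evm-units-0.1.0" / "src" / "lib.rs").write_text(SAMPLE_CRATE)
        (root / "benign-0.1.0" / "src").mkdir(parents=True)
        (root / "benign-0.1.0" / "src" / "lib.rs").write_text(BENIGN_CRATE)
        return scan_tree(root)

if __name__ == "__main__":
    for file, result in demo().items():
        print(file, result)
```

A hit on either indicator alone is common in legitimate crates (ctor is a popular crate, and long Base64 literals appear in test fixtures); the combination in a small utility crate is what warrants a manual read of the source.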
While the package has been removed from Crates.io, its eight-month lifespan and specific targeting serve as a stark warning. “The package names and code behavior (EVM utilities, genuine Uniswap helper library), combined with the Qihoo360 targeting and multi-OS loader pattern, make it likely that the payload steals cryptocurrency.”