Google Chrome extension used to steal cryptocurrency, passwords

Google Chrome extension used to steal cryptocurrency, passwords

Chrome

An information-stealing Google Chrome browser extension named ‘VenomSoftX’  is being deployed by Windows malware to steal cryptocurrency and clipboard contents as users browse the web.

This Chrome extension is being installed by the ViperSoftX Windows malware, which acts as a JavaScript-based RAT (remote access trojan) and cryptocurrency hijacker.

ViperSoftX has been around since 2020, previously disclosed by security researchers Cerberus and  Colin Cowie, and in a report by Fortinet.

However, in a new report today by Avast, researchers provide more details regarding the malicious browser extension and how the malware operation has undergone extensive development lately.

Recent activity

Since the beginning of 2022, Avast has detected and stopped 93,000 ViperSoftX infection attempts against its customers, mainly impacting the United States, Italy, Brazil, and India.

2022 victim heatmap
ViberSoftX victim heat map for 2022
Source: Avast

The main distribution channel for ViperSoftX is torrent files containing laced game cracks and software product activators.

By analyzing the wallet addresses that are hardcoded in samples of ViperSoftX and VenomSoftX, Avast found that the two had collectively earned their operators about $130,000 by November 8th, 2022.

This stolen cryptocurrency was obtained by diverting cryptocurrency transactions attempted on compromised devices and does not include profits from parallel activities.

The downloaded executable is a malware loader that decrypts AES data to create the following five files:

  • Log file hiding a ViperSoftX PowerShell payload
  • XML file for the task scheduler
  • VBS file for establishing persistence by creating a scheduled task
  • Application binary (promised game or software)
  • Manifest file

The single malicious code line hides somewhere towards the bottom of the 5MB log text file and runs to decrypt the payload, ViperSoftX stealer.

Newer ViperSoftX variants don’t differ much from what has been analyzed in previous years, including cryptocurrency wallet data stealing, arbitrary command execution, payload downloads from the C2, etc.

A key feature of newer ViperSoftX variants is the installation of a malicious browser extension named VenomSoftX on Chrome-based browsers (Chrome, Brave, Edge, Opera).

Infecting Chrome

To stay hidden from the victims, the installed extension masquerades as “Google Sheets 2.1”, supposedly a Google productivity app. In May, security researcher Colin Cowie also spotted the extension installed as ‘Update Manager.’

Malicious extension showing up as Google Sheets
Malicious extension showing up as Google Sheets
Source: Avast

While VenomSoftX appears to overlap ViperSoftX activity since they both target a victim’s cryptocurrency assets, it performs the theft differently, giving the operators higher chances of success.

“VenomSoftX mainly does this (steals crypto) by hooking API requests on a few very popular crypto exchanges victims visits/have an account with,” explains Avast in the report.

“When a certain API is called, for example, to send money, VenomSoftX tampers with the request before it is sent to redirect the money to the attacker instead.”

The services targeted by VenomSoftX are Blockchain.com, Binance, Coinbase, Gate.io, and Kucoin, while the extension also monitors the clipboard for the addition of wallet addresses.

Examples of the hijacked cryptocurrency
Examples of the hijacked cryptocurrency
Source: Avast

Moreover, the extension can modify HTML on websites to display a user’s cryptocurrency wallet address while manipulating the elements in the background to redirect payments to the threat actor.

To determine the victim’s assets, the VenomSoftX extension also intercepts all API requests to the cryptocurency services mentioned above. It then sets the transaction amount to the maximum available, siphoning all available funds.

To make matters worse, for Blockchain.info, the extension will also attempt to steal passwords entered on the site.

“This module focuses on www.blockchain.com and it tries to hook https://blockchain.info/wallet. It also modifies the getter of the password field to steal entered passwords,” explains Avast.

“Once the request to the API endpoint is sent, the wallet address is extracted from the request, bundled with the password, and sent to the collector as a base64-encoded JSON via MQTT.”

Finally, if a user pastes content into any website, the extension will check if it matches any of the regular expressions shown above, and if so, send the pasted content to the threat actors.

As Google Sheets is normally installed in Google Chrome as an app under chrome://apps/and not an extension, you can check your browser’s extension page to determine if Google Sheets is installed.

If it is installed as an extension, you should remove it and clear your browser data to ensure the malicious extension is removed.

Source link

Related post

Bitcoin Price and Ethereum Down 5% amid China Lockdown

Bitcoin Price and Ethereum Down 5% amid China Lockdown

The leading cryptocurrency, Bitcoin, failed to break a descending triangle pattern and fell over 3% to $16,160 amid an increased level of…
Europe will rely on carbon sinks to boost climate ambition – EURACTIV.com

Europe will rely on carbon sinks to boost climate…

The EU will increase its 2030 greenhouse gas reduction target thanks to a new law aimed at boosting the amount of…
CAPITAL IDEAS: What the FTX collapse and municipal bond funds had in common

CAPITAL IDEAS: What the FTX collapse and municipal bond…

I own Berkshire Money Management, and recently investors have called us because their financial advisors appear to have messed up this…

Leave a Reply

Your email address will not be published.