Jump to content
  • Google Chrome extension used to steal cryptocurrency, passwords

    alf9872000

    • 275 views
    • 4 minutes
     Share


    • 275 views
    • 4 minutes

    An information-stealing Google Chrome browser extension named 'VenomSoftX'  is being deployed by Windows malware to steal cryptocurrency and clipboard contents as users browse the web.

     

    This Chrome extension is being installed by the ViperSoftX Windows malware, which acts as a JavaScript-based RAT (remote access trojan) and cryptocurrency hijacker.

     

    ViperSoftX has been around since 2020, previously disclosed by security researchers Cerberus and  Colin Cowie, and in a report by Fortinet.

     

    However, in a new report today by Avast, researchers provide more details regarding the malicious browser extension and how the malware operation has undergone extensive development lately.

    Recent activity

    Since the beginning of 2022, Avast has detected and stopped 93,000 ViperSoftX infection attempts against its customers, mainly impacting the United States, Italy, Brazil, and India.

     

    heatmap(7).png

    ViberSoftX victim heat map for 2022 - Source: Avast

     

    The main distribution channel for ViperSoftX is torrent files containing laced game cracks and software product activators.

     

    By analyzing the wallet addresses that are hardcoded in samples of ViperSoftX and VenomSoftX, Avast found that the two had collectively earned their operators about $130,000 by November 8th, 2022.

     

    This stolen cryptocurrency was obtained by diverting cryptocurrency transactions attempted on compromised devices and does not include profits from parallel activities.

     

    The downloaded executable is a malware loader that decrypts AES data to create the following five files:

    • Log file hiding a ViperSoftX PowerShell payload
    • XML file for the task scheduler
    • VBS file for establishing persistence by creating a scheduled task
    • Application binary (promised game or software)
    • Manifest file

     

    The single malicious code line hides somewhere towards the bottom of the 5MB log text file and runs to decrypt the payload, ViperSoftX stealer.

     

    Newer ViperSoftX variants don't differ much from what has been analyzed in previous years, including cryptocurrency wallet data stealing, arbitrary command execution, payload downloads from the C2, etc.

     

    A key feature of newer ViperSoftX variants is the installation of a malicious browser extension named VenomSoftX on Chrome-based browsers (Chrome, Brave, Edge, Opera).

    Infecting Chrome

    To stay hidden from the victims, the installed extension masquerades as "Google Sheets 2.1", supposedly a Google productivity app. In May, security researcher Colin Cowie also spotted the extension installed as 'Update Manager.'

     

    google-sheets.png

    Malicious extension showing up as Google Sheets - Source: Avast

     

    While VenomSoftX appears to overlap ViperSoftX activity since they both target a victim's cryptocurrency assets, it performs the theft differently, giving the operators higher chances of success.

     

    "VenomSoftX mainly does this (steals crypto) by hooking API requests on a few very popular crypto exchanges victims visits/have an account with," explains Avast in the report.

     

    "When a certain API is called, for example, to send money, VenomSoftX tampers with the request before it is sent to redirect the money to the attacker instead."

     

    The services targeted by VenomSoftX are Blockchain.com, Binance, Coinbase, Gate.io, and Kucoin, while the extension also monitors the clipboard for the addition of wallet addresses.

     

    venom-hijack.jpg

    Examples of the hijacked cryptocurrency - Source: Avast

     

    Moreover, the extension can modify HTML on websites to display a user's cryptocurrency wallet address while manipulating the elements in the background to redirect payments to the threat actor.

     

    To determine the victim's assets, the VenomSoftX extension also intercepts all API requests to the cryptocurency services mentioned above. It then sets the transaction amount to the maximum available, siphoning all available funds.

     

    To make matters worse, for Blockchain.info, the extension will also attempt to steal passwords entered on the site.

     

    "This module focuses on www.blockchain.com and it tries to hook https://blockchain.info/wallet. It also modifies the getter of the password field to steal entered passwords," explains Avast.

     

    "Once the request to the API endpoint is sent, the wallet address is extracted from the request, bundled with the password, and sent to the collector as a base64-encoded JSON via MQTT."

     

    Finally, if a user pastes content into any website, the extension will check if it matches any of the regular expressions shown above, and if so, send the pasted content to the threat actors.

     

    As Google Sheets is normally installed in Google Chrome as an app under chrome://apps/and not an extension, you can check your browser's extension page to determine if Google Sheets is installed.

     

    If it is installed as an extension, you should remove it and clear your browser data to ensure the malicious extension is removed.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...