Avast uncovers Chrome extension used to steal passwords and crypto
Avast has unveiled how Windows malware uses the ‘VenomSoftX’ Google Chrome browser plugin to steal cryptocurrencies and clipboard data as victims browse the internet.
How the malware is installed
This Chrome extension is being deployed by the ViperSoftX Windows malware, which functions as a JavaScript-based RAT (remote access trojan) and cryptocurrency ‘parasite.’
The existence of ViperSoftX has been known since 2020, according to reports from Fortinet and Cerberus, as well as security analyst Colin Cowie.
However, researchers from Avast have released a new analysis with further information about the malicious browser extension and how it has recently undergone significant evolution.
How it conceals itself
A single malicious line of code hides near the bottom of a 5MB log text file; its job is to decipher the payload, the ViperSoftX stealer.
The capabilities of newer ViperSoftX variants, such as data theft from cryptocurrency wallets, arbitrary command execution, and payload downloads from the C2, are similar to what has been examined in prior years.
The deployment of the malicious VenomSoftX browser extension on Chrome-based web browsers (Chrome, Brave, Edge, Opera) is a distinguishing characteristic of more recent ViperSoftX variants.
Infecting the browser
The downloaded extension poses as ‘Google Sheets 2.1,’ a supposed Google workplace program, to avoid detection by the victims. Security expert Colin Cowie discovered the extension deployed as ‘Update Manager’ in May.
VenomSoftX overlaps with ViperSoftX in that both target a victim’s bitcoin holdings, but it accomplishes the heist differently, giving the perpetrators a higher probability of success.
Avast’s study states,
“VenomSoftX primarily does this (steals cryptocurrency) via hooking API requests on a few extremely major cryptocurrency exchanges victims visit or have an account with. VenomSoftX tampers with the transaction before it is delivered to reroute the money to the assailant instead when a specific API is called, for instance, to transfer funds.”
Blockchain.com, Binance, Coinbase, Gate.io, and Kucoin are among the platforms that VenomSoftX targets. The malware also keeps an eye on the clipboard for the inclusion of wallet addresses.
Hold on; it gets worse
The extension can alter HTML on websites to display a user’s cryptocurrency wallet address while simultaneously rerouting funds to the threat actor.
To ascertain the victim’s holdings, the VenomSoftX extension intercepts all API requests to the mentioned cryptocurrency services. The transaction amount is set to the highest possible, consuming all funds. Making matters worse, the Chrome extension attempts to steal any passcodes typed on Blockchain.info.
According to Avast, the malware attempts to hook https://blockchain.info/wallet while concentrating on www.blockchain.com. To steal submitted passcodes, it also alters the getter of the passcode field.
The wallet address is taken from the application after the API endpoint has received it, bundled with the password, and transmitted to the collector as base64-encoded JSON via MQTT.
Last but not least, whenever a user pastes information into any website, the extension will examine it to see if it matches any of the patterns given above. It will send the pasted content to the attackers if it does.
To ensure the harmful plugin is deleted if it has been installed as an extension, you should uninstall it and erase your browser’s cache and data.
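To locate candidates before uninstalling, the following added example (not Avast's tooling and not code from the original article) walks a directory of browser extensions and flags any whose display name matches the two names reported above, resolving localized `__MSG_...__` names from `_locales`. The scan root is an assumption supplied by the user, and a name match is a triage lead to inspect further, not a verdict.

```python
import json
import sys
from pathlib import Path

# Display names this article attributes to VenomSoftX (lowercased for matching).
SUSPECT_NAMES = {"google sheets 2.1", "update manager"}

def resolve_name(manifest: dict, ext_dir: Path) -> str:
    """Return the display name, resolving a __MSG_key__ placeholder if present."""
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    key = name[6:-2].lower()  # message keys are matched case-insensitively
    locale = manifest.get("default_locale", "en")
    msg_file = ext_dir / "_locales" / locale / "messages.json"
    try:
        messages = json.loads(msg_file.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return name  # unresolved placeholder; report it as-is
    for k, v in messages.items():
        if k.lower() == key and isinstance(v, dict):
            return str(v.get("message", name))
    return name

def scan_extensions(root: Path) -> list[dict]:
    """Walk root for manifest.json files and flag names in SUSPECT_NAMES."""
    hits = []
    for manifest_path in sorted(Path(root).rglob("manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or not valid JSON
        if not isinstance(manifest, dict):
            continue
        name = resolve_name(manifest, manifest_path.parent)
        version = str(manifest.get("version", ""))
        # Match either the bare name or "name version" ("Google Sheets" + "2.1").
        labels = {name.lower().strip(), f"{name} {version}".lower().strip()}
        if labels & SUSPECT_NAMES:
            hits.append({"path": str(manifest_path.parent), "name": name,
                         "version": version,
                         "permissions": manifest.get("permissions", [])})
    return hits

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for hit in scan_extensions(root):
        print(json.dumps(hit))
```

Pass the directory to scan as the first argument; each hit is printed as one JSON line with its path, version and requested permissions for review.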