Google Chrome extension steals cryptocurrency passwords

0
37

Users’ privacy has always been threatened whether it is online or anywhere else. From the scandal of major organizations selling users’ data on the dark web to stealing of user passwords, it is hard to control these malicious activities. In the latest development, a VenomSoftX Chrome extension steals cryptocurrency passwords. Although, there have been claims that cryptocurrency wallets are the safest and less prone to hacks. This has raised concern amongst the companies now.

ViperSoftX Windows Malware

This extension is installed by the ViperSoftX Windows malware, which is a cryptocurrency hijacker. According to Avast and Fortinet, VenomSoftX has been available since 2020 and has undergone many developments. So far, Avast has stopped 93,000 ViperSoftX infection attempts which have mainly impacted the United States, Italy, Brazil, and India. ViperSoftX usually distributes torrent files related to laced game cracks and software product activators.

According to the reports of November 8th, 2022, ViperSoftX and VenomSoftX have collected $130,000 by analyzing the wallet addresses. Obtained by diverting cryptocurrency transactions attempted on compromised devices, this information does not include profits from parallel activities.

Decrypting Advanced Encryption Standard

It decrypts Advanced Encryption Standard (AES) to create the following five files:

  • Log file hiding a ViperSoftX PowerShell payload
  • XML file for the task scheduler
  • VBS file for establishing persistence by creating a scheduled task
  • Application binary (promised game or software)
  • Manifest file

The single malicious code line hides somewhere towards the bottom of the 5MB log text file and runs to decrypt the payload, ViperSoftX stealer. The variants of ViperSoftX hardly differ.

In the new feature, install the malicious browser extension named VenomSoftX on Chrome browsers, including Edge, Brave, and Opera. Interestingly, it hides as Google Sheets 2.1 or Update Manager. Both VenomSoftX and ViperSoftX attacked in different ways that is how they get successful. They have so far attacked services like Blockchain.com, Binance, Coinbase, Gate.io, and Kucoin. The extension monitors the wallet addresses being added. 

Avast shared in its report, “VenomSoftX mainly does this (steals crypto) by hooking API requests on a few very popular crypto exchanges victims’ visits/have an account with. When calling a specific API, such as for money transfer, VenomSoftX interferes with the request before sending it, redirecting the money to the attacker instead.”

The extension modifies the HTML on the website which displays the cryptocurrency wallet address. It also intercepts API requests and draws off the fund to the maximum limit. It will steal passwords for Blockchain.info.

Avast added, “This module focuses on www.blockchain.com and it tries to hook https://blockchain.info/wallet. It also modifies the getter of the password field to steal entered passwords. After sending the request to the API endpoint, extract the wallet address from the request, bundle it with the password, and send it to the collector as a base64-encoded JSON via MQTT.”

If you find this extension installed, remove and clear the browser data to protect the data.

Also Read iPhone 15-From USB-C to Titanium Body

LEAVE A REPLY

Please enter your comment!
Please enter your name here