
A recent Satacom campaign has delivered a browser extension that steals cryptocurrency

by Techno Fin
June 19, 2023

A malicious extension for the Chrome, Brave, and Opera browsers is used to steal cryptocurrency from victims as a part of a recent Satacom campaign discovered by Kaspersky. Nearly 30,000 users were at risk of being targeted during the last two months. The attackers have implemented a range of malicious actions to ensure that the extension remains undetected while the unsuspecting user browses the targeted cryptocurrency exchange websites, including Coinbase and Binance. In addition, the extension enables threat actors to conceal any transaction notifications sent to the victim by these websites to stealthily steal their cryptocurrency. A detailed report on this campaign is available on Securelist.

The recent campaign is linked to the Satacom downloader, a notorious malware family active since 2019 and mainly delivered via malvertising placed on third-party websites. The malicious links or ads redirect users to fake file-sharing services and other malicious pages offering to download an archive containing the Satacom Downloader. In the case of this recent campaign, it downloads the malicious browser extension.

The latest campaign installs a browser extension that steals cryptocurrency and conceals its activity

The campaign’s primary objective is to steal bitcoin (BTC) from victims’ accounts by performing web injections into targeted cryptocurrency websites. However, the malware can be easily modified to target other cryptocurrencies. The malware attempts to achieve its objective by installing an extension for Chromium-based browsers – such as Chrome, Brave and Opera – and targeting individual users holding cryptocurrency worldwide. Kaspersky telemetry data reveals that during April and May, nearly 30,000 individuals were at risk of being targeted by the campaign. In the last two months, the countries most affected by this threat were Brazil, Mexico, Algeria, Turkey, India, Vietnam, and Indonesia.

The malicious extension performs browser manipulations while the user is surfing targeted cryptocurrency exchange websites. The campaign targets Coinbase, Bybit, Kucoin, Huobi and Binance users. Besides stealing cryptocurrency, the extension carries out additional actions to conceal its primary activity. For instance, it hides email confirmations of transactions and modifies existing email threads from cryptocurrency websites to create fake threads that resemble the real ones.

In this campaign, the threat actors don’t need to find ways to sneak into official extension stores since they use the Satacom downloader for delivery. The initial infection begins with a ZIP archive file, which is downloaded from a website that seems to mimic software portals allowing the user to download desired (often cracked) software for free. Satacom usually downloads various binaries onto the victim’s machine. This time, Kaspersky researchers observed a PowerShell script that installs a malicious browser extension.

Then, a series of malicious actions allows the extension to run stealthily while the user is browsing the internet. As a result, the threat actors are able to transfer BTC from the victim’s wallet to their own wallet using web injections.

“Cybercriminals have enhanced the extension by adding the ability to control it through script changes. This means that they can easily start targeting other cryptocurrencies. Moreover, since the extension is browser-based, it can target Windows, Linux and macOS platforms. As a precaution, users are advised to regularly check their online accounts for any suspicious activity and use reliable security solutions to protect themselves from threats like these,” said Haim Zigel, malware analyst at Kaspersky.
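
Because the extension described above arrives outside the official stores and works by injecting into exchange pages, a useful defensive check is to list which installed extensions are able to run on those sites at all. The following Python is an added example, not code from Kaspersky's report or from the campaign; the exchange domains in `TARGETS` and the two sample manifests are assumptions constructed for illustration.

```python
import json, sys
from pathlib import Path

# Assumed primary domains of the exchanges the article names (not given on the page).
TARGETS = ["coinbase.com", "bybit.com", "kucoin.com", "huobi.com", "binance.com"]

def pattern_covers(pattern, domain):
    """True if a Chromium match pattern can match pages on `domain` or its subdomains."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False  # API permission such as "storage", not a host pattern
    host = pattern.split("://", 1)[1].split("/", 1)[0].lower()
    if host.startswith("*."):
        host = host[2:]
    return host == "*" or host == domain or host.endswith("." + domain)

def audit_manifest(manifest):
    """Return the sorted targeted domains this extension's manifest lets it touch."""
    pats = []
    for cs in manifest.get("content_scripts", []):
        pats += cs.get("matches", [])
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        pats += [p for p in manifest.get(key, []) if isinstance(p, str)]
    return sorted(d for d in TARGETS if any(pattern_covers(p, d) for p in pats))

def scan(root):
    """Audit every manifest.json under `root`, e.g. a browser profile's Extensions folder."""
    findings = {}
    for mf in Path(root).rglob("manifest.json"):
        try:
            manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        hits = audit_manifest(manifest) if isinstance(manifest, dict) else []
        if hits:
            findings[str(mf.parent)] = {"name": manifest.get("name"), "covers": hits}
    return findings

# Constructed sample manifests (not taken from the campaign).
SAMPLE_BROAD = {"name": "Sample broad", "manifest_version": 3,
                "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]}
SAMPLE_NARROW = {"name": "Sample narrow", "manifest_version": 3,
                 "permissions": ["storage"], "host_permissions": ["https://example.org/*"]}

if __name__ == "__main__":
    for path, info in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, info)
```

Many legitimate extensions also request broad host access, so the output is a review list rather than a verdict; an entry the user does not recognise or that did not come from the browser's store deserves a closer look.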
