Malicious Chrome Extension Steals Passwords and Cryptocurrency

A Windows malware strain designed to steal cryptocurrency and clipboard contents is installing a malicious browser extension called VenomSoftX on users’ machines. This extension acts as a Remote Access Trojan (RAT), stealing victims’ data and cryptocurrency.

Cybersecurity experts have known about the ViperSoftX malware since 2020, with previous reports from Cerberus and Fortinet. Recently, Avast researchers have taken a closer look at the malware and found that it has evolved significantly over time.

According to Avast, since the beginning of 2022, they have detected and blocked 93,000 ViperSoftX attack attempts targeting their customers, mainly affecting users in the United States, Italy, Brazil, and India. The primary distribution channel for this malware is torrent files containing cracked games and software activators.

By analyzing the wallet addresses hardcoded into ViperSoftX and VenomSoftX samples, experts discovered that as of November 8, 2022, the attackers had “earned” about $130,000. This stolen cryptocurrency was obtained solely by redirecting crypto transactions on compromised devices, not including profits from other hacker activities.

How ViperSoftX and VenomSoftX Work

The new variants of ViperSoftX are similar to earlier versions, capable of stealing cryptocurrency wallet data, executing arbitrary commands, and downloading payloads from a command-and-control server. The main difference is that the latest versions also install the additional malicious extension VenomSoftX in victims’ browsers (Chrome, Brave, Edge, Opera).

To avoid detection, the extension disguises itself as “Google Sheets 2.1,” supposedly created by Google, or as an “Update Manager.”

While VenomSoftX duplicates much of ViperSoftX’s functionality (both target victims’ crypto assets), it uses different methods to steal, increasing the attackers’ chances of success. According to experts, “VenomSoftX mainly steals cryptocurrency by intercepting API requests to several very popular crypto exchanges that victims visit or have accounts on.”

VenomSoftX specifically targets Blockchain.com, Binance, Coinbase, Gate.io, and Kucoin. It also monitors the user’s clipboard and replaces any copied cryptocurrency wallet addresses with the attackers’ own addresses.

Advanced Theft Techniques

The extension can modify HTML code on websites to detect the user’s crypto wallet address, manipulate elements in the background, and redirect payments to the attackers. To determine the victim’s assets, VenomSoftX intercepts all API requests to the mentioned crypto services and sets the maximum available transaction amount, stealing all accessible funds.

Additionally, in the case of Blockchain.info, the extension attempts to steal the password entered on the site. Avast explains, “The module focuses on www.blockchain.com and tries to intercept https://blockchain.info/wallet. It also modifies the password input field’s getter to steal entered passwords. After an API endpoint request is sent, the wallet address is extracted from the request, linked to the password, and sent to the attacker as a base64-encoded JSON via MQTT.”

How to Detect and Remove the Malicious Extension

Researchers note that these fake Google Sheets extensions are easy to spot: the genuine Google Sheets is installed in Chrome as an app (listed at chrome://apps/), not as an extension, so you can verify it on that page. If you find such an extension in your browser, remove it immediately, clear your data, and consider changing your passwords.
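The manual check above can be complemented by an offline scan of the browser profile on disk. The following script is an added example written for this article, not Avast’s detection logic and not code from the malware authors: it reads every unpacked extension manifest under a Chromium-family profile and flags the traits the article describes (a name impersonating “Google Sheets” or an “Update Manager”, clipboard permissions, and host permissions that cover the targeted exchanges or every site). The default profile paths, the heuristic weights and the two sample manifests are assumptions; the exchange domain names are the canonical domains for the services the article names.

```python
"""Offline scan of Chromium-family extension manifests for VenomSoftX-like traits.

Assumed heuristics (not Avast's rules): a name impersonating Google Sheets or an
updater, clipboard access, and host access to the exchanges named in the article.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

IMPERSONATED_NAMES = ("google sheets", "update manager")          # from the article
TARGET_HOSTS = ("blockchain.com", "blockchain.info", "binance.com",  # canonical domains
                "coinbase.com", "gate.io", "kucoin.com")
CLIPBOARD_PERMS = {"clipboardRead", "clipboardWrite"}


def default_extension_dirs():
    """Assumed default 'Extensions' roots for Chrome, Brave and Edge on each OS."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        rels = ["Google/Chrome/User Data", "BraveSoftware/Brave-Browser/User Data",
                "Microsoft/Edge/User Data"]
    elif sys.platform == "darwin":
        base = home / "Library" / "Application Support"
        rels = ["Google/Chrome", "BraveSoftware/Brave-Browser", "Microsoft Edge"]
    else:
        base = home / ".config"
        rels = ["google-chrome", "BraveSoftware/Brave-Browser", "microsoft-edge"]
    return [p for p in (base / r / "Default" / "Extensions" for r in rels) if p.is_dir()]


def iter_manifests(ext_root):
    """Yield (extension_id, version, manifest) for <root>/<id>/<version>/manifest.json."""
    for manifest_path in Path(ext_root).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        yield manifest_path.parent.parent.name, manifest_path.parent.name, manifest


def assess(manifest):
    """Return [(tag, detail)] for each suspicious trait in one manifest.

    Localized names ('__MSG_...__') are not resolved here; that is a known gap.
    """
    reasons = []
    name = str(manifest.get("name", "")).lower()
    if any(n in name for n in IMPERSONATED_NAMES):
        reasons.append(("impersonation", f"name mimics a Google app or updater: {manifest.get('name')!r}"))
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    if perms & CLIPBOARD_PERMS:
        reasons.append(("clipboard", "requests " + ", ".join(sorted(perms & CLIPBOARD_PERMS))))
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = sorted(perms) + [h for h in manifest.get("host_permissions", []) if isinstance(h, str)]
    if any(h == "<all_urls>" or h.endswith("://*/*") for h in hosts):
        reasons.append(("broad-hosts", "can read and modify every site"))
    hit = [h for h in hosts if any(t in h for t in TARGET_HOSTS)]
    if hit:
        reasons.append(("exchange-hosts", "targets " + ", ".join(hit)))
    return reasons


def scan(ext_root):
    """Flag extensions whose name impersonates, or that combine two other traits."""
    findings = []
    for ext_id, version, manifest in iter_manifests(ext_root):
        reasons = assess(manifest)
        tags = {t for t, _ in reasons}
        if "impersonation" in tags or len(tags) >= 2:
            findings.append({"id": ext_id, "version": version,
                             "name": manifest.get("name"), "reasons": reasons})
    return findings


def write_sample_profile(root):
    """Write two CONSTRUCTED manifests: a fake 'Google Sheets 2.1' and a benign one."""
    samples = {
        "a" * 32 + "/2.1_0": {"manifest_version": 3, "name": "Google Sheets 2.1",
                              "version": "2.1",
                              "permissions": ["clipboardRead", "clipboardWrite", "storage"],
                              "host_permissions": ["<all_urls>"]},
        "b" * 32 + "/1.0_0": {"manifest_version": 3, "name": "Plain Notes",
                              "version": "1.0", "permissions": ["storage"]},
    }
    for rel, manifest in samples.items():
        d = Path(root) / rel
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return Path(root)


if __name__ == "__main__":
    roots = [Path(p) for p in sys.argv[1:]] or default_extension_dirs()
    if not roots:  # no profile found: demonstrate on the constructed sample
        roots = [write_sample_profile(tempfile.mkdtemp())]
        print("no browser profile found; scanning a constructed sample profile")
    for root in roots:
        for f in scan(root):
            print(f"{root}: {f['id']} v{f['version']} ({f['name']})")
            for tag, detail in f["reasons"]:
                print(f"    [{tag}] {detail}")
```

Run it with one or more `Extensions` directories as arguments, or with none to let it try the assumed default profile paths. A hit on the name alone is reported because the article’s own indicator is the impersonated name; clipboard or host permissions by themselves are common in legitimate extensions, so they only count in combination.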
