A new malware campaign has been found to use the Satacom downloader as a conduit to deploy stealthy malware capable of siphoning cryptocurrency through a rogue extension for Chromium-based browsers.
"The main purpose of the malware that is dropped by the Satacom downloader is to steal BTC from the victim's account by performing web injections into targeted cryptocurrency websites," Kaspersky researchers Haim Zigel and Oleg Kupreev said.
Targets of the campaign include Coinbase, Bybit, KuCoin, Huobi, and Binance users primarily located in Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt, and Mexico.
Satacom downloader, also known as Legion Loader, first emerged in 2019 as a dropper for next-stage payloads, including information stealers and cryptocurrency miners.
Infection chains involving the malware begin when users searching for cracked software are redirected to bogus websites that host ZIP archive files containing the malware.
"Various types of websites are used to spread the malware," the researchers explained. "Some of them are malicious websites with a hardcoded download link, while others have the 'Download' button injected through a legitimate ad plugin."
Present within the archive file is an executable called "Setup.exe" that is about 5 MB in size but inflated to roughly 450 MB with null bytes in an attempt to evade analysis and detection.
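The null-byte inflation described above defeats size limits on sandboxes and scanners, but it also leaves a simple fingerprint: a very long run of 0x00 at the end of the file. The following triage script is an added example, not Kaspersky's tooling or any sample from the campaign; it measures that trailing run, flags files above thresholds that are assumptions chosen here (a 1 MiB run covering at least half the file), and hashes the file with the padding stripped so that variants padded to different sizes cluster under one value. The sample it analyses by default is constructed in the script, not a real dropper.

```python
"""Triage heuristic for executables inflated with trailing null bytes.

Added example, not Kaspersky's tooling: it measures the run of 0x00 bytes
at the end of a file, the padding trick the article describes for the
~5 MB "Setup.exe" that was grown to ~450 MB.
"""
import hashlib
import sys
from dataclasses import dataclass


@dataclass
class PaddingReport:
    total_size: int
    trailing_nulls: int
    ratio: float          # share of the file that is trailing padding
    suspicious: bool


def analyze_padding(data: bytes, min_ratio: float = 0.5,
                    min_nulls: int = 1024 * 1024) -> PaddingReport:
    """Report the trailing 0x00 run in `data`.

    A file is flagged when the run is at least `min_nulls` bytes long and
    makes up at least `min_ratio` of the file. Both thresholds are
    assumptions chosen for this example; tune them to your own baseline.
    """
    trailing = len(data) - len(data.rstrip(b"\x00"))
    ratio = trailing / len(data) if data else 0.0
    return PaddingReport(len(data), trailing, ratio,
                         trailing >= min_nulls and ratio >= min_ratio)


def analyze_file(path: str, **thresholds) -> PaddingReport:
    with open(path, "rb") as fh:
        return analyze_padding(fh.read(), **thresholds)


def core_sha256(data: bytes) -> str:
    """SHA-256 of the file with the trailing null run removed.

    Variants padded to different sizes share this hash even though their
    full-file hashes differ, which helps cluster samples of one dropper.
    """
    return hashlib.sha256(data.rstrip(b"\x00")).hexdigest()


def build_sample(core_size: int = 4096, padding: int = 64 * 1024) -> bytes:
    """Constructed stand-in for an inflated dropper (not a real binary):
    an 'MZ' signature, deterministic non-null filler, then a null tail."""
    filler = bytes((i * 7 + 3) & 0xFF for i in range(core_size - 2))
    return b"MZ" + filler + b"\x00" * padding


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = analyze_file(sys.argv[1])
    else:
        # Demo on the constructed sample, with a threshold scaled to its size
        report = analyze_padding(build_sample(), min_nulls=16 * 1024)
    print(report)
```

Run it as `python padcheck.py Setup.exe` against a suspect download; the stripped-core hash is what to pivot on when hunting for other builds of the same dropper, since the full-file hash changes with every padding length.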
Launching the binary initiates the malware routine, culminating in the execution of the Satacom downloader, which in turn uses DNS requests as a command-and-control (C2) technique to fetch the URL that hosts the actual malware.
The campaign documented by Kaspersky leads to a PowerShell script that downloads the browser add-on from a remote third-party server. It also searches for browser shortcut (.LNK) files on the compromised host and modifies the "Target" parameter with the "--load-extension" flag so that the browser launches with the downloaded extension.
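Because the persistence here lives in shortcut files rather than in the browser's own extension registry, a defender can find it by reading the .LNK files directly. The script below is an added example (not Kaspersky's or any vendor's code): it parses the Shell Link header and StringData section far enough to read the COMMAND_LINE_ARGUMENTS field, which is what the shortcut's "Target" box appends after the executable path, and reports any directories passed to `--load-extension`. The `build_lnk` helper constructs a minimal shortcut for the demo; the extension path in it is made up, and the `audit_directory` entry point is this example's own name, not a Windows or Chromium API.

```python
"""Audit Windows shortcut (.LNK) files for a --load-extension argument.

Added example, not Kaspersky's or any vendor's code. It parses the Shell
Link header and StringData section (MS-SHLLINK) far enough to read the
COMMAND_LINE_ARGUMENTS field and reports any extension directories the
browser is being told to side-load.
"""
import re
import struct
import sys
from pathlib import Path

# LinkFlags bits from the MS-SHLLINK specification
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046}, the ShellLink CLSID
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

STRING_FIELDS = (            # StringData fields, in the order they appear
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

LOAD_EXT_RE = re.compile(r'--load-extension(?:=|\s+)("[^"]*"|\S+)', re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .LNK file as a dict."""
    if (len(data) < HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.LNK) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip the IDList (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # skip LinkInfo (size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    is_unicode = bool(flags & IS_UNICODE)
    width, encoding = (2, "utf-16-le") if is_unicode else (1, "cp1252")
    fields = {}
    for flag, name in STRING_FIELDS:         # each: CountCharacters + chars, no terminator
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            fields[name] = data[pos:pos + count * width].decode(encoding)
            pos += count * width
    return fields


def injected_extensions(arguments: str) -> list:
    """Directories named by --load-extension (Chromium accepts a comma-separated list)."""
    found = []
    for m in LOAD_EXT_RE.finditer(arguments):
        found.extend(p for p in m.group(1).strip('"').split(",") if p)
    return found


def audit_shortcut(data: bytes) -> list:
    return injected_extensions(parse_lnk(data).get("arguments", ""))


def audit_directory(root) -> dict:
    """Map every .LNK under `root` that side-loads an extension to its paths."""
    findings = {}
    for path in Path(root).rglob("*.lnk"):
        try:
            hits = audit_shortcut(path.read_bytes())
        except (ValueError, struct.error, UnicodeDecodeError):
            continue
        if hits:
            findings[str(path)] = hits
    return findings


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal Unicode shortcut (header + two StringData fields)
    used as demo input; a real shortcut also carries an IDList and more."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))

    def field(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + field(relative_path) + field(arguments)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit_directory(sys.argv[1]))
    else:
        # Demo on a constructed shortcut; the extension path is made up
        sample = build_lnk("..\\chrome.exe",
                           '--load-extension="C:\\Users\\user\\AppData\\Local\\Temp\\gdrive" --no-first-run')
        print(audit_shortcut(sample))
```

Point it at the Desktop, Start Menu and taskbar pin folders of each profile (`python lnkaudit.py C:\Users`); on a clean workstation no browser shortcut should carry `--load-extension` at all, so any hit is worth treating as a finding regardless of where the directory points.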
What's more, the add-on masquerades as a Google Drive extension and employs web injections sent by the C2 server when the victim is visiting one of the targeted cryptocurrency websites to manipulate the page content and steal crypto.
The C2 address is hidden within the script and addr fields of the latest bitcoin transaction associated with an actor-controlled wallet address, using the same technique as the Glupteba botnet malware to get around domain blockades or takedowns.
"The extension performs various actions on the account in order to remotely control it using the web inject scripts, and eventually the extension tries to withdraw the BTC currency to the threat actors' wallet," the researchers said.
In a further attempt to conceal its activity, the malicious extension contains scripts that hide the email confirmation of the fraudulent transaction across Gmail, Hotmail and Yahoo! services via an HTML code injection.
A consequence of this injection is that the victim is unaware that an illicit transfer to the threat actors' wallet was made. Another notable aspect of the add-on is its ability to extract system metadata, cookies, browser history, and screenshots of opened tabs, and even to receive commands from the C2 server.
"The extension can update its functionality due to the technique used to retrieve the C2 server via the last transaction of a specific BTC wallet, which can be modified at any time by making another transaction to this wallet," the researchers said.
"This allows the threat actors to change the domain URL to a different one in case it's banned or blocked by antivirus vendors."
The development comes as several booby-trapped extensions posing as legitimate utilities have been unearthed on the Chrome Web Store with capabilities to spread adware and hijack search results to display sponsored links, paid search results, and potentially malicious links.