An information-stealing Google Chrome browser extension named ‘VenomSoftX’ is being deployed by Windows malware to steal cryptocurrency and clipboard contents as users browse the web.
ViperSoftX has been around since 2020, previously disclosed by security researchers Cerberus and Colin Cowie, and in a report by Fortinet.
However, in a new report today by Avast, researchers provide more details regarding the malicious browser extension and how the malware operation has undergone extensive development lately.
Since the beginning of 2022, Avast has detected and stopped 93,000 ViperSoftX infection attempts against its customers, mainly impacting the United States, Italy, Brazil, and India.
ViberSoftX victim heat map for 2022
The main distribution channel for ViperSoftX is torrent files containing laced game cracks and software product activators.
By analyzing the wallet addresses that are hardcoded in samples of ViperSoftX and VenomSoftX, Avast found that the two had collectively earned their operators about $130,000 by November 8th, 2022.
This stolen cryptocurrency was obtained by diverting cryptocurrency transactions attempted on compromised devices and does not include profits from parallel activities.
The downloaded executable is a malware loader that decrypts AES data to create the following five files:
- Log file hiding a ViperSoftX PowerShell payload
- XML file for the task scheduler
- VBS file for establishing persistence by creating a scheduled task
- Application binary (promised game or software)
- Manifest file
The single malicious code line hides somewhere towards the bottom of the 5MB log text file and runs to decrypt the payload, ViperSoftX stealer.
Newer ViperSoftX variants don’t differ much from what has been analyzed in previous years, including cryptocurrency wallet data stealing, arbitrary command execution, payload downloads from the C2, etc.
A key feature of newer ViperSoftX variants is the installation of a malicious browser extension named VenomSoftX on Chrome-based browsers (Chrome, Brave, Edge, Opera).
To stay hidden from the victims, the installed extension masquerades as “Google Sheets 2.1”, supposedly a Google productivity app. In May, security researcher Colin Cowie also spotted the extension installed as ‘Update Manager.’
Malicious extension showing up as Google Sheets
While VenomSoftX appears to overlap ViperSoftX activity since they both target a victim’s cryptocurrency assets, it performs the theft differently, giving the operators higher chances of success.
“VenomSoftX mainly does this (steals crypto) by hooking API requests on a few very popular crypto exchanges victims visits/have an account with,” explains Avast in the report.
“When a certain API is called, for example, to send money, VenomSoftX tampers with the request before it is sent to redirect the money to the attacker instead.”
The services targeted by VenomSoftX are Blockchain.com, Binance, Coinbase, Gate.io, and Kucoin, while the extension also monitors the clipboard for the addition of wallet addresses.
Examples of the hijacked cryptocurrency
Moreover, the extension can modify HTML on websites to display a user’s cryptocurrency wallet address while manipulating the elements in the background to redirect payments to the threat actor.
To determine the victim’s assets, the VenomSoftX extension also intercepts all API requests to the cryptocurency services mentioned above. It then sets the transaction amount to the maximum available, siphoning all available funds.
To make matters worse, for Blockchain.info, the extension will also attempt to steal passwords entered on the site.
“This module focuses on www.blockchain.com and it tries to hook https://blockchain.info/wallet. It also modifies the getter of the password field to steal entered passwords,” explains Avast.
“Once the request to the API endpoint is sent, the wallet address is extracted from the request, bundled with the password, and sent to the collector as a base64-encoded JSON via MQTT.”
Finally, if a user pastes content into any website, the extension will check if it matches any of the regular expressions shown above, and if so, send the pasted content to the threat actors.
As Google Sheets is normally installed in Google Chrome as an app under chrome://apps/and not an extension, you can check your browser’s extension page to determine if Google Sheets is installed.
If it is installed as an extension, you should remove it and clear your browser data to ensure the malicious extension is removed.