A lesser-known malware named ViperSoftX, which has been around since 2020 has undergone extensive development throughout 2022 to improve its information-stealing and evasion capabilities. Among these capabilities of the malware, one involves dropping a malicious Google Chrome extension on infected systems to steal cryptocurrency. 

Campaign overview

Researchers revealed that newer versions of ViperSoftX are capable of loading a custom malicious browser extension to Chromium-based browsers installed on infected systems.  
  • The extension is basically another information stealer called VenomSoftX that disguises itself as various popular browser extensions, such as Google Sheets, to avoid user detection. 
  • The malware focuses on five cryptocurrency exchanges/websites such as Blockchain.com, Binance, Coinbase, Gate.io, and Kucoin. 
  • To steal crypto assets, VenomSoftX tries to tamper with API requests that sites use for several actions such as money withdrawal or sending security codes. 

Malicious browser extensions posing risks

Attacks via malicious browser extensions remain a major security concern, which is evident from a report by Kaspersky. It highlighted that around 7 million users have been targeted, since 2020, when installing malicious browser extensions. 
  • Around 70% of those extensions were used to hide adware and pretended to be productivity tools such as doc and pdf files.  
  • The remaining extensions were disguised to deploy riskware and other potentially unwanted malware.

What else?

A new way to steal and monetize data via malicious browser extensions was observed in another recent malvertising campaign.
  • The campaign, named Dormant Colors, leveraged 30 different extensions for Chrome and Edge. 
  • These extensions offered color customization options on web pages and could perform several nefarious actions such as browsing history hijacking, affiliation hijacking, malicious advertisement insertion within visited pages, and side-loading malicious scripts.

Conclusion

VenomSoftX is an info-stealing malware that silently gains full access to every page victims visit and carries out man-in-the-middle attacks to drain their accounts. Therefore, users must verify the extensions before installing them. Furthermore, as ViperSoftX is mostly distributed via cracked software for Adobe Illustrator, Microsoft Office, and Corel Video Studio, users must avoid downloading such software to stay safe.
Cyware Publisher

Publisher

Cyware