McAfee Advanced Threat Research has flagged an active browser extension campaign that is designed to steal cryptocurrency by stealthily replacing wallet addresses when unsuspecting users initiate a transaction.
The cryptocurrency clipper activity has been called Silent Swap due to how the installers deploy a malicious Chromium extension masquerading as a benign 'Google Notes' utility, the cybersecurity company said in a technical report.
The unsigned .NET installer, named BaseZipInstaller, is designed to retrieve a ZIP archive, which serves as the foundation for the malicious browser extension, and to scan the system for Chromium-based browsers. For each detected profile in those browsers, it forcibly terminates the browser process and injects the extension by modifying the Secure Preferences and Preferences files.
The end goal of the extension is to act as a clipper that's capable of intercepting and manipulating wallet addresses copied to the system clipboard in order to reroute the funds to an attacker-controlled wallet.
To realize its goals, the bogus Google Notes extension asks users to grant it permissions to access the clipboard, all URLs, and the browsing history.
The second strategy used by the attacker revolves around the covert installation of a browser extension on Chromium-based browsers like Google Chrome, Firefox, Microsoft Edge, Brave, and Vivaldi. The app was said to have clipboard stealers.
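A defender-side check for the injection technique described above, as an added example that is not taken from the McAfee report: it reads a Chromium profile's Preferences or Secure Preferences JSON and flags extensions that hold clipboard permissions but were not installed from the web store. The key names (`extensions.settings`, `from_webstore`, `manifest`, `active_permissions`) are assumed from Chromium's profile layout and can differ between versions; the sample profile data is constructed.

```python
import json
import sys

# Permissions the article says the fake "Google Notes" extension requests.
CLIPBOARD = {"clipboardRead", "clipboardWrite"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_preferences(prefs):
    """Flag extensions with clipboard access that did not come from the web
    store. Key names are assumed from Chromium's profile JSON layout."""
    findings = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = entry.get("manifest", {})
        active = entry.get("active_permissions", {})
        declared = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        granted = active.get("api", []) + active.get("explicit_host", [])
        # Some permission entries are objects, not strings; ignore those.
        perms = {p for p in declared + granted if isinstance(p, str)}
        if not perms & CLIPBOARD or entry.get("from_webstore", False):
            continue
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "path": entry.get("path", "?"),  # sideloaded entries point outside the profile
            "clipboard": sorted(perms & CLIPBOARD),
            "history": "history" in perms,
            "all_urls": bool(perms & BROAD_HOSTS),
        })
    return findings

# Constructed sample standing in for a parsed Secure Preferences file.
SAMPLE = {"extensions": {"settings": {
    "a" * 32: {"from_webstore": True, "path": "a" * 32 + "/1.0_0",
               "manifest": {"name": "Store clipboard helper",
                            "permissions": ["clipboardWrite"]}},
    "b" * 32: {"from_webstore": False, "path": "C:/Users/user/AppData/Local/Temp/notes",
               "manifest": {"name": "Google Notes",
                            "permissions": ["clipboardRead", "clipboardWrite", "history"],
                            "host_permissions": ["<all_urls>"]}},
    "c" * 32: {"from_webstore": False, "path": "D:/dev/theme",
               "active_permissions": {"api": ["storage"], "explicit_host": []}},
}}}

if __name__ == "__main__":
    # Pass the path to a profile's Preferences file, or run with no argument for the sample.
    data = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE
    for finding in audit_preferences(data):
        print(json.dumps(finding))
```

A hit is a lead for review rather than a verdict, since developer-loaded and enterprise-deployed extensions also appear as not from the web store.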
This disclosure comes as Socket reported on a pair of malicious Chrome and Mozilla Firefox browser extensions, both said to be listed under the name "VPN Go: Free VPN" on the Chrome Web Store and Firefox Add-ons marketplace as of writing. Both extensions present themselves as free VPN tools with a visible proxy service, but Socket researchers Kirill Boychenko and Kush Pandya said that, under the hood, they both contain malicious clipboard theft logic that continuously monitors copied text and exfiltrates it for the threat actor's use.
Telemetry data suggests that infections are globally distributed, with a higher concentration of victims reported in India. Other countries impacted by the campaign include the U.S., Brazil, Indonesia, and Spain.