Kaspersky: Malware downloader installs crypto-stealing browser extension

Kaspersky, a cybersecurity solutions provider, found that threat actors are using the Satacom downloader to install a malicious extension for the Chrome, Brave, and Opera browsers. The extension, which had evaded detection, is used to steal cryptocurrency from users.

Satacom is a malware family discovered in 2019.

Kaspersky explained that through the downloader, threat actors can easily deliver malware into the victim's browser and stealthily monitor their activity on cryptocurrency sites. Browser extensions add features and functions to a browser, which is what gives a malicious one this kind of access.


The infection begins with a ZIP archive downloaded from a website that mimics a software portal offering the desired (often cracked) software for free, Kaspersky explained; opening the archive is what starts the Satacom chain.

Stealing crypto while browsing

“Satacom usually downloads various binaries onto the victim’s machine,” the company said. “This time Kaspersky researchers observed a PowerShell script that performs the installation of a malicious browser extension.”

According to Kaspersky, nearly 30,000 users were at risk of being targeted during the last two months. The cybercriminals managed to evade detection and continue stealing cryptocurrency from users of Coinbase, Bybit, Kucoin, Huobi, and Binance.

“Cybercriminals have enhanced the extension by adding the ability to control it through script changes,” Haim Zigel, malware analyst at Kaspersky, said in a media release. “This means that they can easily start targeting other cryptocurrencies. Moreover, since the extension is browser-based, it can target Windows, Linux, and macOS platforms.”

While the user is browsing a cryptocurrency site, the extension manipulates what the browser displays: it hides email confirmations of transactions and modifies existing email threads from cryptocurrency websites to create fake threads that resemble the real ones, so the victim does not notice the withdrawal.
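One check a responder can run on a host suspected of this kind of sideloaded installation, added here as an example and not taken from Kaspersky's analysis or the Satacom sample: parse the Chromium profile's Preferences JSON, list every installed extension, and flag those that did not come from the Web Store but carry content scripts or host permissions for the exchange domains named above. The field names (extensions.settings, from_webstore, path, manifest) follow Chromium's Preferences layout; the exchange list is the article's; the JSON below is constructed sample data, not a real profile.

```python
"""Triage helper: flag sideloaded Chromium extensions that hook
cryptocurrency-exchange sites.

Added example, not Kaspersky's code and not part of the Satacom sample.
Assumes Chromium's 'Preferences' layout: installed extensions live under
extensions.settings.<id> with 'from_webstore', 'path' and an embedded
'manifest'.  TARGET_DOMAINS comes from the article; SAMPLE_PREFS is
constructed sample data.
"""
import json
from dataclasses import dataclass, field
from pathlib import Path

# Exchanges the article names as targets of the extension.
TARGET_DOMAINS = ("coinbase.com", "bybit.com", "kucoin.com", "huobi.com", "binance.com")
# Patterns that grant access to every site, and therefore to every target.
ALL_SITES = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


@dataclass
class ExtensionFinding:
    ext_id: str
    name: str
    from_webstore: bool
    path: str
    matched_domains: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A store extension can also be malicious, but the Satacom case is a
        # sideloaded one, so 'not from the store' plus exchange hooks is the signal.
        return (not self.from_webstore) and bool(self.matched_domains)


def _patterns_from_manifest(manifest: dict) -> list:
    """Collect every URL match pattern the extension can inject into or reach."""
    patterns = []
    # MV2 keeps host patterns in 'permissions'; MV3 moves them to 'host_permissions'.
    for key in ("permissions", "host_permissions"):
        patterns.extend(p for p in manifest.get(key, []) if "://" in p or p == "<all_urls>")
    for cs in manifest.get("content_scripts", []):
        patterns.extend(cs.get("matches", []))
    return patterns


def _domains_hit(patterns, targets=TARGET_DOMAINS) -> list:
    """Return the target domains reachable through the given match patterns."""
    hits = []
    for pat in patterns:
        if pat in ALL_SITES:
            return list(targets)
        for dom in targets:
            if dom in pat and dom not in hits:
                hits.append(dom)
    return hits


def scan_preferences(prefs: dict) -> list:
    """Return one ExtensionFinding per extension recorded in the Preferences dict."""
    findings = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = entry.get("manifest", {})
        findings.append(ExtensionFinding(
            ext_id=ext_id,
            name=manifest.get("name", "<unnamed>"),
            from_webstore=bool(entry.get("from_webstore", False)),
            path=str(entry.get("path", "")),
            matched_domains=_domains_hit(_patterns_from_manifest(manifest)),
        ))
    return findings


def scan_preferences_file(path) -> list:
    """Load a real profile's Preferences file (e.g. .../User Data/Default/Preferences)."""
    return scan_preferences(json.loads(Path(path).read_text(encoding="utf-8")))


# Constructed sample: a store-installed extension with broad host access,
# and an unpacked one whose content script hooks two exchange sites.
SAMPLE_PREFS = {
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "from_webstore": True,
            "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0",
            "manifest": {"name": "Ad Blocker", "permissions": ["<all_urls>"]},
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "from_webstore": False,
            "path": "C:\\Users\\victim\\AppData\\Roaming\\ext",
            "manifest": {
                "name": "Browser Helper",
                "content_scripts": [{"matches": ["*://*.coinbase.com/*",
                                                 "*://*.binance.com/*"]}],
            },
        },
    }}
}

if __name__ == "__main__":
    for f in scan_preferences(SAMPLE_PREFS):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.ext_id} {f.name!r} webstore={f.from_webstore} hits={f.matched_domains}")
```

On a live host, point `scan_preferences_file` at each Chromium-based profile (Chrome, Brave and Opera all keep a Preferences file per profile). The unpacked path and the absence of a Web Store origin are the same properties a PowerShell-driven sideload leaves behind, which is why the check keys on them rather than on the extension's name.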

To use cryptocurrency safely, Kaspersky experts also recommend:

  • Be cautious of phishing scams: Scammers often use phishing emails or fake websites to trick people into revealing their login credentials or private keys. Always double-check the URL of the website and don’t click on any suspicious links.
  • Don’t share your private keys: your private keys unlock your cryptocurrency wallet. Keep them private and never share them with anyone.
  • Educate yourself: stay informed about the latest cyber threats and best practices to keep your cryptocurrency safe. The more you know about protecting yourself, the better equipped you’ll be to prevent cyber-attacks.
  • Research before investing: before investing in any cryptocurrency, research the project and the team behind it thoroughly. Check the project’s website, white paper, and social media channels to ensure that the project is legitimate.
  • Use security solutions: a reliable security solution will protect your devices from various types of threats. Kaspersky Premium prevents all known and unknown cryptocurrency fraud, as well as unauthorized use of your computer’s processing power to mine cryptocurrency.
