This nasty Google Chrome extension looks for your cryptocurrencies and passwords


A particularly nasty crypto-stealing malware has been revamped to make it even more dangerous, according to researchers.

Avast cybersecurity experts warned that the ViperSoftX Windows malware, a JavaScript-based RAT that has been around for more than two years, was updated to also install a Chrome browser plug-in.

ViperSoftX typically monitors the contents of the infected endpoint's clipboard, and if it detects that the victim copies and pastes a cryptocurrency wallet address, it will replace the one on the clipboard with one belonging to the attackers. In this way, when the victim sends their funds, they end up in the hands of the attackers.

Fake Google Sheets Add-on

Cryptocurrency addresses are long strings of seemingly random characters, which makes this type of attack relatively effective. The plug-in basically does the same thing, but a bit more efficiently. It is called Google Sheets 2.1, to allay any suspicion about its intentions towards the victims.

"VenomSoftX mainly does this (steals crypto) by plugging API requests into some very popular crypto exchanges that victims visit or have an account," the researchers said. "When a certain API is called, for example, to send money, VenomSoftX forges the request before it is sent to redirect the money to the attacker."

Avast says that the Trojan targets several major crypto players, including Coinbase, Binance, Kucoin, Gate.io, and Blockchain.com. It doesn't stop there, though: it also keeps an eye on the clipboard to see whether any wallet addresses are copied to it.

There are two scary details about VenomSoftX. First, the extension can alter the HTML on websites to display the victim's cryptocurrency wallet address. In other words, even a visual inspection of the address after pasting it will not help. Second, the malware will intercept all API requests to the services and set the transaction amount to the maximum. This way, even if the victim makes a test transaction first (a small transaction of, say, €10), they will still lose all of their funds.

Finally, on Blockchain.com, it will also try to steal the password if the victim enters it on the site.

So far, according to the researchers, the attackers have managed to steal various cryptos worth about $130. We do not know how many people have been infected, but we do know that most of the victims are in the United States, Italy, Brazil and India.

Google Sheets 2.1 does not exist, so if you see this plugin installed, be sure to remove it immediately.

Via: BleepingComputer