Cybersecurity researchers have flagged an active browser extension campaign that is designed to steal cryptocurrency by stealthily replacing wallet addresses when unsuspecting users initiate a transaction.
The cryptocurrency clipper activity has been codenamed Silent Swap by McAfee Labs.
“The campaign is delivered through unsigned installers – observed in both .NET and Golang variants – that deploy a malicious Chromium extension masquerading as a benign ‘Google Notes’ utility,” the cybersecurity company said in a technical report shared with The Hacker News.
The unsigned .NET installer, named BaseZipInstaller, retrieves a ZIP archive containing the malicious browser extension and then scans the system for Chromium-based browsers. For each detected browser profile, it forcibly terminates the browser process and injects the extension by modifying the Secure Preferences and Preferences files.
The end goal of the extension is to act as a clipper that’s capable of intercepting and manipulating wallet addresses copied into the system clipboard with the goal of rerouting the funds to an attacker-controlled wallet. To realize its goals, the bogus Google Notes extension requests users to grant it permissions to access the clipboard, all URLs, and the browsing history.
Because most transactions on the blockchain are irreversible, an address swap can result in permanent financial loss. McAfee Labs said the activity overlaps with a prior CountLoader campaign that delivered a crypto clipper, with evidence pointing to the same threat actor behind both clusters.
What makes Silent Swap stand apart is the use of a technique called EtherHiding that uses the blockchain as a dead drop resolver to retrieve the active command-and-control (C2) server details. This allows the attacker to trivially update a smart contract value to point to the new domain instead of having to redeploy the malware itself.
The second aspect revolves around the covert installation of the browser extension on Chromium-based browsers like Google Chrome, Microsoft Edge, Brave, and Vivaldi by modifying protected browser settings files. The attack, however, hinges on enabling the developer mode for newer versions of the browsers, something that a threat actor can accomplish through social engineering tactics.
“Normally, these browsers store security verification data (hash/HMAC values) alongside sensitive settings to detect unauthorized changes,” McAfee said. “The malware recalculates and updates these security values after tampering with the files, tricking the browser into believing the malicious extension was installed legitimately.”
“This allows the extension to bypass the normal extension web store installation process and load silently without user approval.”
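A defender-side triage routine for the installation technique described above, added here as an example and not code from McAfee's report or from the malware: it reads a Chromium Secure Preferences file and flags extensions that were not installed from the Web Store, were loaded unpacked (the developer-mode path), or request the clipboard, history and all-URL permissions the bogus Google Notes extension asks for. The `extensions.settings`, `from_webstore`, `location`, `path`, `manifest` and `extensions.ui.developer_mode` keys are Chromium's own preference keys as understood by the author; the embedded JSON is a constructed sample, and the routine does not attempt to validate the file's HMAC values.

```python
import json

# Constructed sample of a Chromium "Secure Preferences" fragment (not a real capture):
# one Web Store extension and one side-loaded unpacked extension posing as a notes utility.
SAMPLE_SECURE_PREFS = json.dumps({
    "extensions": {
        "ui": {"developer_mode": True},
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True, "location": 1, "state": 1,
                "manifest": {"name": "Legit Extension", "permissions": ["storage"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False, "location": 4, "state": 1,
                "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\notes",
                "manifest": {"name": "Google Notes",
                             "permissions": ["clipboardRead", "clipboardWrite",
                                             "history", "<all_urls>"]},
            },
        },
    },
})

# Chromium Manifest::Location values: 1 = internal (CRX install), 4 = unpacked (developer-mode load).
UNPACKED = 4
# Permissions a clipboard-swapping extension needs; two or more together are treated as a hit.
RISKY_PERMS = {"clipboardRead", "clipboardWrite", "history", "<all_urls>"}


def triage_secure_prefs(raw):
    """Return (developer_mode, findings); each finding describes one suspect extension."""
    ext = json.loads(raw).get("extensions", {})
    dev_mode = bool(ext.get("ui", {}).get("developer_mode", False))
    findings = []
    for ext_id, info in ext.get("settings", {}).items():
        reasons = []
        if not info.get("from_webstore", False):
            reasons.append("not installed from the Web Store")
        if info.get("location") == UNPACKED:
            reasons.append("loaded unpacked from %s" % info.get("path", "<unknown path>"))
        hits = sorted(set(info.get("manifest", {}).get("permissions", [])) & RISKY_PERMS)
        if len(hits) >= 2:
            reasons.append("requests clipper-grade permissions: " + ", ".join(hits))
        if reasons:
            name = info.get("manifest", {}).get("name", "?")
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    return dev_mode, findings


if __name__ == "__main__":
    dev_mode, findings = triage_secure_prefs(SAMPLE_SECURE_PREFS)
    print("developer mode enabled:", dev_mode)
    for f in findings:
        print(f["id"], f["name"], "->", "; ".join(f["reasons"]))
```

Run it against each profile's Secure Preferences file in the browser user-data directory; a side-loaded extension with these permissions alongside developer mode turned on is the combination the report describes.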
The campaign’s persistence and evasion posture has been characterized as deliberate and layered, with the primary focus being on maintaining low visibility to the end user…