Chrome extension hides malware to steal crypto: new operation uncovered
September 2024 by CyberNews
The Cybernews research team discovered a threat actor defrauding hundreds of people per month through a simple information-stealing browser extension on the Chrome Web Store, called SpiderX.
Despite its obviously malicious functionality, the extension has not yet been detected by antivirus software.
SpiderX can gather plaintext login information, take screenshots, and track browsing history. The threat actor built an infrastructure of dozens of malicious domains and WhatsApp accounts to lure victims into installing the extension.
“Despite amateurish execution and carelessness, the threat actor is sending tens of thousands of spam emails per month and has an infection rate of 1%. At the time of discovery, there were over 500 infected victims, and the campaign is still ongoing,” Cybernews researchers said.
The campaign targets crypto users
The scheme starts with spam sent from domains impersonating cryptocurrency recovery agencies, trading platforms, wallets, or even the UK's Financial Conduct Authority.
Some variants of the spam messages and websites used in the campaign direct users to contact the threat actor via WhatsApp, while others direct them to download the Chrome extension and install it manually.
Once installed, the extension takes screenshots of the victim's screen, collects plaintext login information from forms on various websites, and exfiltrates the browsing history.
Poor operational security exposes the hacker
The campaign was attributed thanks to the threat actor's lack of operational security and misconfigured software.
“It appears that before launching the campaign, the threat actor set up and tested the infrastructure using their email, IP address, and other personal information,” our researchers said. “This data leads to a person in Israel.”