This Malware Installs Malicious Browser Extensions to Steal Users’ Passwords and Cryptos

A malicious extension for Chromium-based web browsers has been observed being distributed via a long-standing Windows information stealer called ViperSoftX.

Czech-based cybersecurity company Avast dubbed the rogue browser add-on VenomSoftX owing to its standalone features that enable it to access website visits, steal credentials and clipboard data, and even swap cryptocurrency addresses via an adversary-in-the-middle (AiTM) attack.

ViperSoftX, which first came to light in February 2020, was characterized by Fortinet as a JavaScript-based remote access trojan and cryptocurrency stealer. The malware’s use of a browser extension to advance its information-gathering goals was documented by Sophos threat analyst Colin Cowie earlier this year.

“This multi-stage stealer exhibits interesting hiding capabilities, concealed as small PowerShell scripts on a single line in the middle of otherwise innocent-looking large log files, among others,” Avast researcher Jan Rubín said in a technical write-up.

“ViperSoftX focuses on stealing cryptocurrencies, clipboard swapping, fingerprinting the infected machine, as well as downloading and executing arbitrary additional payloads, or executing commands.”

ViperSoftX is typically distributed through cracked software for Adobe Illustrator and Microsoft Office hosted on file-sharing sites.

The downloaded executable file comes with a clean version of cracked software along with additional files that set up persistence on the host and harbor the ViperSoftX PowerShell script.

Newer variants of the malware are also capable of loading the VenomSoftX add-on, which is retrieved from a remote server, to Chromium-based browsers such as Google Chrome, Microsoft Edge, Opera, Brave, and Vivaldi.

This is achieved by searching for LNK files for the browser applications and modifying the shortcuts with a “--load-extension” command line switch that points to the path where the unpacked extension is stored.

“The extension tries to disguise itself as well known and common browser extensions such as Google Sheets,” Rubín explained. “In reality, the VenomSoftX is yet another information stealer deployed onto the unsuspecting victim with full access permissions to every website the user visits from the infected browser.”

It’s worth noting that the --load-extension tactic has also been put to use by another browser-based information stealer referred to as ChromeLoader (aka Choziosi Loader or ChromeBack).
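A defender can check for the shortcut tampering described above by reading the arguments of browser LNK files. The following PowerShell audit is an added example, not code from Avast or the original article; the folder list and browser executable names are assumptions, and it also prints the name and permissions declared in each referenced extension's manifest.json so a disguised add-on stands out.

```powershell
# Added example: find browser shortcuts that carry a --load-extension argument.
# Browser executable names and shortcut folders below are assumptions.
$browserExe = 'chrome.exe', 'msedge.exe', 'opera.exe', 'brave.exe', 'vivaldi.exe'
$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
) | Where-Object { $_ -and (Test-Path $_) }

$shell = New-Object -ComObject WScript.Shell
$links = Get-ChildItem -Path $folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue

$findings = foreach ($lnk in $links) {
    $sc = $shell.CreateShortcut($lnk.FullName)
    # Skip shortcuts with no target or a non-browser target
    if (-not $sc.TargetPath) { continue }
    if ((Split-Path $sc.TargetPath -Leaf) -notin $browserExe) { continue }
    # Capture the switch value, quoted or unquoted
    if ($sc.Arguments -notmatch '--load-extension=("[^"]+"|\S+)') { continue }

    # The switch accepts a comma-separated list of unpacked extension folders
    foreach ($dir in ($Matches[1].Trim('"') -split ',')) {
        $manifestPath = Join-Path $dir 'manifest.json'
        $m = $null
        if (Test-Path $manifestPath) {
            $m = Get-Content $manifestPath -Raw | ConvertFrom-Json
        }
        $perms = @($m.permissions) + @($m.host_permissions) | Where-Object { $_ }
        [pscustomobject]@{
            Shortcut     = $lnk.FullName
            Browser      = $sc.TargetPath
            Arguments    = $sc.Arguments
            ExtensionDir = $dir
            ManifestName = $m.name      # name the extension claims to have
            Permissions  = $perms -join ', '
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    Write-Output 'No browser shortcuts with --load-extension were found.'
}
```

Any hit outside a developer workstation deserves review: restore the shortcut's original arguments and inspect the referenced folder before deleting it.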

VenomSoftX, like ViperSoftX, is also orchestrated to steal cryptocurrencies from its victims. But unlike the latter, which functions as a clipper to reroute fund transfers to an attacker-controlled wallet, VenomSoftX tampers with API requests to crypto exchanges to drain the digital assets.

Services targeted by the extension include Binance, Coinbase, and Kucoin.

The development marks a new level of escalation to traditional clipboard swapping, while also not raising any immediate suspicion as the wallet address is replaced at a much more fundamental level.

Avast said it has detected and blocked over 93,000 infections since the start of 2022, with a majority of the impacted users located in India, the U.S., Italy, Brazil, the U.K., Canada, France, Pakistan, and South Africa.

An analysis of the hard-coded wallet addresses in the samples reveals that the operation has netted its authors a sum total of about $130,421 as of November 8, 2022, in various cryptocurrencies. The collective monetary gain has since dropped to $104,500.

“Since the transactions on blockchains/ledgers are inherently irreversible, when the user checks the transaction history of payments afterward, it is already too late,” Rubín said.
