Pierluigi Paganini April 15, 2020

Google has removed 49 new Chrome browser extensions from its official Web Store that hide the code to hijack cryptocurrency wallets.

Google has removed 49 new Chrome browser extensions from its official Web Store that contain the code to steal sensitive information and hijack cryptocurrency wallets.

The Chrome browser extensions were discovered by researchers from MyCrypto and PhishFort that speculate the involvement of Russian hackers.

In some cases, the Chrome extensions had fake five-star reviews in the attempt to trick unsuspecting into download it.

“We have found a range of extensions targeting brands and cryptocurrency users. Whilst the extensions all function the same, the branding is different depending on the user they are targeting.” reads the post published by the experts. “The brands we’ve found targeted with malicious extensions are:

• Ledger <https://www.ledger.com/>
• Trezor <https://trezor.io/>
• Jaxx <https://jaxx.io/>
• Electrum <https://electrum.org/>
• MyEtherWallet <https://myetherwallet.com>
• MetaMask <https://metamask.io>
• Exodus <https://www.exodus.io/>
• KeepKey <https://shapeshift.io/keepkey/>”

The Chrome extensions are used to steal mnemonic phrases, private keys, and keystore files, then they send the stolen data to the attackers via an HTTP POST request.

The researchers have discovered 14 unique command & control servers that still communicate with your compromised system. The experts discovered that the C2 servers are operated by the same bad actor(s).

“Whilst some of the domains are relatively old, 80% of the C2s were registered in March and April 2020 (an even split). The oldest domain (ledger.productions) has the most “connections” to other C2s in terms of fingerprints, so we have some indication of the same backend kit (or same actors behind this) for the majority of the extensions.” continues the expert.

• The server used for this C2 is trxsqdmn
• The admin email follows this mask: “b — 0@r — r.ru” — potentially indicating Russia-based actors
• The first log was 29-Mar-2020 10:43:14 America/New_York
• The C2 hosts files other than those to collect the phished secrets”

Experts reported their discovery to Google that removed the malicious extensions within 24 hours. The extensions were published on the Web Store as early as February 2020.

Experts noticed that attackers did not empty every wallet they had access, but they targeted only high-value accounts to optimize their efforts and stole funds as much as possible.

Unfortunately, the presence of data-stealing Chrome extensions in the official Web Store is not a novelty. In January, Harry Denley, director of security at the MyCrypto, discovered that the Google Chrome extension named Shitcoin Wallet was stealing passwords and wallet private keys.

In February, Google removed 500 malicious Chrome extensions from its Web Store after they found to inject malicious ads and steal sensitive data.

Pierluigi Paganini

(SecurityAffairs – Google Chrome, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]