January 31, 2023

According to Bleeping Computer, a Google Chrome extension called “VenomSoftX” is designed to hijack your passwords and cryptocurrency. This extension is reportedly installed by ViperSoftX Windows malware.

The malware acts as a JavaScript-based RAT (remote access trojan) and can monitor users’ activity through the web to steal their clipboard contents. Of course, ViperSoftX has been around since 2020, but this time it is sneaking onto your device in the form of a Google Chrome extension.

Avast has published a report regarding the Chrome extension to give us more details on how this information-stealing extension works. As per the company’s report, they’ve detected and neutralized 93,000 ViperSoftX infection attempts against their customers. The attacks mainly targeted users in the United States, Italy, Brazil, and India.

VenomSoftX can steal the cryptocurrency stored in your wallet

Additionally, torrent files containing laced game cracks and software product activators are the main source of distribution for ViperSoftX. Avast also found that the attackers had stolen about $130,000 worth of cryptocurrency by November 8, 2022.

The new and old ViperSoftX attack attempts are similar. The only change is that ViperSoftX now installs a malicious extension on Chromium-based browsers, including Chrome, Brave, Edge, and Opera. The extension presents itself as “Google Sheets 2.1” to stay hidden and look like a legitimate extension. Security researcher Colin Cowie also detected the malicious extension under the name “Update Manager.”

Compared to ViperSoftX, VenomSoftX has more chances of success as it steals crypto by “hooking API requests on a few top-rated crypto exchanges victims visit/have an account with,” Avast says. “When a certain API is called, for example, to send money, VenomSoftX tampers with the request before it is sent to redirect the money to the attacker instead.”

Currently, some popular cryptocurrency trade centers like Blockchain.com, Binance, Coinbase, Gate.io, and Kucoin are targeted by VenomSoftX. The extension can intercept the victim’s API requests to these services. Then, it sets the transaction amount to the maximum available and steals everything in the victim’s wallet.

VenomSoftX can also check the clipboard or modify a website’s HTML in search of the user’s cryptocurrency wallet address. The attackers are able to manipulate some elements in the background to redirect payments.
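As an added example (not code from the article or from Avast's report), here is a defender-side check that a web wallet or exchange front end could run before submitting a transfer. It covers the two conditions the article describes: the page's request functions having been wrapped by injected script, and the outgoing request body no longer matching the transfer the user confirmed (destination swapped or amount raised to the maximum). The function names and the sample payload, including the wallet address, are assumptions constructed for the example.

```javascript
// Defender-side tamper checks for an exchange/wallet front end (added example).
// Two signals, matching the behaviour described in the article:
//  1. the page's request primitive (fetch / XMLHttpRequest.prototype.send) is
//     no longer native, i.e. something injected into the page has wrapped it;
//  2. the serialized transfer about to leave the page differs from the transfer
//     the user confirmed (destination, amount or asset changed).

// A genuine browser built-in stringifies to "function name() { [native code] }".
// A JavaScript wrapper installed by an injected script does not.
// Caveat: Function.prototype.toString can itself be replaced, so treat this as
// one signal among several, not as proof of integrity.
function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  const src = Function.prototype.toString.call(fn);
  return /\{\s*\[native code\]\s*\}\s*$/.test(src);
}

// Snapshot the transfer at the moment the user confirms it. Frozen so that a
// later in-page mutation of the object cannot change what we compare against.
function confirmTransfer(destination, amount, asset) {
  return Object.freeze({
    destination: String(destination),
    amount: String(amount),
    asset: String(asset),
  });
}

// Compare the request body that is about to be sent with the confirmed intent.
// Returns a list of human-readable problems; an empty list means no change.
function verifyOutgoingTransfer(confirmed, rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return ["request body is not valid JSON"];
  }
  const problems = [];
  if (body.destination !== confirmed.destination) problems.push("destination address changed");
  if (String(body.amount) !== confirmed.amount) problems.push("amount changed");
  if (body.asset !== confirmed.asset) problems.push("asset changed");
  return problems;
}

// Combined gate: the caller refuses to submit when any reason is returned.
function shouldBlockSubmit(sendFn, confirmed, rawBody) {
  const reasons = verifyOutgoingTransfer(confirmed, rawBody);
  if (!isNativeFunction(sendFn)) reasons.unshift("request function has been wrapped");
  return reasons;
}
```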