According to Bleeping Computer, a Google Chrome extension called “VenomSoftX” is designed to hijack your passwords and cryptocurrency. This extension is reportedly installed by ViperSoftX Windows malware.
Avast has published a report on the Chrome extension that gives more detail on how this information-stealing extension works. According to the report, Avast detected and blocked 93,000 ViperSoftX infection attempts against its customers. The attacks mainly targeted users in the United States, Italy, Brazil, and India.
VenomSoftX can steal the cryptocurrency stored in your wallet
Additionally, torrent files containing laced game cracks and software product activators are the main distribution source for ViperSoftX. Avast also found that the attackers had stolen about $130,000 worth of cryptocurrency by November 8, 2022.
The new and old ViperSoftX attack attempts are similar. The only change is that ViperSoftX now installs a malicious extension on Chromium-based browsers, including Chrome, Brave, Edge, and Opera. The extension presents itself as “Google Sheets 2.1” to stay hidden and appear to be a legitimate extension. Security researcher Colin Cowie has also seen the malicious extension under the name “Update Manager.”
Compared to ViperSoftX, VenomSoftX has a better chance of success because it steals crypto by “hooking API requests on a few top-rated crypto exchanges victims visit/have an account with,” Avast says. “When a certain API is called, for example, to send money, VenomSoftX tampers with the request before it is sent to redirect the money to the attacker instead.”
Currently, popular cryptocurrency exchanges such as Blockchain.com, Binance, Coinbase, Gate.io, and KuCoin are targeted by VenomSoftX. The extension intercepts the victim’s API requests to these services, sets the transaction amount to the maximum available, and drains everything in the victim’s wallet.
VenomSoftX can also monitor the clipboard for cryptocurrency wallet addresses or modify a website’s HTML where such an address appears. By swapping these elements in the background, the attackers redirect payments to their own wallets.
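One defender-side check suggested by the behaviour described above, as an added example (not code from Avast, Bleeping Computer, or the malware authors): sweep a Chromium profile's Extensions directory and flag manifests whose display name matches the aliases reported here, or whose permissions allow request interception, clipboard access, or injection into every site. The directory layout, the permission list, and the sample extension IDs are assumptions.

```python
import json
import tempfile
from pathlib import Path

# Display names the article reports for the VenomSoftX extension.
SUSPICIOUS_NAMES = {"google sheets 2.1", "update manager"}
# Permissions that let an extension read the clipboard, rewrite requests, or run on every site.
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                     "clipboardRead", "clipboardWrite", "<all_urls>"}

def assess_manifest(manifest):
    """Return the reasons an extension manifest deserves a closer look (empty list = none)."""
    reasons = []
    name = str(manifest.get("name", "")).strip().lower()
    if name in SUSPICIOUS_NAMES:
        reasons.append(f"name matches a reported VenomSoftX alias: {manifest.get('name')!r}")
    granted = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        granted.update(script.get("matches", []))  # URL patterns a content script is injected into
    risky = sorted(granted & RISKY_PERMISSIONS)
    if risky:
        reasons.append("risky permissions: " + ", ".join(risky))
    return reasons

def scan_extensions_dir(extensions_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and map extension id -> reasons."""
    findings = {}
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort the sweep
        reasons = assess_manifest(manifest)
        if reasons:
            findings[manifest_path.parent.parent.name] = reasons
    return findings

def build_sample_profile():
    """Write two constructed manifests into a temporary Extensions dir (sample data, not real IDs)."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        "aaaa-benign": {"name": "Dark Theme", "permissions": ["storage"]},
        "bbbb-suspect": {"name": "Google Sheets 2.1", "permissions": ["webRequest", "clipboardRead"],
                         "content_scripts": [{"matches": ["<all_urls>"], "js": ["x.js"]}]},
    }
    for ext_id, manifest in samples.items():
        path = root / ext_id / "1.0.0"
        path.mkdir(parents=True)
        (path / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root
```

On a real Windows host, point `scan_extensions_dir` at a profile path such as `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` (Edge and Brave keep the same layout under their own `User Data` folders); a name match is only a lead, since the aliases are trivial to change, so the permission set is the more durable signal.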