A new malware campaign has been discovered that uses the Satacom downloader, also known as LegionLoader, to distribute a browser extension designed to steal cryptocurrency.
The Satacom downloader, a notorious malware family that emerged in 2019, is known for using DNS server queries to retrieve the next malware stage from another family associated with Satacom.
The malware is distributed through third-party websites, often leveraging legitimate advertising plugins abused by attackers to inject malicious advertisements into web pages.
According to a new advisory by Kaspersky, the main goal of the malware dropped by the Satacom downloader is to steal Bitcoin (BTC) from victims’ accounts. It achieves this by installing a Chromium-based web browser extension that communicates with a command-and-control (C2) server.
Read more on crypto-stealing malware: “Kekw” Malware in Python Packages Could Steal Data and Hijack Crypto
The extension uses various JavaScript scripts to manipulate users’ browsers while they visit targeted cryptocurrency websites. It can also alter the appearance of email services such as Gmail, Hotmail and Yahoo to hide its activity involving the victim’s cryptocurrencies.
The initial infection occurs when a user downloads a ZIP archive file from a fake software portal; the archive contains legitimate DLLs and a malicious Setup.exe file.
The malware spreads through different types of websites, some of which have hardcoded download links, while others inject a deceptive “Download” button using legitimate ad plugins. Kaspersky highlighted that the QUADS ad plugin had been abused to deliver the Satacom malware.
Once the malware is executed, it employs process injection techniques to evade detection by antivirus programs. The security experts said that the dynamic nature of this malware campaign poses challenges for mitigation and detection.
Based on Kaspersky’s telemetry data, this campaign targets individual users globally. During Q1 2023, Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt and Mexico were the countries with the highest infection frequency.
Users are advised to exercise caution when downloading software from untrusted sources and to keep their antivirus software up to date to protect against such threats.
The Kaspersky advisory comes a few months after a US man was charged with fraudulently obtaining $110m worth of cryptocurrency from Mango Markets – a crypto exchange – and its customers.