Kaspersky, a cybersecurity company, has uncovered a recent Satacom campaign that utilizes a malicious browser extension to steal cryptocurrency from unsuspecting victims. This campaign, which targeted users of Chrome, Brave, and Opera browsers, posed a significant risk to nearly 30,000 individuals over the past two months. The attackers employed various deceptive tactics to ensure the extension remained undetected while users browsed popular cryptocurrency exchange websites, including Coinbase and Binance. The extension not only facilitated the theft of cryptocurrency but also allowed the threat actors to conceal transaction notifications sent to victims, enabling them to covertly steal funds.
The Satacom campaign is closely associated with the notorious Satacom downloader, a malware family that has been active since 2019. Typically distributed through malvertising on third-party websites, the campaign entices users with fake file-sharing services and other malicious pages, leading them to download an archive containing the Satacom downloader. In this particular campaign, the downloader delivers the malicious browser extension.
The primary objective of the campaign is to steal bitcoin (BTC) from victims’ accounts by injecting malicious code into targeted cryptocurrency websites. Although BTC is the main focus, the malware can be easily adapted to target other cryptocurrencies. The attackers install a browser extension on Chromium-based browsers such as Chrome, Brave, and Opera, targeting individuals worldwide who hold cryptocurrency. Kaspersky’s telemetry data reveals that nearly 30,000 individuals were at risk of being targeted during April and May. The countries most affected by this threat were Brazil, Mexico, Algeria, Turkey, India, Vietnam, and Indonesia.
Once the malicious extension is installed, it engages in browser manipulations while users browse targeted cryptocurrency exchange websites. The campaign specifically targets users of Coinbase, Bybit, Kucoin, Huobi, and Binance. In addition to stealing cryptocurrency, the extension employs various techniques to conceal its illicit activity. For example, it hides email confirmations of transactions and modifies existing email threads from cryptocurrency websites, creating fake threads that closely resemble legitimate ones.
Unlike previous campaigns, the threat actors behind the Satacom campaign do not need to infiltrate official extension stores, as they utilize the Satacom downloader for delivery. The initial infection begins with a ZIP archive file downloaded from a website that imitates software portals offering free downloads of desired (often cracked) software. Satacom typically downloads various binaries onto the victim’s machine, but this time, researchers at Kaspersky observed a PowerShell script that installs the malicious browser extension.
Through a series of malicious actions, the extension operates stealthily while users browse the internet, allowing threat actors to transfer stolen BTC from victims’ wallets to their own wallets using web injections.
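A Chromium extension can only inject into Coinbase, Bybit, Kucoin, Huobi or Binance pages if its manifest declares content scripts or host permissions matching those domains, so one practical defender check is to audit the manifests of installed extensions for exactly that. The script below is an added example, not Kaspersky's code and not derived from the malware itself; the three manifests it scans are constructed samples, and the `Extensions/*/*/manifest.json` layout it walks is the standard Chromium profile layout (the profile path is left to the caller).

```python
"""Audit Chromium-style extension manifests for content scripts or host
permissions that reach cryptocurrency exchange domains.

Added example (not Kaspersky's or the malware's code). The sample manifests
embedded below are constructed for the demonstration.
"""
import json
from pathlib import Path
from typing import Iterable, List, Optional

# Exchange domains named in the write-up.
EXCHANGE_DOMAINS = ("coinbase.com", "bybit.com", "kucoin.com", "huobi.com", "binance.com")


def match_pattern_host(pattern: str) -> Optional[str]:
    """Return the host part of a Chromium match pattern.

    'https://*.binance.com/*' -> '*.binance.com'; '<all_urls>' and '*://*/*' -> '*'.
    Returns None for strings that are not URL patterns (plain API permissions).
    """
    if pattern == "<all_urls>":
        return "*"
    if "://" not in pattern:
        return None
    rest = pattern.split("://", 1)[1]
    return rest.split("/", 1)[0]


def host_covers_domain(host: str, domain: str) -> bool:
    """True if a match-pattern host such as '*.binance.com', 'binance.com' or
    'www.binance.com' reaches the given exchange domain ('*' is handled by the caller)."""
    if host.startswith("*."):
        base = host[2:]
        return base == domain or domain.endswith("." + base)
    return host == domain or host.endswith("." + domain)


def flag_manifest(manifest: dict) -> dict:
    """Summarise which exchange domains an extension's scripts can reach."""
    patterns: List[str] = []
    for cs in manifest.get("content_scripts", []):
        patterns.extend(cs.get("matches", []))
    patterns.extend(manifest.get("host_permissions", []))  # Manifest V3
    # Manifest V2 mixed host patterns into "permissions" with API permission names.
    patterns.extend(p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>")

    reached = set()
    all_urls = False
    for p in patterns:
        host = match_pattern_host(p)
        if host is None:
            continue
        if host == "*":
            all_urls = True  # broad access: common for ad blockers, so reported but not flagged
            continue
        for domain in EXCHANGE_DOMAINS:
            if host_covers_domain(host, domain):
                reached.add(domain)
    return {
        "name": manifest.get("name", "?"),
        "exchanges": sorted(reached),
        "all_urls": all_urls,
        # Explicitly naming exchange domains is the narrow targeting worth a closer look.
        "suspicious": bool(reached),
    }


def scan_manifests(manifest_json: Iterable[str]) -> List[dict]:
    """Run flag_manifest over raw manifest.json strings."""
    return [flag_manifest(json.loads(text)) for text in manifest_json]


def scan_profile(profile_dir: str) -> List[dict]:
    """Walk a Chromium profile (e.g. Chrome's 'Default' directory) and audit every
    installed extension version. Layout: Extensions/<id>/<version>/manifest.json."""
    paths = sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json"))
    return scan_manifests(p.read_text(encoding="utf-8") for p in paths)


# Constructed sample manifests: a benign note-taker, a suspicious "helper" that
# names two exchanges, and an ad blocker with broad but non-targeted access.
SAMPLE_MANIFESTS = [
    json.dumps({"name": "Note Taker", "manifest_version": 3,
                "content_scripts": [{"matches": ["https://*.example.com/*"], "js": ["notes.js"]}]}),
    json.dumps({"name": "Browser Helper", "manifest_version": 3,
                "host_permissions": ["https://*.binance.com/*"],
                "content_scripts": [{"matches": ["https://www.coinbase.com/*"], "js": ["inject.js"]}]}),
    json.dumps({"name": "Ad Blocker", "manifest_version": 2,
                "permissions": ["storage", "<all_urls>"],
                "content_scripts": [{"matches": ["*://*/*"], "js": ["block.js"]}]}),
]

if __name__ == "__main__":
    for report in scan_manifests(SAMPLE_MANIFESTS):
        print(report)
```

Run against a real profile with `scan_profile(<path to the browser's profile directory>)`; an extension that explicitly names exchange domains is not proof of compromise, but it is the short list an analyst should inspect by hand, since a legitimate extension rarely needs content scripts on those sites specifically.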
Haim Zigel, a malware analyst at Kaspersky, emphasized the adaptability of the malicious extension, stating, “Cybercriminals have enhanced the extension by adding the ability to control it through script changes. This means that they can easily start targeting other cryptocurrencies. Moreover, since the extension is browser-based, it can target Windows, Linux, and macOS platforms.” Zigel urged users to regularly monitor their online accounts for any suspicious activity and employ reliable security solutions to protect themselves from such threats.
For detailed technical analysis of the malware and further information on the campaign, please visit Securelist.
To ensure safe cryptocurrency usage, Kaspersky experts recommend the following measures:
– Remain vigilant against phishing scams, which often employ phishing emails or fake websites to trick users into revealing login credentials or private keys. Always verify the website’s URL and avoid clicking on suspicious links.
– Safeguard private keys, as they provide access to cryptocurrency wallets. Keep them confidential and refrain from sharing them with anyone.
– Stay informed about the latest cyber threats and best practices for safeguarding cryptocurrency. Increasing awareness will enhance your ability to prevent cyberattacks.
– Conduct thorough research before investing in any cryptocurrency project. Examine the project’s website, white paper, and social media channels to ensure its legitimacy.
– Utilize reliable security solutions, such as Kaspersky Premium, to protect your devices from various threats. Kaspersky Premium provides comprehensive defense against known and unknown cryptocurrency fraud, as well as unauthorized use of your computer’s processing power for cryptocurrency mining.