A new malware campaign has been uncovered that exploits the Satacom downloader, also known as LegionLoader, to distribute a browser extension built to steal cryptocurrency.
The Satacom downloader, a notorious malware family that emerged in 2019, is known for using DNS server queries to retrieve the next malware stage from another family associated with Satacom.
The malware is distributed via third-party websites, sometimes leveraging legitimate advertising plugins that attackers exploit to inject malicious advertisements into web pages.
According to a new advisory by Kaspersky, the main goal of the malware dropped by the Satacom downloader is to steal Bitcoin (BTC) from victims’ accounts. It achieves this by installing a Chromium-based web browser extension that communicates with a command-and-control (C2) server.
The extension uses several JavaScript scripts to manipulate users’ browsers while they browse specific cryptocurrency websites. It can also alter the appearance of email services such as Gmail, Hotmail and Yahoo to hide its activity involving the victim’s cryptocurrencies.
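A defender triaging an unknown Chromium extension can start from its manifest: content scripts whose match patterns cover webmail or exchange hosts, or blanket host permissions, are exactly the capabilities the extension described above would need. The following audit script is an added example, not code from the article or from Kaspersky's advisory; the sample manifest and the exchange/wallet domains are constructed placeholders, and the match-pattern matcher implements only the subset of Chromium's pattern grammar needed here.

```python
# Minimal manifest audit for a Chromium extension: flag content scripts that
# run on sensitive hosts and any blanket host permission.

# Webmail hosts named in the advisory as targets of UI tampering, plus two
# placeholder exchange/wallet domains (constructed, not real targets).
SENSITIVE_HOSTS = {
    "mail.google.com": "webmail",
    "outlook.live.com": "webmail",
    "mail.yahoo.com": "webmail",
    "exchange.example": "crypto",   # placeholder (constructed)
    "wallet.example": "crypto",     # placeholder (constructed)
}

BROAD_PERMISSIONS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def pattern_covers(pattern: str, host: str) -> bool:
    """Return True if a Chromium match pattern (scheme://host/path) covers host.

    Handles "<all_urls>", a bare "*" host and a leading "*." wildcard, which is
    the subset of the match-pattern grammar this audit needs.
    """
    if pattern == "<all_urls>":
        return True
    _scheme, _, rest = pattern.partition("://")
    pat_host = rest.split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        bare = pat_host[2:]                     # "yahoo.com"
        return host == bare or host.endswith("." + bare)
    return host == pat_host


def audit_manifest(manifest: dict) -> list:
    """Return one human-readable finding per sensitive match or broad permission."""
    findings = []
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            for host, kind in SENSITIVE_HOSTS.items():
                if pattern_covers(pattern, host):
                    findings.append(
                        f"content script {script.get('js')} runs on {kind} host "
                        f"{host} via pattern {pattern}"
                    )
    perms = manifest.get("host_permissions", []) + manifest.get("permissions", [])
    for perm in perms:
        if perm in BROAD_PERMISSIONS:
            findings.append(f"broad host permission {perm}")
    return findings


# Constructed sample manifest with the shape of a suspicious extension.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Helpful Tools",   # constructed name, not a real extension
    "content_scripts": [
        {"matches": ["*://mail.google.com/*", "*://*.yahoo.com/*"], "js": ["mail.js"]},
        {"matches": ["<all_urls>"], "js": ["inject.js"]},
    ],
    "host_permissions": ["<all_urls>"],
    "permissions": ["storage"],
}

# Constructed benign manifest: one content script on an unrelated host.
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "content_scripts": [{"matches": ["https://docs.example/*"], "js": ["docs.js"]}],
    "permissions": ["storage"],
}

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("FLAG:", finding)
    print("benign findings:", audit_manifest(BENIGN_MANIFEST))
```

The audit is deliberately coarse: a hit means the extension *can* run script on a sensitive host, not that it does anything malicious there, so findings are a prompt to read the listed `js` files, not a verdict.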
The initial infection occurs when a user downloads a ZIP archive from a fake software portal; the archive contains legitimate DLLs alongside a malicious Setup.exe file.
The malware spreads through different kinds of websites, some of which carry hardcoded download links, while others inject a deceptive “Download” button using legitimate ad plugins. Kaspersky highlighted that the QUADS ad plugin had been abused to deliver the Satacom malware.
Once executed, the malware uses process injection techniques to evade detection by antivirus programs. The security researchers explained that the dynamic nature of this malware campaign poses challenges for mitigation and detection.
Based on Kaspersky’s telemetry data, this campaign focuses on individual users globally. During Q1 2023, Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt and Mexico were the countries with the highest infection rates.
Users are advised to exercise caution when downloading software from untrusted sources and to keep their antivirus software up to date to protect against these threats.
The Kaspersky advisory comes several months after a US man was charged with fraudulently obtaining $110m worth of cryptocurrency from Mango Markets, a crypto exchange, and its customers.
Some parts of this article are sourced from:
www.infosecurity-magazine.com