With a growing number of cybercriminals targeting the crypto world, Google announced on April 15 that it had removed 49 newly discovered Chrome browser extensions from its official Web Store. The extensions hid code to hijack unsecured crypto wallets and steal sensitive information.
These browser extensions were discovered by MyCrypto and PhishFort researchers who suspect the involvement of Russian hackers. In several of these cases, the Chrome extensions had fake 5-star reviews trying to trick innocent users into downloading them. The post published by the experts reads:
“We have found a range of extensions targeting brands and cryptocurrency users. Whilst all the extensions function the same, the branding is different depending on the user they are targeting. The brands we’ve found targeted with malicious extensions are:
- Ledger <https://www.ledger.com/>
- Electrum <https://electrum.org/>
- MyEtherWallet <https://myetherwallet.com>
- MetaMask <https://metamask.io>
- Trezor <https://trezor.io/>
- Jaxx <https://jaxx.io/>
- Exodus <https://www.exodus.io/>
- KeepKey <https://shapeshift.io/keepkey/>”
How They Operate
These Chrome extensions steal private keys, mnemonic phrases, and keystore files, then send the stolen data to the attackers through an HTTP POST request.
Researchers discovered up to 14 unique command-and-control (C2) servers that still communicate with the compromised systems, and found that the C2 servers are operated by the same individual or group.
“Whilst some of the domains are relatively old, 80% of the C2s were registered in March and April 2020 (an even split). The oldest domain (ledger.productions) has the most “connections” to other C2s in terms of fingerprints, so we have some indication of the same backend kit (or same actors behind this) for the majority of the extensions.”
According to the report by the experts:
- The admin email follows this mask: “b — 0@r — r.ru” — potentially indicating Russia-based actors
- The C2 hosts files other than those to collect the phished secrets
- The server used for this C2 is trxsqdmn
- The first log was 29-Mar-2020 10:43:14 America/New_York
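As an added defender-side check, not code from the article or from the researchers' report, the Python below scans constructed proxy-log lines for HTTP POST requests that either go to the one C2 domain the article names (ledger.productions) or carry a body shaped like one of the three secret types it describes: a 12- or 24-word mnemonic, a raw private key, or an Ethereum keystore file. The tab-separated log format and the proxy.example host are assumptions.

```python
import json
import re
from urllib.parse import urlsplit

KNOWN_C2_DOMAINS = {"ledger.productions"}  # the only C2 domain the article names
# 12 or 24 lowercase words of 3-8 letters: the shape of a BIP39 seed phrase
MNEMONIC_RE = re.compile(r"(?:[a-z]{3,8}\s+){11,23}[a-z]{3,8}")
# 32 bytes of hex, optionally 0x-prefixed: the shape of a raw private key
PRIVKEY_RE = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")

def classify_body(body):
    """Name the kind of wallet secret a POST body resembles, or None."""
    text = body.strip()
    if MNEMONIC_RE.fullmatch(text) and len(text.split()) in (12, 24):
        return "mnemonic"
    try:  # Ethereum keystore files are JSON with a crypto.ciphertext field
        obj = json.loads(text)
        if isinstance(obj, dict) and isinstance(obj.get("crypto"), dict) \
                and "ciphertext" in obj["crypto"]:
            return "keystore"
    except ValueError:
        pass
    if PRIVKEY_RE.search(text):
        return "private_key"
    return None

def flag_exfil(log_lines):
    """Yield (host, reason) for each POST to a known C2 or carrying a secret."""
    for line in log_lines:
        method, url, _status, body = line.split("\t", 3)
        if method != "POST":
            continue
        host = urlsplit(url).hostname or ""
        if host in KNOWN_C2_DOMAINS:
            yield host, "known_c2"
        elif kind := classify_body(body):
            yield host, kind

# Constructed sample log (not real traffic): method<TAB>url<TAB>status<TAB>body
SAMPLE_LOG = [
    "GET\thttps://www.ledger.com/\t200\t",
    "POST\thttps://ledger.productions/api/log\t200\tuid=1",
    "POST\thttps://proxy.example/collect\t200\tabandon ability able about above absent absorb abstract absurd abuse access accident",
    "POST\thttps://proxy.example/collect\t200\t" + json.dumps({"crypto": {"ciphertext": "00", "cipher": "aes-128-ctr"}}),
    "POST\thttps://proxy.example/collect\t200\tkey=" + "ab" * 32,
    "POST\thttps://proxy.example/login\t200\tuser=alice&pw=hunter2",
]

def scan_sample():
    return list(flag_exfil(SAMPLE_LOG))
```

The ordinary login POST on the last sample line is not flagged; only the known-C2 request and the three secret-shaped bodies are.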
Google removed these malicious extensions within 24 hours after the experts reported this issue. Notably, these fake extensions were published on the Web Store as early as February 2020.
Research also revealed that the criminals did not empty every wallet they accessed. They seemingly targeted only high-value accounts to optimize their efforts, and later stole as much money as possible from those.
The presence of data-stealing Chrome extensions in the official Web Store is not a new occurrence. In January 2020, the director of security at MyCrypto, Harry Denley, noticed that a Google Chrome extension named Shitcoin Wallet was stealing a great deal of sensitive information, including passwords and wallet private keys.
Google also removed 500 malicious Chrome extensions in February from its Web Store after discovering that these extensions injected malicious ads and stole sensitive data.