A new malware campaign has been discovered that uses the Satacom downloader, also known as LegionLoader, to distribute browser extensions designed to steal cryptocurrency.
The Satacom downloader, a malware family first seen in 2019, is known for using DNS queries to retrieve the next stage of the infection, which belongs to another malware family linked to Satacom.
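As an added illustration (not code from Kaspersky's report or from the Satacom malware), the following Python sketch shows how a defender could hunt for stage delivery over DNS in resolver logs. It assumes the downloader pulls its next-stage pointer from a TXT answer (an assumption; the article only says "DNS queries"), the log format is assumed and every log line is constructed here, and it flags TXT answers that are base64-encoded or high-entropy after allowlisting common legitimate TXT uses such as SPF and DMARC.

```python
import base64
import binascii
import math
import re
import shlex
from dataclasses import dataclass

# Constructed sample lines in an assumed resolver log format:
#   <timestamp> <client_ip> <qname> <qtype> <rdata>
# The base64 blob is built from a placeholder URL so the sample is reproducible;
# none of these names, addresses or records come from a real campaign.
_PLACEHOLDER_STAGE_URL = b"https://next-stage.example.invalid/payload.bin"
SAMPLE_LOG = "\n".join([
    '2023-03-14T10:01:02Z 10.0.0.5 www.example.com A 93.184.216.34',
    '2023-03-14T10:01:03Z 10.0.0.5 example.com TXT "v=spf1 include:_spf.example.com -all"',
    '2023-03-14T10:01:07Z 10.0.0.8 cfg.example.invalid TXT "%s"'
        % base64.b64encode(_PLACEHOLDER_STAGE_URL).decode(),
    '2023-03-14T10:01:09Z 10.0.0.8 _dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"',
])

# Legitimate TXT record families that would otherwise look like opaque blobs.
BENIGN_TXT_PREFIXES = ("v=spf1", "v=dmarc1", "v=dkim1", "google-site-verification=", "ms=")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_SUSPICIOUS_LEN = 32     # shorter answers are rarely a useful payload carrier
ENTROPY_THRESHOLD = 4.0     # bits per character; English-like text sits well below this


@dataclass
class Finding:
    qname: str
    client: str
    reason: str
    decoded: str  # decoded payload when it was valid base64, otherwise ""


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character of the given string."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split one log line; quoted rdata stays a single token thanks to shlex."""
    parts = shlex.split(line)
    if len(parts) < 5:
        return None
    ts, client, qname, qtype = parts[:4]
    return ts, client, qname, qtype, " ".join(parts[4:])


def analyse_txt_rdata(rdata: str):
    """Return (reason, decoded) if the TXT payload looks like a delivery channel, else None."""
    payload = rdata.strip()
    if payload.lower().startswith(BENIGN_TXT_PREFIXES):
        return None
    if len(payload) < MIN_SUSPICIOUS_LEN:
        return None
    if BASE64_RE.match(payload):
        try:
            decoded = base64.b64decode(payload, validate=True)
        except (binascii.Error, ValueError):
            decoded = b""
        if decoded:
            return "base64-encoded TXT payload", decoded.decode("utf-8", "replace")
    # Not clean base64: fall back to an entropy check on space-free blobs.
    if " " not in payload and shannon_entropy(payload) > ENTROPY_THRESHOLD:
        return "high-entropy TXT payload", ""
    return None


def find_suspicious_txt(log_text: str):
    """Scan resolver log text and return a Finding for each suspicious TXT answer."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qname, qtype, rdata = rec
        if qtype.upper() != "TXT":
            continue
        hit = analyse_txt_rdata(rdata)
        if hit:
            findings.append(Finding(qname, client, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_txt(SAMPLE_LOG):
        print(f"{f.client} -> {f.qname}: {f.reason} {f.decoded!r}")
```

Run against the constructed log, only the `cfg.example.invalid` answer is flagged and its decoded content is the placeholder URL; the SPF and DMARC records pass through the allowlist. In production the same logic would run over passive DNS or resolver query logs, and the allowlist would need extending for the verification records your environment legitimately publishes.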
The malware is distributed through third-party websites and sometimes leverages legitimate advertising plugins exploited by the attackers to inject malicious advertisements into webpages.
According to a new Kaspersky advisory, the main purpose of the malware dropped by the Satacom downloader is to steal Bitcoin (BTC) from victims' accounts. It does so by installing a Chromium-based web browser extension that communicates with a command-and-control (C2) server.
The extension uses several JavaScript scripts to manipulate the user's browser while the victim browses the targeted cryptocurrency websites. It can also alter the appearance of webmail services such as Gmail, Hotmail and Yahoo to hide the victim's cryptocurrency-related activity.
The initial infection occurs when a user downloads a ZIP archive file containing a legitimate DLL and a malicious Setup.exe file from a rogue software portal.
The malware spreads through various types of websites, some with hard-coded download links and others that use legitimate advertising plugins to insert deceptive "download" buttons. Kaspersky emphasized that the QUADS advertising plugin was abused to deliver the Satacom malware.
Once executed, the malware uses process injection techniques to evade detection by antivirus products. Security experts said the dynamic nature of the campaign makes detection and mitigation challenging.
Based on Kaspersky telemetry data, the campaign focuses on individual users around the world. In Q1 2023, the countries with the highest frequency of infection were Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt and Mexico.
Users are advised to be careful when downloading software from untrusted sources and to keep their antivirus software up to date to protect against such threats.
Kaspersky’s recommendation comes months after an American man was charged with illegally obtaining $110 million worth of cryptocurrency from cryptocurrency exchange Mango Market and its customers.