A recently discovered malware campaign uses the Satacom downloader to deploy stealthy malware that steals cryptocurrency through a deceptive extension for Chromium-based web browsers.
“The main purpose of the malware that is dropped by the Satacom downloader is to steal BTC from the victim’s account by performing web injections into targeted cryptocurrency websites,” Kaspersky researchers Haim Zigel and Oleg Kupreev said.
The campaign focuses on users of popular platforms such as Coinbase, Bybit, KuCoin, Huobi, and Binance, primarily in Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt, and Mexico.
The infection starts when individuals searching for cracked software are redirected to fake websites hosting ZIP archive files containing the malware.
The researchers explained that “various types of websites are employed to distribute the malware, including malicious sites with hardcoded download links and legitimate ad plugins injecting a ‘Download’ button.”
According to Securelist, the archive file contains an executable named “Setup.exe,” approximately 5 MB in size. The file is inflated with null bytes to evade detection and analysis, making it around 450 MB in total.
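The null-byte inflation described above can be checked for during triage. The following Python is an added example, not code from Securelist or from the campaign: it streams a file, measures its longest contiguous run of null bytes, and flags files whose size is mostly such padding. The function names, the thresholds and the assumption that the padding forms one contiguous run are illustrative choices, not details from the report.

```python
import os
import re
import tempfile

NULL_RUN = re.compile(rb"\x00+")

def null_padding_stats(path, chunk_size=1 << 20):
    """Stream the file and return (size, null_bytes, longest_null_run)."""
    size = nulls = longest = run = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            nulls += chunk.count(0)
            body = chunk.lstrip(b"\x00")
            run += len(chunk) - len(body)   # extends a run carried over from the previous chunk
            longest = max(longest, run)
            if body:                        # chunk holds real data: measure the runs inside it
                for m in NULL_RUN.finditer(body):
                    longest = max(longest, m.end() - m.start())
                run = len(body) - len(body.rstrip(b"\x00"))  # trailing run carries forward
    return size, nulls, longest

def triage(path, min_size=100 * 2**20, min_pad_ratio=0.5, chunk_size=1 << 20):
    """Flag files that are large mainly because of one long block of null bytes.

    min_size and min_pad_ratio are assumed starting thresholds, not report values.
    """
    size, nulls, longest = null_padding_stats(path, chunk_size)
    ratio = longest / size if size else 0.0
    return {
        "size": size,
        "null_bytes": nulls,
        "longest_null_run": longest,
        "size_without_padding": size - longest,
        "suspicious": size >= min_size and ratio >= min_pad_ratio,
    }

if __name__ == "__main__":
    # Constructed sample: 5,000 non-null bytes followed by 445,000 null bytes,
    # i.e. the article's 5 MB -> 450 MB proportions scaled down 1000x.
    with tempfile.NamedTemporaryFile(suffix=".bin", delete=False) as tmp:
        tmp.write(b"MZ" + b"\x90" * 4998 + b"\x00" * 445_000)
    print(triage(tmp.name, min_size=100_000))
    os.unlink(tmp.name)
```

A flagged file still deserves scanning of its `size_without_padding` portion, since size limits in scanners and sandboxes are what this kind of padding is meant to exceed.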
Once the malware is executed, it employs process injection techniques to evade detection by antivirus programs. The security experts said that the dynamic nature of this malware campaign poses challenges for mitigation and detection.
Satacom, due to its nature as a browser extension, can be installed on Chromium-based browsers across different platforms. Although the installation process and infection chain outlined in this article pertain specifically to Windows, threat actors could easily target Linux and macOS users as well, provided the victims use Chromium-based browsers.
Indicators of Compromise as per Securelist