A malicious Google Chrome extension named “VenomSoftX” is being used to steal cryptocurrency from wallets and to steal passwords. The malware has been detected more than 93,000 times so far in 2022.
What does VenomSoftX do?
VenomSoftX overlaps with ViperSoftX, another piece of malware that has been tracked for some time. VenomSoftX, however, gets full access to every page the victim visits, carries out man-in-the-browser attacks to swap wallet addresses, tampers with API requests and with the browser's visit history, and more.
The malware spreads mostly through downloads purporting to be Adobe Illustrator, Microsoft Office, and Corel Video Studio.
ViperSoftX distributes a specific information stealer in the form of a browser extension for Chromium-based browsers. Due to its standalone capabilities and uniqueness, we decided to give it its own name, VenomSoftX.
The malicious extension gets full access to every page the victim visits, carries out man-in-the-browser attacks to swap cryptocurrency addresses by tampering with the data of API requests to popular cryptocurrency exchanges, steals credentials and clipboard content, tampers with crypto addresses on visited websites, reports events to the C&C server over MQTT, and more.
Newer versions of the ViperSoftX information stealer are capable of loading a custom malicious browser extension into Chromium-based browsers installed on infected computers. The extension is provided by the C&C server. The extension is basically another standalone information stealer, which we are calling VenomSoftX, but it is installed by ViperSoftX, as described below. The extension disguises itself as various popular browser extensions to avoid detection by the user.
Installing the extension
ViperSoftX’s approach is simple. The malware downloads a VenomSoftX PowerShell installer from the C&C server, e.g. by base64-decoding hardcoded request metadata embedded directly in the PowerShell script, following a request to:
depending on the malware version. This request can return different payloads, but we will focus on the VenomSoftX browser extension.
After the installer script is downloaded from the C&C server and the VenomSoftX browser extension is extracted, the installer searches several locations for .lnk files, and if such a link file belongs to Edge, it modifies the link file by appending the parameter --load-extension=<path_to_the_malicious_extension>. This way, when the user starts their favorite browser, they also load the malicious extension with it.
The extension ID is randomly generated, and random lowercase characters are used to name the extension folder.
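The shortcut tampering described above leaves a durable artifact: a browser .lnk whose arguments carry --load-extension. The following PowerShell script is an added example written for this article (it is not code from the original page, from Avast, or from the malware); it hunts for such shortcuts, reports where the loaded extension lives, and can strip the flag. The shortcut locations, the browser executable list, and the "random lowercase folder name" heuristic are assumptions made for this script.

```powershell
# Added example (not from the original article): find Chromium-based browser
# shortcuts whose arguments carry --load-extension, the persistence trick
# described above, and optionally remove that argument.
# Assumptions: the shortcut locations, browser list and the lowercase-name
# heuristic below are this script's own choices, not facts from the article.
param(
    [switch]$Clean   # remove the --load-extension argument from matching shortcuts
)

$shell = New-Object -ComObject WScript.Shell

# Places where browser shortcuts usually live (assumed; extend as needed).
$roots = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
)

# All Chromium-based browsers honour --load-extension; Edge is the one the article names.
$browserExe = '(chrome|msedge|brave|opera|chromium|vivaldi)\.exe$'
# Matches --load-extension=C:\path  or  --load-extension="C:\path with spaces"
$loadExt    = '--load-extension=(?:"([^"]+)"|(\S+))'

$findings = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($file in Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
        try { $lnk = $shell.CreateShortcut($file.FullName) } catch { continue }
        if ($lnk.TargetPath -notmatch $browserExe) { continue }
        # -match populates $Matches on success; group 1 is the quoted form, group 2 the bare form
        if (-not ($lnk.Arguments -match $loadExt)) { continue }

        $extPath = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
        $folder  = Split-Path -Leaf $extPath

        [pscustomobject]@{
            Shortcut      = $file.FullName
            Browser       = Split-Path -Leaf $lnk.TargetPath
            ExtensionPath = $extPath
            PathExists    = Test-Path -LiteralPath $extPath
            HasManifest   = Test-Path -LiteralPath (Join-Path $extPath 'manifest.json')
            # The article says the extension folder is named with random lowercase
            # characters; a lowercase-only folder name is a weak indicator, not proof.
            RandomName    = $folder -cmatch '^[a-z]{6,}$'
        }

        if ($Clean) {
            # Strip only the --load-extension argument and keep any other arguments.
            $lnk.Arguments = ($lnk.Arguments -replace $loadExt, '').Trim()
            $lnk.Save()
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { 'No browser shortcuts with --load-extension found.' }
```

Run it as the affected user first without -Clean and review the reported extension folder (manifest.json, background scripts) before removing the flag, because --load-extension is also used legitimately by developers loading unpacked extensions. Cleaning the shortcut removes the persistence only; the extension files and the ViperSoftX component that installed them still need to be removed separately.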