
New Malware Campaign Leverages Satacom Downloader to Steal Cryptocurrencies
A new malware campaign has been observed using the Satacom downloader as a conduit for spreading stealthy malware capable of siphoning cryptocurrency via rogue extensions for Chromium-based browsers.
“The main goal of the malware dropped by the Satacom downloader is to steal BTC from the victim’s account by performing web injections into the targeted cryptocurrency websites,” Kaspersky researchers Haim Zigel and Oleg Kupreev said.
The campaign targets Coinbase, Bybit, KuCoin, Huobi, and Binance users, who are mainly located in Brazil, Algeria, Turkey, Vietnam, India, Egypt, and Mexico.
The Satacom downloader, also called Legion Loader, first appeared in 2019 as a dropper for next-stage payloads, including information stealers and cryptocurrency miners.
The infection chain begins when a user looking for cracked software is redirected to a fake website that hosts a ZIP archive containing the malware.
“Various types of websites are used to spread malware,” explained the researchers. “Some of these are malicious websites with hard-coded download links, while others have ‘Download’ buttons injected via legitimate advertising plug-ins.”
The archive contains an executable called “Setup.exe” that is about 5 MB in size but has been padded with null bytes to roughly 450 MB in an attempt to evade analysis and detection.
Launching the binary starts the malware routines, culminating in the execution of the Satacom downloader which, in turn, uses DNS requests as a command-and-control (C2) method to retrieve URLs that host the actual malware.
The campaign documented by Kaspersky involves a PowerShell script that downloads browser add-ons from a remote third-party server. It also looks for browser shortcut files (.LNK) on compromised hosts and modifies the “Target” parameter with a “--load-extension” flag so that the browser launches with the downloaded extension loaded.

What’s more, the add-on masquerades as a Google Drive extension and uses a web injection sent by C2 servers when the victim visits one of the targeted cryptocurrency websites to manipulate content and steal crypto.
The C2 address is hidden in the script and addr fields of the most recent bitcoin transaction associated with an actor-controlled wallet address, using the same technique as the Glupteba botnet malware to overcome domain blocks or takedowns.
“The extension performs various actions on the account to control it remotely using a web inject script, and finally the extension attempts to withdraw BTC currency to the attacker’s wallet,” the researchers said.
As an additional effort to hide its activity, the malicious extension contains scripts that hide email confirmations of the fraudulent transactions in Gmail, Hotmail, and Yahoo! services via HTML code injection.
The consequence of this injection is that the victim is unaware that an illicit transfer to the perpetrator’s wallet has taken place. Another notable aspect of the add-on is its ability to extract system metadata, cookies, browser history, and screenshots of open tabs, and even to receive commands from the C2 server.
“The extension can update its functionality due to the technique used to retrieve the C2 server through the last transaction of a certain BTC wallet, which can be modified at any time by making another transaction to this wallet,” the researchers said.
“This allows threat actors to change domain URLs to other domains if banned or blocked by antivirus vendors.”

The development comes as a number of rogue extensions masquerading as legitimate utilities have been unearthed in the Chrome Web Store with the ability to spread adware and hijack search results to display sponsored links, paid search results, and potentially malicious links.
The extensions, while offering the promised features, contain obfuscated code that allows third-party websites to inject arbitrary JavaScript into every website a user visits without their knowledge.