A particularly nasty crypto-stealing malware has been given a facelift to make it even more dangerous, researchers claim.
Usually, ViperSoftX would check the contents of the infected endpoint’s clipboard and, if the victim copied and pasted the address of a cryptocurrency wallet, replace the clipboard’s contents with the attackers’ address. That way, when victims send their money, it ends up in the hands of the attackers.
Fake Google Sheets add-on
Cryptocurrency addresses are long strings of seemingly random characters, which makes this type of hijack relatively successful. The add-on basically does the same thing, but a little more efficiently. It’s called Google Sheets 2.1, to dispel any suspicion among victims.
“VenomSoftX primarily does this (stealing crypto) by linking API requests to a few very popular crypto exchanges that victims have an account with or visit,” the researchers said. “For example, when a particular API is called to send money, VenomSoftX tampers with the request before sending it to redirect the money to the attacker instead.”
Avast says the trojan is targeting multiple major crypto players, such as Coinbase, Binance, Kucoin, Gate.io, and Blockchain.com. It doesn’t stop there though – it also monitors the clipboard for any other wallets that get pasted.
There are two terrifying details about VenomSoftX. First, the extension can modify the HTML on websites so that the page displays the address of the victim’s cryptocurrency wallet. In other words, even a visual inspection of the address after pasting will not help. Second, the malware intercepts all API requests to the services and sets the transaction amount to the maximum. That way, even if the victim makes a test transaction first (a small transaction of say $10), the victim still loses all their money.
And finally, on Blockchain.com, it will try to steal the password if the victim enters it on the site.
So far, the researchers say, the attackers have managed to steal about $130,000 worth of various cryptocurrencies. We don’t know how many people have been infected, but we do know that most of the victims are in the US, Italy, Brazil and India.
There is no such thing as Google Sheets 2.1, so if you see this add-on installed, make sure you uninstall it immediately.
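One way to check for the add-on by name, as an added example that is not code from the researchers or the original article: the script below walks a directory tree, reads each browser extension's manifest.json, resolves a localized `__MSG_…__` name if one is used, and reports any extension whose display name is "Google Sheets 2.1". The function names and the sample tree are assumptions made for illustration; the sample manifests are constructed.

```python
import json
import tempfile
from pathlib import Path

SUSPECT_NAME = "Google Sheets 2.1"  # add-on name reported in the article


def display_name(ext_dir: Path) -> str:
    """Return an extension's display name, resolving a __MSG_key__ placeholder."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2].lower()  # message keys are case-insensitive
        locale = manifest.get("default_locale", "en")
        messages = json.loads(
            (ext_dir / "_locales" / locale / "messages.json").read_text(encoding="utf-8"))
        for k, v in messages.items():
            if k.lower() == key:
                return str(v.get("message", name))
    return name


def find_suspect_extensions(root: Path, suspect: str = SUSPECT_NAME) -> list[Path]:
    """Return every extension directory under root whose display name is `suspect`."""
    hits = []
    for manifest in root.rglob("manifest.json"):
        try:
            name = display_name(manifest.parent)
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed extension: skip it
        if name.strip().casefold() == suspect.casefold():
            hits.append(manifest.parent)
    return sorted(hits)


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: one benign extension and two using the suspect name."""
    def write(rel: str, data: dict) -> None:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(data), encoding="utf-8")
    write("Extensions/aaaa/1.0_0/manifest.json", {"name": "Benign Notes"})
    write("Extensions/bbbb/2.1_0/manifest.json", {"name": "Google Sheets 2.1"})
    write("unpacked/cccc/manifest.json", {"name": "__MSG_appName__", "default_locale": "en"})
    write("unpacked/cccc/_locales/en/messages.json", {"appname": {"message": "Google Sheets 2.1"}})


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for hit in find_suspect_extensions(Path(tmp)):
            print("suspect extension:", hit)
```

Point `find_suspect_extensions` at a browser profile directory and at any folder an unpacked extension could be loaded from. A name match is a lead to investigate, and an add-on using a different name will not match.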
Via: Bleeping Computer