Virus descriptions, 11/23/2022, 12:00 PM
Avast has warned that a well-known Windows malware, ViperSoftX, installs a dangerous data-stealing extension into Chromium-based web browsers.
The rogue browser add-on was named VenomSoftX by Avast for its standalone features that allow it to access all visited websites, steal credentials and other data, and even change cryptocurrency addresses.
ViperSoftX was first noticed in February 2020. The malware is described as a remote access trojan and cryptocurrency theft malware.
Malware using browser extensions to gather information was noticed earlier this year.
ViperSoftX is commonly distributed using cracked Adobe Illustrator and Microsoft Office software found on file-sharing sites.
The downloaded executable comes with a clean version of the cracked software along with additional files that ensure persistence on the infected computer and contain the ViperSoftX PowerShell script.
Newer variants of the malware can load the VenomSoftX plugin, which is downloaded from the attacker’s server, into browsers such as Google Chrome, Microsoft Edge, Opera, Brave and Vivaldi.
The extension tries to disguise itself as a well-known and common extension such as Google Sheets. A similar extension-loading tactic was used by the well-known data-stealing malware ChromeLoader (Choziosi Loader or ChromeBack).
Both VenomSoftX and ViperSoftX can steal cryptocurrency from their victims; they differ only in how they do it. Services targeted by the extension include Blockchain.com, Binance, Coinbase, Gate.io, and Kucoin.
Avast says it has detected and blocked over 93,000 infections since the start of 2022, with the majority of affected users located in India, the US, Italy, Brazil, the UK, Canada, France, Pakistan and South Africa.
As of November 8, 2022, this operation netted cybercriminals around $130,000 in various cryptocurrencies, according to the Czech company.