
Illegitimate extensions and the Satacom downloader: a new crypto-stealing malware menace

How the recent malware campaign abuses Chromium-based browsers and targets leading cryptocurrency platforms


A new malware campaign has recently been identified that uses the Satacom downloader as a vehicle to deliver a payload designed to steal cryptocurrency through a malicious extension for Chromium-based web browsers. The primary objective of the malware delivered by Satacom is to siphon Bitcoin from the victim's account by performing web injections on specific cryptocurrency websites, as detailed by Kaspersky researchers Haim Zigel and Oleg Kupreev.

Main targets and the introduction of the Satacom downloader

The campaign predominantly targets users of platforms such as Coinbase, Bybit, KuCoin, Huobi, and Binance, with most victims residing in countries including Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt, and Mexico. Also known as Legion Loader, the Satacom downloader was first identified in 2019 and serves as a distributor for follow-on payloads, including information stealers and cryptocurrency miners.

Infection mechanism and the stealthy execution process

Infection chains associated with the malware begin when users searching for pirated software are directed to fraudulent websites that host malware-laden ZIP files. The researchers elaborate that several kinds of websites help distribute the malware: some are inherently malicious sites with an embedded download link, whereas others abuse a legitimate ad plugin to place a 'Download' button on the page. Inside the ZIP file is an executable named "Setup.exe", roughly 5 MB of actual code but padded with null bytes to approximately 450 MB in order to hinder analysis and bypass detection tools that skip oversized files.
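Null-byte padding of the kind described above is cheap to spot on the defender's side. The following is an added example (not code from the article or from Kaspersky) that measures how much of a file is made up of zero bytes and flags oversized files dominated by padding; the size threshold, the null ratio, and the constructed sample files are assumptions chosen for illustration.

```python
"""Heuristic detector for executables bloated with null-byte padding.

Added example, not part of the original article or the campaign's tooling.
It reads a file in chunks, counts zero bytes and the run of zeros at the end,
and flags large files whose content is almost entirely padding, which is the
trick the article describes for the ~450 MB "Setup.exe" dropper.
"""
import os
import tempfile

CHUNK = 1 << 20                # 1 MiB reads keep memory flat on huge files
NULL_RATIO_THRESHOLD = 0.90    # assumption: >= 90 % zero bytes is suspicious
MIN_SIZE = 64 << 20            # assumption: only files >= 64 MiB are of interest


def null_stats(path):
    """Return (total_bytes, zero_bytes, trailing_zero_bytes) for a file."""
    total = zeros = trailing = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            total += len(chunk)
            zeros += chunk.count(0)
            # Length of the zero run at the end of this chunk; an all-zero
            # chunk extends the run carried over from the previous chunk.
            kept = len(chunk.rstrip(b"\x00"))
            trailing = trailing + len(chunk) if kept == 0 else len(chunk) - kept
    return total, zeros, trailing


def report(path, min_size=MIN_SIZE, ratio=NULL_RATIO_THRESHOLD):
    """Summarise a file and decide whether it looks padded to evade scanning."""
    total, zeros, trailing = null_stats(path)
    null_ratio = zeros / total if total else 0.0
    return {
        "size": total,
        "null_ratio": round(null_ratio, 3),
        "trailing_nulls": trailing,
        # Both conditions must hold: big enough to matter, mostly zeros.
        "suspicious": total >= min_size and null_ratio >= ratio,
    }


def write_sample(path, payload_kib, padding_kib):
    """Write a stand-in 'executable': payload_kib KiB of non-zero bytes followed
    by padding_kib KiB of nulls. Constructed data, not a real binary."""
    payload = (bytes(range(1, 256)) * (payload_kib * 5))[: payload_kib * 1024]
    with open(path, "wb") as fh:
        fh.write(payload)
        fh.write(b"\x00" * (padding_kib * 1024))


def demo():
    """Build two constructed samples in a temp dir and report on both.

    The sizes mirror the article's 5 MB / 450 MB ratio at KiB scale, so the
    minimum-size threshold is lowered to 64 KiB for the demonstration."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        padded = os.path.join(d, "Setup.exe")
        write_sample(padded, payload_kib=5, padding_kib=450)
        clean = os.path.join(d, "normal.exe")
        write_sample(clean, payload_kib=400, padding_kib=4)
        results["padded"] = report(padded, min_size=64 << 10)
        results["clean"] = report(clean, min_size=64 << 10)
    return results


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

The ratio test on its own would also flag legitimate installers that embed large zero-filled resources, so in practice the trailing-null count is the better signal: a genuine binary rarely ends in hundreds of megabytes of zeros, whereas padding appended after the real image almost always does.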

Running this binary starts the infection process, which culminates in the execution of the Satacom downloader. The downloader uses DNS requests as a command-and-control (C2) channel to retrieve the URL hosting the actual malware.

Advanced evasion techniques and malicious browser add-on

The infection chain, as documented by Kaspersky, ends with a PowerShell script that fetches the browser add-on from a remote third-party server. The script modifies the browser shortcut files on the compromised system, appending the "--load-extension" flag to the "Target" field so that the browser starts with the downloaded extension loaded. The add-on disguises itself as a Google Drive extension and applies web injections supplied by the C2 server: when the victim visits one of the targeted cryptocurrency websites, the page content is manipulated to steal cryptocurrency.
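Because the extension is side-loaded through a command-line flag rather than installed from the store, a browser launch carrying "--load-extension" is a useful detection point. The following is an added example (not code from the article or from Kaspersky) that scans process-creation records for Chromium-based browsers started with that flag and rates the finding by where the extension directory lives. The Sysmon-style "Image"/"CommandLine" record shape, the browser list, the user-writable path heuristic and all sample paths are assumptions made for the example.

```python
"""Flag Chromium browser launches that side-load an unpacked extension.

Added example, not part of the original article or Kaspersky's tooling. It
inspects constructed process-creation records (an assumed Sysmon-like shape
with "Image" and "CommandLine" fields) for the --load-extension flag that the
campaign plants in the browser shortcut's "Target" field.
"""
import re

# Assumption: the Chromium-based browser executables we care about.
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

# --load-extension=path1,path2   (the whole value may be wrapped in quotes)
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# Assumption: extensions living under user-writable locations are the most
# suspicious, since that is where a dropper can write without admin rights.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)

# Constructed sample records; every path below is invented for the example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\Users\alice\AppData\Roaming\extension'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --load-extension="C:\dev\my ext,D:\other"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe --load-extension=whatever"},
]


def sideloaded_extensions(event):
    """Return the extension directories a Chromium browser was told to
    side-load, or [] if the event is not a browser launch with that flag."""
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in CHROMIUM_BROWSERS:
        return []
    match = LOAD_EXT_RE.search(event.get("CommandLine", ""))
    if not match:
        return []
    value = match.group(1) if match.group(1) is not None else match.group(2)
    # Chromium accepts a comma-separated list of directories.
    return [p.strip() for p in value.split(",") if p.strip()]


def triage(events):
    """Produce one finding per browser launch that side-loads an extension,
    rated "high" when any directory is under a user-writable location."""
    findings = []
    for event in events:
        paths = sideloaded_extensions(event)
        if not paths:
            continue
        severity = "high" if any(USER_WRITABLE.search(p) for p in paths) else "review"
        findings.append({"image": event["Image"], "extensions": paths, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The same check applies to the shortcut files themselves: the "Target" field the script rewrites is exactly the command line that will appear in the process-creation event once the user next opens the browser, so inventorying shortcut arguments on endpoints catches the modification before the first launch.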

As a further evasion measure, the malicious extension contains scripts that hide the email confirmation of the fraudulent transaction in Gmail, Hotmail, and Yahoo! webmail by injecting HTML code into those pages. The victim consequently remains unaware of the transfer made to the attacker's wallet. The add-on can also harvest system metadata, cookies, browser history, and screenshots of open tabs, and can receive further commands from the C2 server.

The C2 server address is hidden in the script and addr fields of the most recent Bitcoin transaction associated with a wallet controlled by the attacker. This technique, also used by the Glupteba botnet malware, is meant to survive domain blockades or takedowns. The researchers note that the extension can update its functionality precisely because it retrieves the C2 server from the last transaction of a specific Bitcoin wallet: the attackers can post a new transaction at any time, which lets them change the domain URL if it is barred or blocked by antivirus vendors.

The appearance of this malware coincides with the discovery of several extensions on the Chrome Web Store masquerading as legitimate utilities and designed to spread adware and hijack search results to display sponsored links, paid search results, and potentially harmful links. While delivering the promised features, these extensions contained obfuscated code that allowed a third-party website to inject arbitrary JavaScript into every site the user visited, without the user's consent.


06/06/2023 21:11

Marco Verro
