2023-06-14

Kaspersky has announced that it has discovered Satacom, a campaign that uses a malicious extension for the Chrome, Brave and Opera browsers to steal cryptocurrencies. Nearly 30,000 users have been at risk of attack over the past two months. The attackers carried out a series of malicious actions to keep the extension from being detected while users browse affected cryptocurrency exchange sites, including Coinbase and Binance. Additionally, the extension allows the threat actors to hide any successful-transaction notifications that these sites send to victims. The detailed campaign report is available at Securelist.

How it works

The campaign is linked to the Satacom Downloader, a malware family active since 2019 and mainly distributed via malvertising on third-party sites. Malicious links or ads redirect users to fake file-sharing services and other pages that offer an archive containing the Satacom Downloader. In this specific case, the downloader fetches the malicious extension. The latest campaign thus installs a browser extension that steals cryptocurrencies and hides its activity.

The goal of the campaign is to steal bitcoin (BTC) from victims’ accounts by performing web injections on specific cryptocurrency sites. However, the malware can easily be modified to target other cryptocurrencies. It installs an extension for Chromium-based browsers – such as Chrome, Brave and Opera – and targets individual cryptocurrency owners around the world. According to Kaspersky telemetry, between April and May nearly 30,000 users risked falling victim to the campaign. The countries most affected in the last two months were Brazil, Mexico, Algeria, Turkey, India, Vietnam and Indonesia.

Not just cryptocurrency thefts

The malicious extension modifies what the browser displays while the user browses cryptocurrency exchange sites. The campaign affects users of Coinbase, Bybit, Kucoin, Huobi and Binance. In addition to stealing cryptocurrencies, the extension performs further actions to hide its main activity, such as hiding transaction confirmation emails and modifying existing email threads to create fake threads that look like the real ones.

How the infection spreads

In this campaign, the threat actors do not need to find a way into the official extension stores, because they use the Satacom Downloader. The infection begins with a ZIP file downloaded from a site that imitates a software portal and offers the desired (often cracked) software for free. Satacom usually downloads various binaries onto the victim’s computer. In this case, Kaspersky researchers found that a PowerShell script installed the malicious extension in the browser.

Subsequently, a series of malicious actions allows the extension to work undisturbed while the user surfs the internet. As a result, the threat actors are able to transfer BTC from victims’ wallets to their own by means of web injections.
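Because the extension is dropped by a PowerShell script rather than installed from an official store, a useful triage step on a suspect machine is to list the extensions a Chromium profile has loaded from outside the web store. The script below is an added example for this article, not Kaspersky's code or anything from the Securelist report. It reads the profile's Preferences (or, on Windows, Secure Preferences) JSON and flags entries whose `location` is not the normal store install. The field names `extensions.settings`, `from_webstore`, `location`, `path` and `manifest` are real Chromium preference keys; the numeric meaning of `location` is the Chromium ManifestLocation enum as assumed here, and the sample profile data is constructed.

```python
"""Flag Chromium extensions that were not installed from the web store.

Added example (defender triage), not code from the article or from Kaspersky.
Reads extensions.settings from a Chromium 'Preferences' / 'Secure Preferences'
file and reports sideloaded, unpacked or externally pushed extensions.
"""
import json
import sys
from pathlib import Path

# Chromium ManifestLocation values (assumption: taken from the Chromium
# source as understood here; 1 = INTERNAL is the normal store install path).
LOCATION_NAMES = {
    1: "internal", 2: "external_pref", 3: "external_registry", 4: "unpacked",
    5: "component", 6: "external_pref_download", 7: "external_policy_download",
    8: "command_line", 9: "external_policy", 10: "external_component",
}
# Component extensions ship inside the browser binary and are not a finding.
BENIGN_LOCATIONS = {5, 10}


def find_sideloaded(prefs: dict) -> list[dict]:
    """Return one record per extension that did not arrive via the web store."""
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        loc = entry.get("location")
        if loc in BENIGN_LOCATIONS:
            continue
        # A clean store install is location INTERNAL and from_webstore == True.
        if loc == 1 and entry.get("from_webstore") is True:
            continue
        manifest = entry.get("manifest", {})
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "<no manifest name>"),
            "location": LOCATION_NAMES.get(loc, f"unknown({loc})"),
            "path": entry.get("path", ""),
            # Hosts the extension may read/modify; exchange domains here
            # are exactly what a web-injecting extension needs.
            "hosts": manifest.get("host_permissions", [])
                     + [p for p in manifest.get("permissions", []) if "://" in p],
        })
    return findings


def load_prefs(path: str) -> dict:
    """Load a Preferences/Secure Preferences file (plain JSON)."""
    return json.loads(Path(path).read_text(encoding="utf-8"))


# Constructed sample mimicking a profile's Preferences; IDs, names and paths
# are made up for illustration.
SAMPLE_PREFS = {
    "extensions": {"settings": {
        "abcdefghijklmnopabcdefghijklmnop": {
            "from_webstore": True, "location": 1,
            "path": "abcdefghijklmnopabcdefghijklmnop\\1.2.0_0",
            "manifest": {"name": "Store-installed extension (sample)"},
        },
        "ponmlkjihgfedcbaponmlkjihgfedcba": {
            "from_webstore": False, "location": 4,
            "path": "C:\\Users\\user\\AppData\\Local\\Temp\\ext_sample",
            "manifest": {
                "name": "Sideloaded extension (sample)",
                "host_permissions": ["https://*.coinbase.com/*",
                                     "https://*.binance.com/*"],
            },
        },
        "mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm": {
            "location": 5, "manifest": {"name": "Built-in component (sample)"},
        },
    }}
}


if __name__ == "__main__":
    # Usage: python check_extensions.py [path/to/Preferences]
    prefs = load_prefs(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PREFS
    for hit in find_sideloaded(prefs):
        print(f"{hit['id']}  {hit['location']:<22} {hit['name']}")
        print(f"    path:  {hit['path']}")
        print(f"    hosts: {', '.join(hit['hosts']) or '-'}")
```

Run it against the constructed sample and only the unpacked extension is reported, together with the exchange domains it asked for; run it against a real profile's Preferences file and review anything listed, paying particular attention to unpacked or temp-directory paths and to host permissions covering exchange sites. On Windows the relevant file for installed extensions is usually `Secure Preferences` in the same profile directory.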

Check accounts

Haim Zigel, Malware Analyst at Kaspersky

Cybercriminals have enhanced the extension by adding the ability to control it through script modifications. This means they can easily start targeting other cryptocurrencies. Also, since the extension is browser-based, it can affect Windows, Linux, and macOS platforms. As a precaution, users are advised to check their accounts regularly for suspicious activity and use reputable security solutions to protect themselves against threats like these.

Kaspersky recommendations

To use cryptocurrencies safely and get the most out of them:

Beware of phishing scams: scammers use phishing emails to trick users into revealing login credentials or private keys. Always check the URL of the site and do not click on suspicious links.

Never share the private keys that open your cryptocurrency wallet with anyone.

Stay up to date on the latest threats and best practices for protecting your cryptocurrencies. The more you know about security, the better you will be able to prevent cyber attacks.

