A recent discovery has unveiled a new malware campaign that takes advantage of the Satacom downloader, also known as LegionLoader, to spread a browser extension designed to steal cryptocurrency. The Satacom downloader, a well-known malware family that first appeared in 2019, is notorious for using DNS server queries to fetch its next-stage payload, which belongs to a malware family related to Satacom.
This malicious software is typically distributed through third-party websites, sometimes exploiting legitimate advertising plugins that attackers use to inject harmful advertisements into web pages. According to a recent advisory by Kaspersky, the primary goal of the malware distributed by the Satacom downloader is to pilfer Bitcoin (BTC) from victims’ accounts. This is achieved by installing a Chromium-based web browser extension that communicates with a command-and-control (C2) server.
The browser extension utilizes various JavaScript scripts to manipulate users’ browsers when they visit specific cryptocurrency websites. Additionally, it can alter the appearance of email services such as Gmail, Hotmail, and Yahoo to conceal its activities related to the victim’s cryptocurrencies. The infection typically begins when a user downloads a ZIP archive from a counterfeit software portal; the archive contains both legitimate DLLs and a malicious Setup.exe file.
The malware spreads through different types of websites, some of which feature hardcoded download links, while others insert a deceptive “Download” button using legitimate ad plugins. Kaspersky pointed out that the QUADS ad plugin has been exploited to distribute the Satacom malware. Once executed, the malware utilizes process injection techniques to evade detection by antivirus programs. The ever-changing nature of this malware campaign presents challenges for both mitigation and detection.
Based on Kaspersky’s telemetry data, this campaign primarily targets individual users globally. In the first quarter of 2023, countries such as Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt, and Mexico experienced the highest frequency of infections. Users are strongly advised to exercise caution when downloading software from untrusted sources and to ensure that their antivirus software is regularly updated to safeguard against such threats.
This advisory from Kaspersky follows a recent incident where a US individual was charged with fraudulently obtaining $110 million worth of cryptocurrency from Mango Markets, a crypto exchange, and its customers. Stay vigilant and take proactive steps to protect yourself from these evolving cyber threats.