A new malware campaign has been discovered that uses the Satacom downloader, also known as LegionLoader, to distribute a browser extension designed to steal cryptocurrency.
The Satacom downloader, a notorious malware family that emerged in 2019, is known for using DNS server queries to retrieve the next malware stage from another family associated with Satacom.
The malware is distributed through third-party websites, sometimes leveraging legitimate advertising plugins exploited by attackers to inject malicious advertisements into web pages.
According to a new advisory by Kaspersky, the main objective of the malware dropped by the Satacom downloader is to steal Bitcoin (BTC) from victims’ accounts. It achieves this by installing a Chromium-based web browser extension that communicates with a command-and-control (C2) server.
The extension employs various JavaScript scripts to manipulate the browser while the user visits targeted cryptocurrency websites. It can also alter the appearance of email services such as Gmail, Hotmail and Yahoo to hide notifications related to the victim's cryptocurrency activity.
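An extension that injects scripts into both webmail and cryptocurrency sites leaves a recognisable footprint in its manifest. The following triage script is an added example, not code from the article or from Kaspersky's advisory: it parses an unpacked Chromium extension's manifest.json and flags broad host access together with content scripts that target both webmail and crypto-related hosts. The host lists, keywords and sample manifests are constructed for illustration.

```python
import json
import re

# Constructed watchlists for illustration; a real deployment would curate these.
WEBMAIL_HOSTS = ("mail.google.com", "outlook.live.com", "mail.yahoo.com")
CRYPTO_KEYWORDS = ("bitcoin", "btc", "coinbase", "binance", "blockchain", "wallet")
BROAD_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def _hosts_from_matches(matches):
    """Extract the host part of Chromium match patterns like '*://mail.yahoo.com/*'."""
    hosts = []
    for pattern in matches:
        m = re.match(r"^\*?[a-z]*://([^/]+)/", pattern)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def triage_manifest(manifest_text):
    """Return a list of human-readable findings for one extension manifest."""
    manifest = json.loads(manifest_text)
    findings = []
    # MV2 puts host patterns in "permissions"; MV3 moves them to "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    broad = {p for p in perms if p in BROAD_PATTERNS}
    webmail, crypto = set(), set()
    for script in manifest.get("content_scripts", []):
        matches = script.get("matches", [])
        broad.update(p for p in matches if p in BROAD_PATTERNS)
        for host in _hosts_from_matches(matches):
            bare = host.lstrip("*.")  # '*.coinbase.com' -> 'coinbase.com'
            if any(bare.endswith(w) for w in WEBMAIL_HOSTS):
                webmail.add(host)
            if any(k in bare for k in CRYPTO_KEYWORDS):
                crypto.add(host)
    if broad:
        findings.append("broad host access: " + ", ".join(sorted(broad)))
    if webmail and crypto:
        findings.append("content scripts target both webmail (%s) and crypto sites (%s)"
                        % (", ".join(sorted(webmail)), ", ".join(sorted(crypto))))
    return findings


# Constructed manifests: one mirroring the behaviour described above, one benign.
SUSPECT_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Helper", "permissions": ["storage", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [
        {"matches": ["*://mail.google.com/*", "https://outlook.live.com/*"], "js": ["mail.js"]},
        {"matches": ["https://*.coinbase.com/*", "https://www.binance.com/*"], "js": ["w.js"]}]})
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Notes", "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["notes.js"]}]})
```

Run it over every manifest.json under the browser profile's Extensions directory and review anything that returns two findings.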
The initial infection occurs when a user downloads, from a fake software portal, a ZIP archive that contains legitimate DLLs alongside a malicious Setup.exe file.
The malware spreads through different types of websites, some of which have hardcoded download links, while others inject a deceptive “Download” button using legitimate ad plugins. Kaspersky highlighted that the QUADS ad plugin had been abused to deliver the Satacom malware.
Once executed, the malware uses process injection techniques to evade detection by antivirus programs. Kaspersky's researchers said that the dynamic nature of this campaign poses challenges for detection and mitigation.
Based on Kaspersky’s telemetry data, this campaign focuses on individual users globally. During Q1 2023, Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt and Mexico were the countries with the highest infection frequency.
Users are advised to exercise caution when downloading software from untrusted sources and to keep their antivirus software up to date to protect against such threats.
The Kaspersky advisory comes a few months after a US man was charged with fraudulently acquiring $110m worth of cryptocurrency from Mango Markets – a crypto exchange – and its customers.