Cryptominers Leverage Malicious Extensions and Fake Zoom Installers to Raise Revenue for Operators

Pushing cryptominers through extensions

• Shitcoin Wallet, a Chrome extension, injected malicious javascript codes on 77 websites to steal passwords and private keys from cryptocurrency wallets and cryptocurrency portals. Some of the affected major crypto platforms included Binance and MyCryptoWallet.
• A total of 49 extensions were removed by Google from its Chrome extension after they were found stealing crypto wallet keys. These extensions posed as genuine crypto wallet apps to trick users.

Other obfuscation techniques

• Cryptojacker hid a Monero cryptominer inside a WAV audio file to infect victims’ networks with crytominers.
• A malvertising campaign launched by the Domen toolkit used a fake VPN service as a lure to trap users into downloading a variety of malware including the IntelRapid cryptominer.
• Amid the COVID-19 pandemic, threat actors used the popularity of Zoom to distribute Coinminer. The malware came bundled with a Zoom installer available on a third-party store.

How are web browsers tackling the threat?

• Google Chrome is working on ‘Safety Check’ feature to clean up malicious extensions including those used for cryptomining. Over the years, Google has taken several measures to crack down on malicious software masquerading as legitimate extensions.
• Mozilla released Firefox 67 to block extensions that enable cryptomining.

For users

• Get familiarized with what permissions each browser extension uses by going to chrome://extensions/ and clicking on the “Details” tab for each extension.
• Never download software from unknown sources.
• Limit extensions to only execute on certain domains.