A recently uncovered malware campaign uses the Satacom downloader to deliver a stealthy cryptocurrency-stealing payload. The payload steals BTC from victims' exchange accounts by injecting malicious code into the web pages of targeted cryptocurrency platforms, among them Coinbase, Bybit, KuCoin, Huobi and Binance. Most observed victims are in Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt and Mexico.
The Satacom downloader, also known as Legion Loader, has previously served as a dropper for a range of malware, including information stealers and cryptocurrency miners. Infection begins when users searching for cracked software are redirected to fraudulent websites hosting ZIP archives that contain the malware. These sites use several techniques to push the archive, such as hardcoded download links or download buttons injected through otherwise legitimate ad plugins.
The archive contains an executable named "Setup.exe" that has been padded with null bytes to inflate its size, a simple trick for staying under the radar of scanners and sandboxes that skip or truncate large files. Running the binary starts the infection chain and executes the Satacom downloader, which uses a DNS TXT query as its command-and-control channel to retrieve the URL hosting the actual payload.
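The null-byte padding described above is easy to measure during triage. The following script is an added example, not code from the original article or from the researchers who analysed the campaign; the sample bytes it inspects are constructed in the block (a fake 4 KiB program followed by 2 MiB of zeros) and the thresholds are assumptions chosen for illustration. It reports how much of a file is padding and hashes the file with the trailing zeros stripped, which lets you correlate samples that differ only in how much padding was appended.

```python
import hashlib
from typing import Dict

# Thresholds are a judgement call (assumed values): a legitimate installer
# rarely ends in a long run of zero bytes and rarely has half its bytes zero.
MIN_TRAILING_NULLS = 64 * 1024   # 64 KiB of trailing zeros is already unusual
MAX_NULL_FRACTION = 0.50


def padding_report(data: bytes) -> Dict[str, object]:
    """Measure null-byte padding in a file image and flag inflated samples.

    sha256_stripped is the hash of the image with trailing zeros removed, so
    two drops of the same code padded to different sizes share one value.
    """
    size = len(data)
    null_total = data.count(0)
    stripped = data.rstrip(b"\x00")
    trailing = size - len(stripped)
    fraction = null_total / size if size else 0.0
    return {
        "size": size,
        "null_fraction": round(fraction, 3),
        "trailing_null_bytes": trailing,
        "sha256_stripped": hashlib.sha256(stripped).hexdigest(),
        "suspicious": trailing >= MIN_TRAILING_NULLS or fraction >= MAX_NULL_FRACTION,
    }


def padding_report_for_file(path: str) -> Dict[str, object]:
    """Same report for a file on disk (reads the whole file into memory)."""
    with open(path, "rb") as f:
        return padding_report(f.read())


# Constructed sample data, not a real binary: a fake 4 KiB "program" with a
# non-zero final byte, and the same bytes followed by 2 MiB of null padding,
# the shape described for Setup.exe.
FAKE_CODE = bytes((i * 37 + 11) % 256 for i in range(4096))
PADDED_SAMPLE = FAKE_CODE + b"\x00" * (2 * 1024 * 1024)


if __name__ == "__main__":
    for name, blob in (("clean", FAKE_CODE), ("padded", PADDED_SAMPLE)):
        print(name, padding_report(blob))
```

Run padding_report_for_file on a suspect Setup.exe; a file whose trailing_null_bytes is in the megabytes is worth a closer look regardless of what the stripped image turns out to be, and the stripped hash is the one to search for in threat-intel feeds rather than the hash of the inflated file.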
The campaign then runs a PowerShell script that downloads a browser add-on from a remote server and modifies the browser shortcut files on the compromised system so that the browser is launched with the downloaded extension side-loaded through a command-line option (Chromium-based browsers accept --load-extension for exactly this purpose). The malicious add-on masquerades as a Google Drive extension and applies web injections pushed by the command-and-control server to manipulate the content of targeted cryptocurrency websites and divert funds.
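Because the extension is loaded through a modified shortcut rather than installed from a store, the shortcut itself is a good place to hunt. The scanner below is an added example, not code from the original article or from the campaign analysis; it searches .lnk files for side-loading options in both the UTF-16LE and ASCII encodings that shortcut string data can use, and the two shortcut files it examines are constructed in the block (a minimal shell-link header plus an arguments string, not complete real shortcuts). The flag list, file names and paths are assumptions.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Options that make a Chromium-based browser load an unpacked extension or
# weaken extension policy; any of them in a user's shortcut is worth a look.
SUSPICIOUS_ARGS = ("--load-extension", "--disable-extensions-except")

LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"   # HeaderSize field is always 0x4C


def suspicious_args_in_shortcut(data: bytes) -> List[str]:
    """Return the suspicious options found in raw .lnk bytes.

    String data in a shell link is UTF-16LE when the IsUnicode flag is set
    (the usual case on modern Windows) and ANSI otherwise, so both forms are
    checked; a substring search avoids depending on the rest of the format.
    """
    found = []
    for flag in SUSPICIOUS_ARGS:
        if flag.encode("utf-16-le") in data or flag.encode("ascii") in data:
            found.append(flag)
    return found


def scan_shortcuts(root) -> Dict[str, List[str]]:
    """Walk a directory tree and map each offending .lnk path to its flags."""
    hits = {}
    for path in Path(root).rglob("*.lnk"):
        try:
            data = path.read_bytes()
        except OSError:
            continue
        if not data.startswith(LNK_HEADER_SIZE):
            continue
        flags = suspicious_args_in_shortcut(data)
        if flags:
            hits[str(path)] = flags
    return hits


def default_roots() -> List[str]:
    """Places shortcuts normally live on Windows (assumed, env-dependent)."""
    roots = []
    for var, sub in (("USERPROFILE", "Desktop"),
                     ("APPDATA", r"Microsoft\Windows\Start Menu"),
                     ("APPDATA", r"Microsoft\Internet Explorer\Quick Launch"),
                     ("PROGRAMDATA", r"Microsoft\Windows\Start Menu"),
                     ("PUBLIC", "Desktop")):
        base = os.environ.get(var)
        if base:
            roots.append(os.path.join(base, sub))
    return roots


def build_fake_lnk(arguments: str) -> bytes:
    """Constructed test data only: a 76-byte shell link header with the
    HasArguments (0x20) and IsUnicode (0x80) LinkFlags set, followed by a
    length-prefixed UTF-16LE arguments string. Real shortcuts carry more
    structures in between; the scanner deliberately does not rely on them."""
    header = bytearray(76)
    header[0:4] = LNK_HEADER_SIZE
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID
    header[20:24] = (0x20 | 0x80).to_bytes(4, "little")
    return bytes(header) + len(arguments).to_bytes(2, "little") + arguments.encode("utf-16-le")


def demo() -> Dict[str, List[str]]:
    """Scan two constructed shortcuts: one tampered, one benign."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Google Chrome.lnk").write_bytes(build_fake_lnk(
            '--load-extension="C:\\Users\\victim\\AppData\\Local\\Temp\\gdrive"'))
        (root / "Microsoft Edge.lnk").write_bytes(build_fake_lnk(
            "--profile-directory=Default"))
        return {Path(p).name: flags for p, flags in scan_shortcuts(root).items()}


if __name__ == "__main__":
    print("demo:", demo())
    for root in default_roots():
        if os.path.isdir(root):
            for path, flags in scan_shortcuts(root).items():
                print(path, flags)
```

A hit on a shortcut is only the starting point: the path given to --load-extension tells you where the unpacked extension lives, and that directory (usually somewhere writable by the user, such as a temp or AppData folder) is what to collect next.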
To survive domain blocklisting and takedowns, the campaign does not hardcode its command-and-control address. Instead, the extension reads the script and address fields of the most recent Bitcoin transaction made from a wallet the attackers control and derives the C2 address from them. The add-on also hides email confirmations of the fraudulent transactions in Gmail, Hotmail and Yahoo! webmail by injecting HTML into those pages.
In addition, the malicious extension can collect system metadata, cookies, browser history and screenshots, and it accepts commands from the command-and-control server. Because the C2 URL is read from the blockchain, the operators can rotate it simply by sending a new transaction from the controlled wallet, so a domain that is blocked or taken down after being flagged by antivirus vendors is replaced without touching the infected machines.
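The blockchain dead drop in the two paragraphs above is worth understanding in code, because an analyst can resolve the current C2 the same way the extension does and block it. The resolver below is an added example, not the campaign's own code and not from the original article; the article says only that the C2 is taken from the script and address fields of the wallet's latest transaction, so the specific decoding used here (an OP_RETURN output carrying the address, with a plain output address as fallback) is an assumption. The explorer response it parses is constructed inline, with a hypothetical wallet and a .invalid domain, and its shape is loosely modelled on a public block-explorer API rather than any particular one.

```python
import json
from typing import Dict, List, Optional

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C


def decode_op_return(script_hex: str) -> Optional[bytes]:
    """Return the data pushed by an OP_RETURN output script, or None.

    Handles the direct pushes (1..75 bytes) and OP_PUSHDATA1 that cover any
    payload the size of a hostname or URL. Anything else is not a data carrier.
    """
    try:
        script = bytes.fromhex(script_hex)
    except ValueError:
        return None
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    n = script[1]
    if 1 <= n <= 75 and len(script) >= 2 + n:
        return script[2:2 + n]
    if n == OP_PUSHDATA1 and len(script) >= 3 and len(script) >= 3 + script[2]:
        return script[3:3 + script[2]]
    return None


def resolve_c2(explorer_json: str) -> Dict[str, object]:
    """Pick the wallet's newest transaction and extract C2 candidates from
    its outputs: decoded OP_RETURN payloads first, output addresses second.
    The caller decides which candidate is the live C2; blocking all of them
    is the safe default."""
    data = json.loads(explorer_json)
    if not data.get("txs"):
        return {"txid": None, "candidates": []}
    latest = max(data["txs"], key=lambda tx: tx["time"])
    candidates: List[Dict[str, str]] = []
    for out in latest.get("out", []):
        payload = decode_op_return(out.get("script", ""))
        if payload is not None:
            candidates.append({"source": "script",
                               "value": payload.decode("ascii", "replace")})
        elif out.get("addr"):
            candidates.append({"source": "addr", "value": out["addr"]})
    return {"txid": latest["hash"], "candidates": candidates}


def op_return_script(payload: bytes) -> str:
    """Hex for an OP_RETURN output script with a direct push (payload <= 75 bytes)."""
    assert len(payload) <= 75
    return f"{OP_RETURN:02x}{len(payload):02x}" + payload.hex()


# Constructed sample (hypothetical wallet, txids and domain): an older
# payment-style transaction and a newer one whose first output carries the
# C2 hostname in OP_RETURN while its second output returns change.
SAMPLE_EXPLORER_RESPONSE = json.dumps({
    "address": "bc1qexampledeaddropwallet0000000000000000",
    "txs": [
        {"hash": "aa" * 32, "time": 1685000000,
         "out": [{"script": "76a914" + "11" * 20 + "88ac", "addr": "1OlderExampleAddr"}]},
        {"hash": "bb" * 32, "time": 1686000000,
         "out": [{"script": op_return_script(b"c2.example.invalid"), "addr": None},
                 {"script": "0014" + "22" * 20, "addr": "bc1qchangeexample0000000000000000000000"}]},
    ],
})


if __name__ == "__main__":
    print(json.dumps(resolve_c2(SAMPLE_EXPLORER_RESPONSE), indent=2))
```

In practice the response comes from whichever explorer the malware queries, and the request itself is a useful detection point: a browser extension fetching a block-explorer API for a wallet it has no business watching, right before a connection to a fresh domain, is the behaviour to alert on.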
Users should be cautious when downloading software from untrusted sources, cracked software in particular, and keep their systems protected with up-to-date security software. On a suspect machine it is also worth checking the command line stored in browser shortcuts for an unexpected --load-extension option and reviewing the installed extensions list, since an extension side-loaded this way was never installed from the browser's official store.