A New Malware Campaign Exploits Satacom Downloader to Steal Cryptocurrency
A recent discovery has revealed a new malware campaign that takes advantage of the Satacom downloader, also known as LegionLoader, to distribute a malicious browser extension designed to steal cryptocurrency from unsuspecting victims.
The Satacom Downloader: A Notorious Malware Family
The Satacom downloader has been a prominent malware family since its emergence in 2019. It is notorious for using DNS queries to retrieve its next stage, a payload belonging to another malware family associated with Satacom.
Distribution and Modus Operandi
This malware is distributed through third-party websites, often using legitimate advertising plugins that are exploited by attackers to inject malicious advertisements into web pages. The main goal of the malware dropped by the Satacom downloader is to steal Bitcoin from victims’ accounts.
The malware achieves this by installing a Chromium-based web browser extension that communicates with a command-and-control (C2) server. The extension uses JavaScript to manipulate the user's browser while they are visiting targeted cryptocurrency websites. It can also alter the appearance of webmail services such as Gmail, Hotmail, and Yahoo to conceal notifications related to the victim's cryptocurrency activity.
Infection and Spread
The initial infection occurs when a user downloads a ZIP archive file from a fake software portal containing legitimate DLLs and a malicious Setup.exe file. The malware spreads through various websites, some of which have hardcoded download links, while others inject a deceptive “Download” button using legitimate ad plugins. The QUADS ad plugin has been identified as one of the tools used to deliver the Satacom malware.
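A triage check a defender can run on a downloaded archive before anyone opens it, added here as an example (not Kaspersky's or the campaign's code): it builds a constructed sample ZIP laid out like the one described above (one Setup.exe beside several DLLs, with placeholder bytes rather than real files), then inspects members without extracting, hashing each one for indicator lookup and flagging both the installer-plus-DLLs layout and any file whose bytes carry a PE header but a non-executable extension.

```python
import hashlib
import io
import os
import zipfile

# Extensions Windows will treat as code when they sit next to an installer.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com"}


def build_sample_archive() -> bytes:
    """Constructed sample: a ZIP shaped like the one in the article.
    Members hold placeholder bytes (an 'MZ' magic plus padding), not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Setup.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("libcrypto.dll", b"MZ" + b"\x00" * 32)
        zf.writestr("libssl.dll", b"MZ" + b"\x00" * 32)
        zf.writestr("README.txt", b"installer notes")
    return buf.getvalue()


def triage_archive(data: bytes) -> dict:
    """Summarise a ZIP's members without writing anything to disk.
    The sha256 values can be compared against threat-intel indicators."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            payload = zf.read(info)
            ext = os.path.splitext(info.filename)[1].lower()
            members.append({
                "name": info.filename,
                "ext": ext,
                "sha256": hashlib.sha256(payload).hexdigest(),
                "pe_header": payload[:2] == b"MZ",  # DOS/PE magic
            })
    exe_count = sum(1 for m in members if m["ext"] == ".exe")
    dll_count = sum(1 for m in members if m["ext"] == ".dll")
    # PE bytes behind a harmless-looking extension deserve a closer look.
    disguised = [m["name"] for m in members
                 if m["pe_header"] and m["ext"] not in EXECUTABLE_EXT]
    return {
        "members": members,
        "exe_count": exe_count,
        "dll_count": dll_count,
        # Heuristic only: a single installer bundled with DLLs it will load
        # from its own directory is the layout this campaign used.
        "suspicious_layout": exe_count == 1 and dll_count >= 1,
        "disguised_executables": disguised,
    }
```

A flagged layout is a reason to detonate the archive in a sandbox or check the member hashes, not proof of malice on its own.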
Challenges for Mitigation and Detection
Once executed, the malware employs process injection techniques to evade detection by antivirus programs. The dynamic nature of this malware campaign poses challenges for mitigation and detection, making it crucial for users to exercise caution when downloading software from untrusted sources and to keep their antivirus software up to date.
Global Impact and Prevention
Based on Kaspersky’s telemetry data, this campaign targets individual users globally, with countries like Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt, and Mexico experiencing the highest infection frequencies. Users are advised to stay vigilant and take necessary precautions to protect themselves from such threats.
This advisory from Kaspersky comes in the wake of a recent incident where a US man was charged with fraudulently acquiring $110 million worth of cryptocurrency from Mango Markets and its customers, highlighting the ongoing risks associated with cryptocurrency theft.