Cybersecurity experts have unveiled a new threat targeting cryptocurrency transactions through a malicious browser extension. Dubbed ‘Silent Swap’ by McAfee Labs, this campaign discreetly alters wallet addresses, posing significant risks to crypto users.
How Silent Swap Operates
The Silent Swap campaign is propagated via unsigned installers in both .NET and Golang versions, which deploy a harmful Chromium extension disguised as a legitimate ‘Google Notes’ tool. According to a technical report by McAfee Labs, these installers download a ZIP file that serves as the base for the extension. The extension then scans for Chromium-based browsers and terminates their processes so that it can inject itself by altering the browser's protected configuration files.
This extension acts as a clipper: it intercepts wallet addresses copied to the clipboard and replaces them, so that funds are redirected to a wallet controlled by the attackers. To achieve this, it requests permissions to access the clipboard, URLs, and browsing history. Given the irreversible nature of blockchain transactions, such swaps can lead to permanent financial losses.
Advanced Evasion Techniques
Silent Swap employs a method known as EtherHiding, utilizing the blockchain as a dead drop resolver to update command-and-control server details. This allows attackers to update server information without redeploying malware. The extension also manipulates protected settings in browsers like Chrome and Edge, enabling developer mode through social engineering to facilitate installation.
By recalculating security verification data, the malware deceives browsers into treating the extension as legitimate. This evasion strategy ensures the extension operates silently, bypassing normal installation processes.
Global Impact and Related Threats
Telemetry data indicates a widespread impact, with significant infection rates in India, the U.S., Brazil, Indonesia, and Spain. This campaign exemplifies the evolution of consumer-targeted crypto theft, moving from static attacker addresses to dynamic, server-side mappings.
In a related disclosure, malicious extensions on Chrome and Firefox, presented as ‘VPN Go: Free VPN,’ have been found to include clipboard stealing capabilities. These extensions not only target wallet addresses but also siphon sensitive data like passwords and authentication codes.
Conclusion and Recommendations
Users are advised to remove any suspicious browser extensions immediately and consider any secrets compromised during their activity. As cyber threats become more sophisticated, vigilance and proactive security measures are essential in protecting digital assets.
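One way to act on that advice is to audit installed extensions for the permission profile described above (clipboard access combined with URL or browsing-history access). The following script is an added example, not code from McAfee Labs or the article; it walks a Chromium-style Extensions folder (<id>/<version>/manifest.json), flags manifests matching that profile, and builds a throwaway sample folder with constructed extension ids so it runs offline.

```python
import json
import tempfile
from pathlib import Path
from typing import Optional

# Permission names matching the capability profile described above: clipboard access
# combined with visibility into URLs or browsing history (names are Chrome manifest keys).
CLIPBOARD_PERMS = {"clipboardRead", "clipboardWrite"}
BROWSING_PERMS = {"tabs", "history", "webNavigation"}

def audit_manifest(manifest: dict) -> Optional[dict]:
    """Return a finding if the manifest requests clipboard plus URL/history access, else None."""
    perms = set(manifest.get("permissions", []))
    # Manifest V3 keeps site access in host_permissions; V2 mixes URL patterns into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    clip, browse = perms & CLIPBOARD_PERMS, (perms & BROWSING_PERMS) | hosts
    if not (clip and browse):
        return None
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "clipboard": sorted(clip), "browsing": sorted(browse)}

def audit_extensions_dir(root: Path) -> list:
    """Walk a Chromium Extensions folder laid out as <id>/<version>/manifest.json."""
    findings = []
    for path in sorted(root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip it rather than abort the audit
        finding = audit_manifest(manifest)
        if finding:
            finding.update(ext_id=path.parts[-3], path=str(path))
            findings.append(finding)
    return findings

def build_sample_profile() -> Path:
    """Construct a throwaway Extensions folder: one benign manifest, one clipper-like one."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    samples = {  # extension ids below are constructed, not real
        "aaaabbbbccccddddeeeeffffgggghhhh/1.0_0": {"manifest_version": 3, "name": "Plain Notes",
            "version": "1.0", "permissions": ["storage"]},
        "zzzzyyyyxxxxwwwwvvvvuuuuttttssss/2.3_0": {"manifest_version": 3, "name": "Google Notes",
            "version": "2.3", "permissions": ["clipboardRead", "tabs", "history", "storage"],
            "host_permissions": ["<all_urls>"]},
    }
    for rel, manifest in samples.items():
        (root / rel).mkdir(parents=True)
        (root / rel / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root
```

Point audit_extensions_dir at a real profile's Extensions folder to list candidates for manual review; a match is a lead, not proof, since some legitimate tools request the same permissions.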
