One of the extensions for Google Chrome, Shitcoin Wallet injects a special JavaScript code into web pages. Using this code, attackers steal passwords and private keys from cryptocurrency wallets and services.
The first problematic addon appeared on December 9th. The extension received the identifier ckkgmccefffnbbalkmbbgebbojjogffn.
Shitcoin Wallet developers claim that the extension allows users to manage Ether (ETH) currency, as well as Ethereum ERC20 tokens.
“Users can install the Chrome extension and manage ETH coins and ERC20 tokens from within their browser, or they can install a Windows desktop app, if they want to manage their funds from outside a browser’s risky environment”, — says Shitcoin Wallet description.
There is also a similar application for Windows, however, attackers focus on the addon.
In fact, it turned out that Shitcoin Wallet has completely different goals.
According to Harry Danley, head of security for the MyCrypto platform, the extension contains malicious code.
This addon is dangerous for users of the Chrome browser for two reasons:
“First: Any funds (ETH coins and ERC0-based tokens) managed directly inside the extension are at risk. The extension sends the private keys of all wallets created or managed through its interface to a third-party website located at erc20wallet[.]tk. Second, the extension also actively injects malicious JavaScript code when users navigate to five well-known and popular cryptocurrency management platforms. This code steals login credentials and private keys, data that it’s sent to the same erc20wallet[.]tk third-party website”, — explained Harry Denley.
According to an analysis of the malicious code on ZDNet, the process goes as follows:
- Users install the Chrome extension
- Chrome extension requests permission to inject JavaScript (JS) code on 77 websites
- When users navigate to any of these 77 sites, the extension loads and injects an additional JS file from: https://erc20wallet[.]tk/js/content_.js
- This JS file contains obfuscated code
- The code activates on five websites: MyEtherWallet.com, Idex.Market, Binance.org, NeoTracker.io, and Switcheo.exchange
- Once activated, the malicious JS code records the user’s login credentials, searches for private keys stored inside the dashboards of the five services, and, finally, sends the data to erc20wallet[.]tk
It is unclear whether the Shitcoin Wallet team is responsible for the malicious code or whether the Chrome extension was hacked by a third party. However, for example, the ToTok messenger was almost specially created in collaboration with the UAE special services for total tracking of users.
