New crypto malware is versatile and extremely dangerous

Getting your Trinity Audio player ready...

Cybersecurity firm Kaspersky Lab has identified a new cryptocurrency malware that could be potentially more dangerous than others previously found. The malware, dubbed Razy due to a file named trojan.win32.razy.gen, can spoof search results and attack browser extensions. As opposed to other crypto malware, it is able to adapt itself based on the Internet browser used by the victim.

Kaspersky researchers Victoria Vlasova and Vyacheslav Bogdanov wrote in a blog post, “Razy serves several purposes, mostly related to the theft of cryptocurrency.” It can search for addresses of crypto wallets on websites and replace them with other addresses, spoof images of QR codes that point to wallets, modify web pages of crypto exchanges and spoof Google and Yandex search results.

Specific to browser use, Razy installs an extension on Firefox, Firefox Protection, that can alter files in two folders, APPDATA and PROGRAMFILES. In Chrome and Yandex, Razy disables the “browser extension integrity check” and proceeds to create registry keys that disable browser updates. Subsequently, the Chrome application can become infected with a variety of extensions, most of which target Chrome Media Router, and the Yandex browser becomes infected with the “Yandex Protect” malware.

The researchers further explain, “Irrespective of the targeted browser type, Razy added the following scripts it brought along to the folder containing the malicious script: bgs.js, extab.js, firebase-app.js, firebase-messaging.js and firebase-messaging-sw.js… The file manifest.json was created in the same folder or was overwritten to ensure these scripts get called.”

The ”firebase” files are legitimate files that belong to the Firebase platform, but are manipulated to send statistics to the malware provider’s Firebase account.

Ultimately, unwitting netizens with an infected computer could visit a webpage, such as Binance.com or pro.coinbase.com and be presented with crypto wallet addresses that aren’t legitimately owned by those entities. Instead, they belong to the provider of the malware. The blog post indicates, however, that the obfuscation works on virtually all web pages, except for those hosted by Google or Yandex.

Even Wikipedia pages are at risk. According to the researchers, “When the user visits Wikipedia, main.js adds a banner containing a request for donations to support the online encyclopedia. The cybercriminals’ wallet addresses are used in place of bank details. The original Wikipedia banner asking for donations (if present) is deleted.”

Kaspersky was able to identify the wallet addresses associated with the malware and determined that, as of its publication on the subject, 0.14 Bitcoin Core (BTC) and 25 Ether (ETH) had been pilfered. That amounts to around $471 BTC and $2,545 ETH at current market prices.