
Cybersecurity firm Kaspersky Lab has identified a new cryptocurrency malware that could be potentially more dangerous than others previously found. The malware, dubbed Razy due to a file named trojan.win32.razy.gen, can spoof search results and attack browser extensions. Unlike other crypto malware, it is able to adapt itself to the Internet browser used by the victim.

Kaspersky researchers Victoria Vlasova and Vyacheslav Bogdanov wrote in a blog post, “Razy serves several purposes, mostly related to the theft of cryptocurrency.” It can search for addresses of crypto wallets on websites and replace them with other addresses, spoof images of QR codes that point to wallets, modify web pages of crypto exchanges and spoof Google and Yandex search results.

Specific to browser use, Razy installs an extension on Firefox, Firefox Protection, that can alter files in two folders, APPDATA and PROGRAMFILES. In Chrome and Yandex, Razy disables the “browser extension integrity check” and proceeds to create registry keys that disable browser updates. Subsequently, the Chrome application can become infected with a variety of extensions, most of which target Chrome Media Router, and the Yandex browser becomes infected with the “Yandex Protect” malware.

The researchers further explain, “Irrespective of the targeted browser type, Razy added the following scripts it brought along to the folder containing the malicious script: bgs.js, extab.js, firebase-app.js, firebase-messaging.js and firebase-messaging-sw.js… The file manifest.json was created in the same folder or was overwritten to ensure these scripts get called.”

The “firebase” files are legitimate files that belong to the Firebase platform, but are manipulated to send statistics to the malware provider’s Firebase account.
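As an added defender-side illustration, not code from the researchers' post or this article, the following Python scanner walks a directory of unpacked browser extensions and flags any folder laid out like the drop described above: the five quoted script names sitting beside, or referenced from, a manifest.json. Because the Firebase SDK files are legitimate on their own, only folders that also involve bgs.js or extab.js are reported; the demo tree and its manifests are constructed for the example.

```python
import json
import os
import tempfile

# Script names the researchers quote as dropped beside the malicious manifest.json.
RAZY_SCRIPTS = {"bgs.js", "extab.js", "firebase-app.js",
                "firebase-messaging.js", "firebase-messaging-sw.js"}
# firebase-*.js are legitimate SDK files; bgs.js and extab.js are particular to the drop.
RAZY_SPECIFIC = {"bgs.js", "extab.js"}

def manifest_script_names(manifest):
    """Return base names of the scripts a WebExtension manifest loads."""
    names = {os.path.basename(s) for s in manifest.get("background", {}).get("scripts", [])}
    for entry in manifest.get("content_scripts", []):
        names.update(os.path.basename(s) for s in entry.get("js", []))
    return names

def scan_extension_root(root):
    """Walk root; return [(folder, sorted matches)] for folders matching the Razy layout."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        matched = RAZY_SCRIPTS & set(files)  # named scripts sitting beside manifest.json
        try:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
                matched |= manifest_script_names(json.load(fh)) & RAZY_SCRIPTS
        except (OSError, ValueError):
            pass  # unreadable manifest: judge on file names alone
        if matched & RAZY_SPECIFIC:
            hits.append((dirpath, sorted(matched)))
    return hits

def build_demo_tree():
    """Constructed sample tree: one benign Firebase-using extension, one Razy-like folder."""
    root = tempfile.mkdtemp(prefix="ext-demo-")
    layouts = {
        "benign": (["firebase-app.js", "content.js"], {"content_scripts": [{"js": ["content.js"]}]}),
        "suspect": (["firebase-app.js", "firebase-messaging-sw.js"],
                    {"background": {"scripts": ["bgs.js"]},
                     "content_scripts": [{"js": ["extab.js"]}]}),
    }
    for folder, (files, manifest) in layouts.items():
        path = os.path.join(root, folder)
        os.makedirs(path)
        for name in files:
            open(os.path.join(path, name), "w").close()
        with open(os.path.join(path, "manifest.json"), "w") as fh:
            json.dump(manifest, fh)
    return root
```

Point `scan_extension_root` at the unpacked extension directories of the browser profile you are checking; the file-name heuristic is only a first pass and a flagged folder still needs manual review of the scripts themselves.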

Ultimately, unwitting netizens with an infected computer could visit a webpage, such as Binance.com or pro.coinbase.com, and be presented with crypto wallet addresses that aren’t legitimately owned by those entities. Instead, they belong to the provider of the malware. The blog post indicates, however, that the address spoofing works on virtually all web pages, except for those hosted by Google or Yandex.

Even Wikipedia pages are at risk. According to the researchers, “When the user visits Wikipedia, main.js adds a banner containing a request for donations to support the online encyclopedia. The cybercriminals’ wallet addresses are used in place of bank details. The original Wikipedia banner asking for donations (if present) is deleted.”

Kaspersky was able to identify the wallet addresses associated with the malware and determined that, as of its publication on the subject, 0.14 Bitcoin Core (BTC) and 25 Ether (ETH) had been pilfered. That amounts to around $471 in BTC and $2,545 in ETH at current market prices.
