Trend Micro tracks CopperStealer’s new campaign, which distributes a malicious Chromium-based browser extension to steal cryptocurrencies and wallet keys. The operation uses a multi-stage dropper, heavy JavaScript obfuscation, and browser-configuration manipulation to install the extension, exfiltrate API keys, and siphon funds from targeted wallets.
hashtags: #CopperStealer #ChromeExtension #Coinbase #Binance #FTX
Keypoints
- CopperStealer is distributed via fake crack (warez) websites, bundled in password-protected archives with other malware components.
- The malicious extension targets Chromium-based browsers and uses two distinct extension IDs not found in the official Chrome Web Store.
- The extension’s CRX package contains a 7-Zip archive; the installer modifies browser Preferences/Secure Preferences and adds the extension to the registry allow-list for auto-start.
- The JavaScript components are heavily obfuscated with a two-layer process to hinder analysis.
- Background script contacts the attacker C2, collecting a list of target domains from cookies (e.g., blockchain.com, coinbase.com, binance.com, etc.) and attempts wallet account discovery via API keys stored in the browser.
- The malware attempts to harvest Coinbase API keys and API secrets from Chrome local storage and may drain up to 85% of wallet balances by transferring funds to attacker wallets.
- The extension’s content/script flow exploits Coinbase’s API flow (including 2FA prompts) to create API keys with full account permissions and exfiltrates the keys via the C2 channel; the C2 domain uses a DGA-like format and CodeIgniter PHP for infrastructure.
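The installer changes described above (entries added to Preferences/Secure Preferences and to the registry extension allow-list) leave artifacts a defender can audit. The following is an added example, not code from Trend Micro's report: it parses a Chromium Preferences file for the two extension IDs named on this page and for any extension not installed from the Chrome Web Store, and checks allow-list values against the same IDs. The registry key path and the sample Preferences fragment are assumptions and constructed data, not from the report.

```python
import json

# The two extension IDs reported on this page.
KNOWN_BAD_IDS = {
    "cbnmkphohlaaeiknkhpacmmnlljnaedp",
    "jikoemlnjnpmecljncdgigogcnhlbfkc",
}

def audit_preferences(prefs_text):
    """Return (extension_id, reason) findings from the JSON text of a Chromium
    Preferences or Secure Preferences file (extensions.settings.<id>)."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, info in settings.items():
        if ext_id in KNOWN_BAD_IDS:
            findings.append((ext_id, "known CopperStealer extension ID"))
        elif not info.get("from_webstore", False):
            # Sideloaded extensions are not proof of compromise, but worth review.
            findings.append((ext_id, "sideloaded: not installed from the Chrome Web Store"))
    return findings

def audit_allowlist(allowlist_values):
    """Return allow-list entries that match the reported extension IDs."""
    return sorted(set(allowlist_values) & KNOWN_BAD_IDS)

def read_allowlist_from_registry():
    """Read ExtensionInstallAllowlist values on Windows. The policy key path is an
    assumption (the report does not name it); returns [] off Windows or if absent."""
    try:
        import winreg
    except ImportError:
        return []
    path = r"SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist"
    values = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            index = 0
            while True:
                try:
                    _, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                values.append(str(data))
                index += 1
    except OSError:
        pass
    return values

# Constructed sample Preferences fragment (not a real capture). The 32-letter
# "abcdefghij..." ID is a placeholder, not a real extension.
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "cbnmkphohlaaeiknkhpacmmnlljnaedp": {"from_webstore": False, "state": 1},
    "abcdefghijabcdefghijabcdefghijab": {"from_webstore": True, "state": 1},
    "bcdefghijabcdefghijabcdefghijabc": {"from_webstore": False, "state": 1},
}}})

if __name__ == "__main__":
    for ext_id, reason in audit_preferences(SAMPLE_PREFS):
        print(f"{ext_id}: {reason}")
    print("allow-list hits:", audit_allowlist(read_allowlist_from_registry()))
```

On a live host, pass the contents of `<profile>\Preferences` and `<profile>\Secure Preferences` to `audit_preferences`; the known-ID match is the strong signal, the sideload check is a triage aid.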
MITRE Techniques
- [T1189] Drive-by Compromise – The component is spread via fake crack (warez) websites. ‘This component is spread via fake crack (also known as warez) websites.’
- [T1027] Obfuscated/Compressed Files and Information – Both JavaScript files are heavily obfuscated. ‘In the first obfuscation step, all strings are split into substrings, stored in a single array, and access to the array is achieved by calling multiple hexadecimal-named functions with five hexadecimal integer parameters.’
- [T1112] Modify Registry – The newly installed extension is added to the extension installation allow list located in the registry. ‘a newly installed extension is also added to the extension installation allow list located in the registry.’
- [T1071.001] Web Protocols – The background script communicates with a C2 over HTTP; ‘GET request to http:///traffic/chrome’ and ‘POST request to http:///traffic/domain’ with domain data.
- [T1555.003] Credentials in Web Browsers – The API key/secret are obtained from Chrome’s local storage. ‘This method tries to obtain the API key (apiKey) and API secret (apiSecret) from Chrome’s local storage…’
- [T1056.003] Input Capture – The content flow captures 2FA codes via a modal window; ‘The modal window has input boxes and listens for oninput events…’
- [T1041] Exfiltration Over C2 Channel – API keys and wallet data are exfiltrated to the C2 server; ‘exfiltrates them to http:///traffic/step’.
- [T1583.001] Acquire Infrastructure: Domains (DGA-like) – The C2 uses a DGA-style domain format; ‘C&C domain having the same format as the Domain Generation Algorithm (DGA) domains… 16 hexadecimal characters.’
Indicators of Compromise
- [Extension IDs] cbnmkphohlaaeiknkhpacmmnlljnaedp, jikoemlnjnpmecljncdgigogcnhlbfkc – two malicious Chrome extension IDs installed in victims’ browsers
- [URL] http:///traffic/chrome, http:///traffic/domain, http:///traffic/step – C2 and data-exfiltration endpoints
- [Domain] blockchain.com, coinbase.com, binance.com, ftx.com, okex.com, huobi.com, kraken.com, poloniex.com, crypto.com, bithumb.com, bitfinex.com, kucoin.com, gate.io, tokocrypto.com, tabtrader.com, mexc.com, lbank.info, hotbit.io, bit2me.com, etoro.com, nicehash.com, probit.com – targeted crypto-exchange domains used for reconnaissance and data collection
- [Archive] crx.7z containing the 7-Zip archive and CRX folder structure; [File] crx.json as a settings file inside the dropper
- [Path/Component] CRX, Preferences, Secure Preferences, and extension directories under User Data\Default\Extensions in Chromium-based browsers