Chrome extension caught stealing crypto-wallet private keys

A Google Chrome extension named Shitcoin Wallet is stealing passwords and wallet private keys, security researcher says.
Written by Catalin Cimpanu, Contributor

A Google Chrome extension was caught injecting JavaScript code on web pages to steal passwords and private keys from cryptocurrency wallets and cryptocurrency portals.

The extension is named Shitcoin Wallet (Chrome extension ID: ckkgmccefffnbbalkmbbgebbojjogffn), and was launched last month, on December 9.

According to an introductory blog post, Shitcoin Wallet lets users manage Ether (ETH) coins, but also Ethereum ERC20-based tokens -- tokens usually issued for ICOs (initial coin offerings).

Users can install the Chrome extension and manage ETH coins and ERC20 tokens from within their browser, or they can install a Windows desktop app, if they want to manage their funds from outside a browser's riskier environment.

Malicious behavior breakdown

However, the wallet app wasn't what it promised to be. Yesterday, Harry Denley, Director of Security at the MyCrypto platform, discovered that the extension contained malicious code.

According to Denley, the extension is dangerous to users in two ways. First, any funds (ETH coins and ERC20-based tokens) managed directly inside the extension are at risk.

Denley says that the extension sends the private keys of all wallets created or managed through its interface to a third-party website located at erc20wallet[.]tk.

Second, the extension also actively injects malicious JavaScript code when users navigate to five well-known and popular cryptocurrency management platforms. This code steals login credentials and private keys, data that is sent to the same erc20wallet[.]tk third-party website.

According to an analysis of the malicious code, the process goes as follows:

  • Users install the Chrome extension
  • Chrome extension requests permission to inject JavaScript (JS) code on 77 websites [listed here]
  • When users navigate to any of these 77 sites, the extension loads and injects an additional JS file from: https://erc20wallet[.]tk/js/content_.js
  • This JS file contains obfuscated code [deobfuscated here]
  • The code activates on five websites: MyEtherWallet.com, Idex.Market, Binance.org, NeoTracker.io, and Switcheo.exchange
  • Once activated, the malicious JS code records the user's login credentials, searches for private keys stored inside the dashboards of the five services, and, finally, sends the data to erc20wallet[.]tk
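For readers who want to check a machine for this extension, the sketch below is an added example, not code from Denley's analysis or from ZDNet. It walks a Chrome profile's Extensions folder (laid out as `<id>/<version>/manifest.json`) and flags the extension ID named above, content scripts whose match patterns reach the five targeted sites, and bundled scripts that mention the exfiltration domain; the function names are hypothetical, and the domain check assumes the string appears unobfuscated in the extension's own files.

```python
import json
import pathlib

# Indicators taken from the article; the domain is re-fanged only for string matching.
BAD_ID = "ckkgmccefffnbbalkmbbgebbojjogffn"
C2_DOMAIN = "erc20wallet" + ".tk"
TARGETS = ("myetherwallet.com", "idex.market", "binance.org",
           "neotracker.io", "switcheo.exchange")


def pattern_covers(pattern, site):
    """True if a Chrome match pattern can apply to `site` or one of its subdomains."""
    if pattern == "<all_urls>":
        return True
    host = pattern.split("://", 1)[-1].split("/", 1)[0].lower()
    if host == "*":
        return True
    wild = host.startswith("*.")
    host = host[2:] if wild else host
    return host == site or host.endswith("." + site) or (wild and site.endswith("." + host))


def audit_extension(ext_id, version_dir):
    """Return the findings for one unpacked extension version directory."""
    root = pathlib.Path(version_dir)
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8-sig"))
    findings = []
    if ext_id == BAD_ID:
        findings.append("known-bad extension ID")
    patterns = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    hit = sorted(s for s in TARGETS if any(pattern_covers(p, s) for p in patterns))
    if hit:
        findings.append("content scripts reach wallet sites: " + ", ".join(hit))
    # Assumption: the domain is present in clear text in the extension's scripts.
    for js in sorted(root.rglob("*.js")):
        if C2_DOMAIN in js.read_text(encoding="utf-8", errors="ignore"):
            findings.append(f"{js.name} references {C2_DOMAIN}")
    return findings


def audit_profile(extensions_dir):
    """Walk <Extensions>/<id>/<version>/ and map extension ID -> findings."""
    report = {}
    for manifest in pathlib.Path(extensions_dir).glob("*/*/manifest.json"):
        found = audit_extension(manifest.parent.parent.name, manifest.parent)
        if found:
            report.setdefault(manifest.parent.parent.name, []).extend(found)
    return report
```

Call `audit_profile()` with the path to a profile's Extensions directory. A content-script hit on its own is only a lead, since legitimate wallet helpers also run on these sites.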

At the time of writing, the extension was still available for download through the official Google Chrome Web Store, where it listed 625 installs.

It is unclear if the Shitcoin Wallet team is responsible for the malicious code, or if the Chrome extension was compromised by a third party. A spokesperson for the Shitcoin Wallet team did not reply to a request for comment before this article's publication.

Desktop app

On the extension's official website, 32-bit and 64-bit installers were also made available to users.

Scans with VirusTotal, a website that aggregates the virus scanning engines of several antivirus software makers, show both files as clean.

However, numerous comments posted on the wallet's Telegram channel suggest the desktop apps might contain similarly malicious code, if not worse.
