Google Chrome extension ViperSoftX steals clipboard contents and crypto passwords

According to recent reports, a Google Chrome browser extension called ‘VenomSoftX’ is stealing cryptocurrencies as well as sensitive information such as passwords.

Windows malware used VenomSoftX to steal clipboard contents while users browsed the web.

The ViperSoftX Windows malware is said to have installed this Chrome extension. The malware performed the functions of a JavaScript-based RAT (remote access trojan) and crypto hijacker.

Furthermore, the report revealed that Avast Threat Labs has detected and successfully terminated approximately 93,000 ViperSoftX infection attempts occurring with users from the United States, Italy, India, and Brazil since the beginning of 2022.

Avast examined the wallet addresses hard-coded in ViperSoftX and VenomSoftX samples and discovered that the wallets made nearly $130,000 by November 8, 2022.

According to reports, VenomSoftX stole cryptocurrency by hooking API requests on a few popular cryptocurrency exchanges used by victims.

According to the Avast report:

“When a certain API is called, for example, to send money, VenomSoftX tampers with the request before it is sent to redirect the money to the attacker instead.”

VenomSoftX targeted crypto exchanges such as Blockchain.com, Binance, Coinbase, Gate.io, and Kucoin. Surprisingly, the extension also kept an eye on the clipboard in case more wallet addresses were added.

VenomSoftX may also tamper with HTML on websites in order to publicize the user’s crypto wallet address, as well as modify the parts in the background in order to redirect payments to the threat actor.

In addition, the VenomSoftX extension intercepts all API requests to crypto services in order to determine the victim’s assets.

The extension would then increase the transaction amount to the maximum available and withdraw funds over time.