Google Chrome extension used to steal crypto-wallet passwords

Shitcoin Wallet extension caught injecting malicious JavaScript to steal passwords from cryptocurrency wallets and portals

Users' login credentials, passwords, private keys, and other valuable information can get stolen once the malicious code is launched. Google Chrome browser extension, crypto-currency wallet, was found to inject malicious script on web pages to steal passwords, private keys, and other valuable data from its users.^[1] The browser add-on was released back on December 9th, and, according to the initial post,^[2] manages Ethereum-based tokens issued for ICO^[3] and Ether cryptocurrency. Users who install the extension can manage such funds within their browser and can also install the Windows desktop app that provides the function of managing the currency outside the web browser.

The malicious behavior was discovered and reported just before the new years by cybersecurity researcher and anti-phishing expert Harry Denley.^[4] In his tweet, he warned users about the suspicious browser extension having the data-stealing feature. According to Denley, it is targeting various websites with users' passwords and private keys to cryptocurrency wallets, including Binance, MyEtherWallet, and other well-known and widely used portals.

Two reasons making Shitcoin Wallet extension malicious

The fairly new browser extension can be dangerous for two different reasons. All funds that are managed via a browser plugin are at risk because the extension sends private keys of all created wallets through the interface related to a third-party website – erc20wallet.tk.

Also, the extension injects JavaScrip code when users navigate to one of the popular cryptocurrency management platforms. The code allows malicious actors to obtain sensitive data like logins, private keys, information that is sent to the same third-party website associated with the browser extension.

This process goes in such order:

• The user installs the ShitcoinWallet Google Chrome extension;
• Add-on asks for permission to inject JavaScript code on the list of websites;
• When the person goes to one of those 77 websites, the extension loads and injects an additional JS file from the erc20wallet.tk website;
• The code searches for open browser windows with cryptocurrency exchanges or network tools to wipe data entered on such sites;
• The JavaScript file contains obfuscated code;
• Once the script gets activated, users' sensitive data gets stolen, and dashboard, other places of the portals get searched for private keys.
• Finally, all the secrets get sent to erc20wallet.tk.

The Windows desktop application also related to questionable codes

The name Shitcoin Wallet should be a dead giveaway that this is a no-good extension, especially for the software managing Ethereum cryptocurrency. However, the extension has over 2,000 users that are now vulnerable to having their data scraped or even compromised. This web-based wallet has versions compatible with other types of browsers, according to developers. However, Shitcoin Wallet is only supported by Chrome right now.

The official website where the application is promoted and distributed, states that desktop app is available for users in 32-bit and 64-bit installers. Many comments of users online report that this version of the Shitcoin Wallet also contains suspicious code, if not worse issues regarding peoples' data and malicious payload droppers.

Unfortunately, this data-stealing extension is not the only incident, including cryptocurrency applications.^[5] Google already removed the Ethereum wallet app MetaMask from its Google Play App store. Such malicious extensions involving cryptocurrency get detected even more often. Security researchers report that cryptojacking applications have been on the rise.^[6]