This nasty Google Chrome extension is after your crypto and your passwords

(Image credit: Future)

A particularly nasty crypto-stealing malware has gotten a facelift to make it even more dangerous, researchers have claimed.

Cybersecurity experts from Avast have warned the ViperSoftX Windows malware, a JavaScript-based RAT that’s been around for more than two years, has been upgraded to also install a Chrome browser add-on.

Usually, ViperSoftX would monitor the clipboard contents of the infected endpoint, and if it spots the victim copying and pasting a cryptocurrency wallet address, it would replace the one from the clipboard, with the one belonging to the attackers. That way, when the victim sends their funds, they end up at the hands of the attackers.

Fake Google Sheets add-on

Cryptocurrency addresses are a long line of seemingly random characters, which makes this type of hijacking relatively successful. The add-on does basically the same thing, but somewhat more efficiently. It’s named Google Sheets 2.1, to remove any suspicion of its good intentions for the victims. 

"VenomSoftX mainly does this (steals crypto) by hooking API requests on a few very popular crypto exchanges victims visits/have an account with," the researchers said. "When a certain API is called, for example, to send money, VenomSoftX tampers with the request before it is sent to redirect the money to the attacker instead."

Avast says the trojan targets multiple major crypto players, such as Coinbase, Binance, Kucoin,, and However, it doesn’t stop there - it also keeps an eye on the clipboard for any other wallets being pasted. 

There are two frightening details about VenomSoftX, one that the extension can modify HTML on websites, to display the victim’s cryptocurrency wallet address. In other words, even a visual inspection of the address, after pasting, won’t help. What’s more, the malware will intercept all API requests to the services, and set the transaction amount to the maximum. That way, even if the victim first goes with a test transaction (a small transaction of, say, $10), they will still lose all of their funds. 

And finally, for Blockchain, it will try to steal the password, if the victim enters it on the site.

So far, the researchers are saying, the attackers managed to steal some $130,000 worth of various cryptos. We don’t know how many people were infected, but we do know that most victims are located in the US, Italy, Brazil, and India. 

There is no such thing as Google Sheets 2.1, so in case you see this add-on installed, make sure to remove it immediately.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.