Satacom Malware Campaign Steals Crypto Via Stealthy Browser Extension
Satacom downloader, also called as LegionLoader, is a renowned malware family that emerged in 2019. It is known to use the technique of querying DNS servers to obtain the base64-encoded URL in order to receive the next stage of another malware family currently distributed by Satacom. The Satacom malware is delivered via third-party websites. Some of these sites do not deliver Satacom themselves but use legitimate advertising plugins that the attackers abuse to inject malicious ads into the webpages. The malicious links or ads on the sites redirect users to malicious sites such as fake file-sharing services. The main purpose of the malware that is dropped by the Satacom downloader is to steal BTC from the victim’s account by performing web injections into targeted cryptocurrency websites. The malware attempts to do this by installing an extension for Chromium-based web browsers, which later communicates with its C2 server, whose address is stored in the BTC transaction data. The malic
Technical analysis
Initial infection begins with a ZIP archive file, downloaded from mimic a software portal.This archive contains several legitimate DLLs and a malicious Setup.exe file that the user needs to execute manually to initiate the infection chain.
QUADS plugin being abused to deliver Satacom.The attackers promote ads that look like a “Download” button and redirect users to the attackers’ websites. While click the malicious link its masquerading as a file-sharing service to distribute the malware.
After the user downloads and extracts the ZIP archive, which is about 7MB in size, a few binaries, EXE and DLL files are revealed.
Satacom installer, the Setup.tmp file, once running, creates a new PE DLL file in the Temp directory. After the DLL is created, the child installer loads it into itself and runs a function from the DLL.
It then decrypts the payload of Satacom and creates a new sub-process of ‘explorer.exe’ in order to inject the malware into the ‘explorer.exe’ process.
Malicious browser extension
Satacom downloader downloads various binaries to the victim’s machine. In this campaign we observed a PowerShell script being downloaded that installs a malicious Chromium-based browser extension that targets Google Chrome, Brave and Opera.
The extension installation script is responsible for downloading the extension in a ZIP archive file from a third-party website server. The PowerShell script downloads the archived file to the computer’s Temp directory and then extracts it to a folder inside the Temp directory.
After that, the script searches for the possible locations of shortcuts for each of the targeted browsers in such places as Desktop, Quick Launch and Start Menu. It also configures the locations of the browsers’ installation files and the location of the extension on the computer.
Finally, the PS script recursively searches for any link (.LNK) file in the above locations and modifies the “Target” parameter for all existing browser shortcuts with the flag “–load-extension=[pathOfExtension]” so that the shortcut will load the browser with the malicious extension installed.
Malicious extension analysis
"manifest.json’ file, we’ll see that the extension disguises itself by naming the addon “Google Drive,” so even when the user accesses the browser addons, the only thing they will see is an addon named “Google Drive”, which looks like just another standard Google extension installed inside the browser.
‘background.js’, which is responsible for initializing communication with the C2.
‘injections.js’ script from the extension, which fetches the web inject script from the C2 server.
The server responds with the web inject script that will be used on the targeted websites.
Satacom is a downloader that is still running campaigns and being developed by the threat actor behind it. This threat actor continues to distribute malware families using various techniques, such as ad injection via ad plugins for WordPress websites.
IOC:
Satacom files
0ac34b67e634e49b0f75cf2be388f244
1aa7ad7efb1b48a28c6ccf7b496c9cfd
199017082159b23decdf63b22e07a7a1
Malicious extension ZIP
a7f17ed79777f28bf9c9cebaa01c8d70
What's Your Reaction?
