New “Silent Swap” Malware Campaign Targets XRP and BTC via Fake Google Extension

McAfee researchers detected Silent Swap
TL;DR:

  • McAfee Advanced Threat Research discovered the malware campaign dubbed “Silent Swap.”
  • The malicious software uses a fake Google Notes extension on Chromium browsers.
  • The campaign registers a high volume of global infections, concentrating in India.

Cybersecurity researchers at McAfee detected Silent Swap, a sophisticated malware campaign designed to divert Bitcoin and XRP transfers by manipulating Chromium-based browsers. The company’s technical report indicates that the attackers intercept users’ clipboards and replace legitimate wallet addresses with addresses of wallets controlled by the campaign’s operators.

The initial infection occurs through the download of modified installers. The McAfee report details that these executables, written in .NET or Go (Golang), are typically distributed under the guise of free programs or cracked versions of commercial software.

Once the user runs this installer on their operating system, the malicious component deploys automatically into local storage. The technical report specifies that this process directly alters the internal configuration files of the victims’ browser application.

Advanced Evasion and Persistence Techniques

The malware injects an extension that poses as a legitimate “Google Notes” tool. According to McAfee’s data, the malicious software is able to evade the standard defenses of browsers such as Chrome, Microsoft Edge, Brave, and Opera by recomputing on its own the integrity-verification values that these browsers require whenever their configuration files are modified.

“The fake extension grants itself invasive permissions within the system once installed,” the cybersecurity firm’s report indicates.

Unlike traditional clipper-type trojans, which carry hard-coded replacement addresses inside their code, this system uses a dynamic infrastructure. When the code detects that the user has copied an address matching the patterns for BTC, ETH, XRP, Bitcoin Cash, or Dash, it queries the attacker’s server directly.

McAfee analysts point out that the server returns an alternative address in real time that matches the detected cryptocurrency. This mechanism makes tracking difficult for security analysts due to the constant rotation of the receiving wallets.
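As an added illustration, and not code from McAfee’s report or from the campaign itself, the Python below shows a defender-side heuristic for the behavior just described: it walks a series of clipboard snapshots and raises an alert when a copied address of one coin is replaced within seconds by a different address of the same coin, which is the signature a clipper leaves regardless of which wallet the attacker’s server returns. The address patterns are simplified approximations and the snapshots are constructed sample data.

```python
import re

# Simplified address-shape heuristics for the coin families named in the
# report (constructed for this example; real validators also check checksums).
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XRP": re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
    "BCH": re.compile(r"^(bitcoincash:)?[qp][a-z0-9]{41}$"),
    "DASH": re.compile(r"^X[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def classify(text):
    """Return the coin family a clipboard string looks like, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def detect_swaps(snapshots, window=5.0):
    """snapshots: list of (timestamp_seconds, clipboard_text) polled in order.
    Flags an address of coin X being replaced by a *different* address of the
    same coin X within `window` seconds with no other content in between.
    A user pasting two addresses of the same coin back to back also trips
    this, so treat alerts as a prompt to verify, not as proof of infection."""
    alerts = []
    last = None  # (timestamp, text, coin) of the most recent address seen
    for ts, text in snapshots:
        coin = classify(text)
        if coin is None:
            last = None  # non-address content breaks the chain
            continue
        if last and last[2] == coin and last[1] != text and ts - last[0] <= window:
            alerts.append({"coin": coin, "original": last[1],
                           "replacement": text, "delay": round(ts - last[0], 3)})
        last = (ts, text, coin)
    return alerts


# Constructed snapshots: a user copies an XRP address and 300 ms later the
# clipboard holds a different XRP address; the two ETH copies are 20 s apart.
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (1.0, "rUserWa11et" + "A" * 23),
    (1.3, "rAttackerWa11et" + "B" * 19),
    (10.0, "0x" + "a" * 40),
    (30.0, "0x" + "b" * 40),
]
```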

The attack infrastructure does not rely on static domains either. According to McAfee’s documentation, the operators employ a technique known as “EtherHiding,” which allows them to conceal command and control (C2) instructions within smart contracts on publicly accessible blockchain networks. The firm’s geographical analysis determined that the campaign maintains a global reach, identifying an especially high volume of compromised systems in the India region during the monitoring phases of the first half of this year.
