Cybersecurity researchers have identified an active campaign that deploys a malicious browser extension to steal cryptocurrency by silently replacing wallet addresses while a victim is preparing a transaction. The operation, dubbed ‘Silent Swap’ by McAfee Labs, uses unsigned installers to get onto victim systems and plant the extension without the user's knowledge or consent.
The attack begins with the distribution of unsigned installers, observed in both .NET and Golang variants. These installers deploy a malicious Chromium extension that masquerades as a benign ‘Google Notes’ utility. Once executed, the installer scans the system for Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Vivaldi. For each browser profile it finds, it forcibly terminates the browser process (so the browser cannot write its in-memory copy of the settings back over the edited files) and then injects the extension by editing the profile's Secure Preferences and Preferences files directly.
The rogue extension's primary function is to act as a ‘clipper’: malware that monitors the system clipboard for cryptocurrency wallet addresses. When a user copies a wallet address, the clipper replaces it with an attacker-controlled address, so funds the user believes they are sending to the intended recipient are rerouted to the criminals. To do this, the fake Google Notes extension requests permissions to read and write the clipboard, to run on all URLs, and to access browsing history, none of which a note-taking utility has any legitimate need for.
One of the distinguishing features of the Silent Swap campaign is its use of a technique called ‘EtherHiding.’ This method uses a public blockchain as a dead drop resolver: the malware reads a value from a smart contract to learn the currently active command-and-control (C2) server. Because reading contract state is an ordinary query against a public node rather than a transaction, the lookup needs only outbound network access and costs the attacker nothing per victim. By updating the stored value in the contract, the attackers can point infected machines at a new domain without redeploying the malware, which makes the infrastructure resilient to takedowns and keeps the live C2 address out of the binary where static analysis would find it.
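The following Python is an added example, not the campaign's code and not McAfee's analysis tooling. It shows the two halves of a blockchain dead-drop lookup: building the JSON-RPC `eth_call` a client sends to read a contract, and decoding the ABI-encoded `string` the contract returns into a C2 domain. The contract address, the four-byte function selector and the returned domain are constructed for the example, and the sample RPC response is built locally so the code runs offline.

```python
"""Blockchain dead-drop resolution (EtherHiding style), as an added example.

A read-only contract call carries no transaction and needs no wallet: the
client posts an eth_call to any public JSON-RPC node and decodes the result.
Everything below is constructed for illustration; no real contract is used.
"""
import json

# Constructed values (assumptions): a fake contract address and a fake
# selector for a hypothetical getter such as getDomain().
SAMPLE_CONTRACT = "0x" + "ab" * 20
SAMPLE_SELECTOR = "0xdeadbeef"


def build_eth_call(contract: str, selector: str, request_id: int = 1) -> dict:
    """Build the JSON-RPC body a dead-drop client would POST to a node."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    }


def abi_encode_string(value: str) -> str:
    """ABI-encode a single dynamic `string` return value (offset, length, data)."""
    data = value.encode("utf-8")
    head = (32).to_bytes(32, "big")            # offset of the dynamic part
    length = len(data).to_bytes(32, "big")     # byte length of the string
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    return "0x" + (head + length + padded).hex()


def abi_decode_string(hex_result: str) -> str:
    """Decode the `result` of an eth_call whose function returns one `string`."""
    raw = bytes.fromhex(hex_result[2:] if hex_result.startswith("0x") else hex_result)
    if len(raw) < 64:
        raise ValueError("result too short for an ABI-encoded string")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points outside the payload")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds the payload")
    return raw[start:start + length].decode("utf-8")


def resolve_c2(rpc_response: dict) -> str:
    """Turn a node's eth_call response into the C2 hostname stored on-chain."""
    return abi_decode_string(rpc_response["result"])


def safe_resolve(rpc_response: dict):
    """Like resolve_c2, but return None instead of raising on malformed data."""
    try:
        return resolve_c2(rpc_response)
    except (KeyError, ValueError, UnicodeDecodeError):
        return None


# Constructed sample: what a node would answer if the contract currently
# stored the (made-up) domain "c2.example".
SAMPLE_RPC_RESPONSE = {
    "jsonrpc": "2.0",
    "id": 1,
    "result": abi_encode_string("c2.example"),
}

if __name__ == "__main__":
    print(json.dumps(build_eth_call(SAMPLE_CONTRACT, SAMPLE_SELECTOR), indent=2))
    print("resolved C2:", resolve_c2(SAMPLE_RPC_RESPONSE))
```

For defenders the useful consequence is that the indicator to watch is not a hard-coded domain but an `eth_call` to a specific contract address from a process that has no business talking to a blockchain node; the decoded string, not the binary, tells you where the C2 is today.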
The malware is also careful about how it installs the extension. Chromium protects its Secure Preferences file with HMAC integrity values (a MAC per protected preference plus a super_mac over the set) so that an edited file is detected and the tampered settings discarded. By writing the extension entry directly into the protected settings and recomputing those MACs, the installer makes the browser accept the entry as a legitimately installed extension. The extension therefore never goes through the Web Store installation flow and loads silently without any user approval. The same edit gives it persistence: because the entry lives in the profile's Secure Preferences, the extension is loaded on every subsequent browser launch with no separate persistence mechanism required.
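Because the installer recomputes the integrity MACs, a "does the file verify?" check is the wrong triage question; what remains visible is the content of the extension entry itself. The script below is an added example (not McAfee's tooling and not anything from the campaign) that parses a Chromium profile's Secure Preferences or Preferences JSON and flags extension entries that were not installed from the Chrome Web Store, that are loaded unpacked from a directory, or that hold the clipboard, all-URLs and history permissions described above. The sample preference data, extension IDs and paths are constructed for the example, and the numeric location codes are an assumption taken from Chromium's ManifestLocation enum.

```python
"""Triage Chromium profile preference files for sideloaded extensions.

Added example. Works on the JSON that Chrome, Edge, Brave and Vivaldi keep
in a profile's "Secure Preferences" and "Preferences" files. It inspects the
extension entries rather than the MACs, because an installer that rewrites
the MACs leaves the file verifying cleanly.
"""
import json
import sys
from pathlib import Path

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Assumption: Chromium ManifestLocation codes; 1 = installed by the browser
# itself, 4 = unpacked extension loaded from a directory on disk.
LOCATION_INTERNAL = 1
LOCATION_UNPACKED = 4

# The permission set a clipboard clipper needs. Any single one can be
# legitimate; the combination in a "notes" extension is the red flag.
CLIPPER_PERMISSIONS = {"clipboardRead", "clipboardWrite", "history", "<all_urls>"}

# Constructed sample of the extensions.settings subtree. IDs, paths and MAC
# strings are made up; the shape mirrors a real profile but the values do not.
SAMPLE_SECURE_PREFS = {
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "location": LOCATION_INTERNAL,
                "state": 1,
                "manifest": {
                    "name": "Legit Blocker",
                    "version": "1.0",
                    "update_url": WEBSTORE_UPDATE_URL,
                    "permissions": ["webRequest"],
                },
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "location": LOCATION_UNPACKED,
                "state": 1,
                "path": "C:\\Users\\victim\\AppData\\Local\\gnotes",
                "manifest": {
                    "name": "Google Notes",
                    "version": "1.0.2",
                    "permissions": ["clipboardRead", "clipboardWrite", "history"],
                    "host_permissions": ["<all_urls>"],
                },
            },
        }
    },
    "protection": {"macs": {"extensions": {"settings": "MADEUP"}}, "super_mac": "MADEUP"},
}


def audit_extensions(prefs: dict) -> list[dict]:
    """Return one finding per extension entry that looks sideloaded or clipper-like."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("from_webstore is false")
        if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
            reasons.append("update_url is not the Chrome Web Store")
        if entry.get("location") == LOCATION_UNPACKED:
            reasons.append("location is unpacked (loaded from a directory)")
        # MV2 lists host patterns under permissions; MV3 moves them to host_permissions.
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        hit = perms & CLIPPER_PERMISSIONS
        if {"clipboardRead", "<all_urls>"} <= hit or len(hit) >= 3:
            reasons.append("clipper-style permissions: " + ", ".join(sorted(hit)))
        if reasons:
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "?"),
                "path": entry.get("path"),
                "reasons": reasons,
            })
    return findings


def audit_profile(profile_dir: str) -> list[dict]:
    """Audit both preference files of one Chromium profile directory."""
    findings = []
    for name in ("Secure Preferences", "Preferences"):
        path = Path(profile_dir) / name
        if path.is_file():
            with path.open(encoding="utf-8") as fh:
                findings.extend(audit_extensions(json.load(fh)))
    return findings


if __name__ == "__main__":
    # Usage: python audit.py <profile dir> ...   (no args: run on the sample)
    results = [f for d in sys.argv[1:] for f in audit_profile(d)] if len(sys.argv) > 1 \
        else audit_extensions(SAMPLE_SECURE_PREFS)
    for f in results:
        print(f"{f['id']}  {f['name']}  path={f['path']}")
        for r in f["reasons"]:
            print("    -", r)
```

Every reason is a hint rather than proof: a developer's own unpacked extension will trip the first three. What a responder is looking for is the combination seen here, an unpacked, non-Web-Store entry with clipboard plus all-URLs access, in a profile whose owner never loaded anything manually.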
McAfee Labs notes that this activity overlaps with an earlier CountLoader campaign that also delivered a crypto clipper, suggesting the same threat actor may be behind both operations. The campaign's layered design consistently trades off noise for durability: every choice, from the silent extension load to the on-chain C2 lookup, keeps visibility to the end user low and makes the infrastructure resistant to takedown and to static analysis.
Because blockchain transactions cannot be reversed, a single swapped address means permanent loss of the funds sent. Users are advised to install browser extensions only from the browser's official store, to check the extensions page of each browser for entries they do not recognise, and to refuse installers that do not carry a valid code signature from the expected publisher. Before sending cryptocurrency, compare the pasted destination address against the original character by character, since a clipper changes it after it was copied. Keeping security software up to date and treating unsolicited software installations with suspicion further reduce the risk of this kind of attack.