VenomSoftX is a threatening browser extension designed with the explicit goal of collecting cryptocurrency. The extension also has clipper functionality: it monitors the content users save to the clipboard of their Windows systems and substitutes any crypto-wallet addresses with ones under the control of the threat actors. The threat is deployed on victims' devices by another threat tracked as ViperSoftX, a RAT and crypto hijacker written in JavaScript.

Infection Chain

ViperSoftX was first identified back in 2020, with reports about it published by researchers as well as infosec experts. Its main infection vectors are weaponized game cracks or activators for paid software tools, available for download on torrent platforms. However, the campaign has undergone several important changes, as detailed in a new report released by other researchers.

According to their findings, ViperSoftX attacks intensified in 2022, and by November 8th the cybercriminals had managed to collect around $130,000 from their victims. The main targets of the attacks have been users located in the U.S., Italy, India and Brazil. The newer ViperSoftX versions have also started dropping the previously unknown VenomSoftX browser extension.

VenomSoftX Details

The threat can impact Chrome-based browsers, including Chrome, Edge, Opera, Brave, etc. It poses as 'Google Sheets 2.1' or 'Update Manager,' names that could pass for legitimate and useful applications. In reality, VenomSoftX could give the threat actors better chances of collecting cryptocurrencies than the ViperSoftX malware.

Once activated on the device, the browser extension will wait for a certain API to be called and will tamper with the request, resulting in the associated funds being redirected to the attackers. Several of the most prominent crypto services can be impacted -, Coinbase, Kucoin and The funds in the intercepted transactions will be set to the available maximum, and the cryptocurrencies will be siphoned out from the victims' accounts. The clipboard also will be monitored for additional wallet addresses.

VenomSoftX also is capable of collecting passwords entered on the website. Information entered on other websites will be checked to see if it matches certain criteria and also will be transmitted to the threat actors.

One way to spot VenomSoftX on the system is to check where the 'Google Sheets' entry is installed. The legitimate Google Sheets is typically installed in Chrome as an application under chrome://apps/ and is not classified as an extension. This means that if you find a Google Sheets entry listed on the browser's extension page, it may be best to remove it as soon as possible.
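The same check can be scripted over a folder of installed or unpacked extensions. The following is an added example, not code from the original article or from the researchers' reports: it reads each `manifest.json`, resolves a localized `__MSG_key__` name through `_locales/<default_locale>/messages.json` (a simplification, since the browser tries the user's locale first), and lists extensions whose display name starts with one of the two names mentioned above. The function names and the sample folders are constructed for illustration, and a hit is only a candidate for manual review.

```python
import json
import re
import tempfile
from pathlib import Path

# Display names the article says VenomSoftX poses as (version suffix ignored).
SUSPECT = re.compile(r"^\s*(google sheets|update manager)\b", re.IGNORECASE)

def load_json(path):
    """Read a JSON object from path; {} if missing, malformed or not an object."""
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
        return data if isinstance(data, dict) else {}
    except (OSError, ValueError):
        return {}

def display_name(manifest_path):
    """Name shown on the extensions page, with a __MSG_key__ placeholder resolved."""
    manifest = load_json(manifest_path)
    name = str(manifest.get("name", ""))
    placeholder = re.fullmatch(r"__MSG_([\w@]+)__", name)
    if placeholder:
        locale = str(manifest.get("default_locale", "en"))
        messages = load_json(manifest_path.parent / "_locales" / locale / "messages.json")
        for key, entry in messages.items():  # message keys are case-insensitive
            if key.lower() == placeholder.group(1).lower() and isinstance(entry, dict):
                return str(entry.get("message", name))
    return name

def find_suspects(root):
    """Return (display name, folder) for each extension whose name matches SUSPECT."""
    named = [(display_name(p), str(p.parent)) for p in sorted(Path(root).rglob("manifest.json"))]
    return [hit for hit in named if SUSPECT.search(hit[0])]

def build_sample(root):
    """Write three constructed extension folders (not real samples) under root."""
    specs = [("aaa/2.1_0", "Google Sheets 2.1", "unused"),
             ("bbb/1.0_0", "__MSG_appName__", "Update Manager"),
             ("ccc/3.0_0", "Tab Sorter", "unused")]
    for rel, name, message in specs:
        ext = Path(root) / rel
        (ext / "_locales" / "en").mkdir(parents=True)
        (ext / "manifest.json").write_text(json.dumps({"name": name, "default_locale": "en"}))
        (ext / "_locales" / "en" / "messages.json").write_text(json.dumps({"appname": {"message": message}}))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(find_suspects(tmp))
```

To scan a real system, pass `find_suspects` the browser profile's `Extensions` directory or the folder an unpacked extension was loaded from.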

