Author: Shan &Thinking@SlowMist Security Team

Background

On March 1, 2024, according to feedback from Twitter user @doomxbt, there was an abnormality in his Binance account and funds were suspected to have been stolen:

(https://x.com/doomxbt/status/1763237654965920175)

At first, this incident did not attract much attention, but on May 28, 2024, Twitter user @Tree_of_Alpha analyzed and found that the victim @doomxbt was suspected to have installed a Chrome There are many good reviews of the malicious Aggr extension in the store! It can steal all cookies on the websites visited by users, and someone paid some influential people to promote it 2 months ago.

 (https://x.com/Tree_of_Alpha/status/1795403185349099740)

This incident has attracted more attention in the past two days. The credentials of the victims were stolen after logging in, and then the hackers stole the victims' cryptocurrency assets through counter-trading. Many users consulted the SlowMist security team about this issue. Next, we will analyze the attack in detail to sound the alarm for the crypto community.

Analysis

First, we have to find the malicious extension. Although Google has already removed the malicious extension, we can see some historical data through snapshot information.

After downloading and analyzing, the JS files in the directory are background.js, content.js, jquery-3.6.0.min.js, jquery-3.5.1.min.js.

During the static analysis process, we found that background.js and content.js did not have too much complex code, nor did they have any obvious suspicious code logic. However, we found a link to a site in background.js, and the data obtained by the plug-in was sent to https[:]//aggrtrade-extension[.]com/statistics_collection/index[.]php.

By analyzing the manifest.json file, we can see that background uses /jquery/jquery-3.6.0.min.js and content uses /jquery/jquery-3.5.1.min.js, so let's focus on analyzing these two jquery files:

We found suspicious malicious code in jquery/jquery-3.6.0.min.js, which processes the cookies in the browser through JSON and sends them to the site : https[:]//aggrtrade-extension[.]com/statistics_collection/index[.]php.

After static analysis, in order to more accurately analyze the behavior of the malicious extension sending data, we began to install and debug the extension. (Note: The analysis should be performed in a brand new test environment, without any account logged in, and the malicious site should be changed to a self-controllable one to avoid sending sensitive data to the attacker's server during the test)

After installing the malicious extension in the test environment, open any website, such as google.com, and then observe the network requests in the background of the malicious extension. It is found that Google's cookies data is sent to an external server:

We also see the cookies data sent by the malicious extension on the Weblog service:

At this point, if the attacker obtains user authentication, credentials and other information, using browser extension hijacking cookies, you can carry out knock-on attacks on some trading websites and steal users' crypto assets.

Let's analyze the malicious link sent back: https[:]//aggrtrade-extension[.]com/statistics_collection/index[.]php.

Domain name involved: aggrtrade-extension[.]com

Analyze the domain name information in the above picture:

.ru looks like a typical Russian-speaking user, so it is likely to be a Russian or Eastern European hacker group.

Attack timeline:

Analyzing the malicious website aggrtrade-extension[.]com that impersonates AGGR (aggr.trade), we found that hackers began planning the attack three years ago:

Four months ago, hackers deployed the attack:

According to the InMist threat intelligence cooperation network, we found that the hacker's IP is located in Moscow, using a VPS provided by srvape.com, and the email address is [email protected].

After the deployment was successful, the hacker began to promote it on Twitter, waiting for the fish to take the bait. Everyone knows the story behind it. Some users installed the malicious extension and then got stolen.

The following is the official reminder from AggrTrade:

Summary

The SlowMist Security Team reminds users that the risk of browser extensions is almost as great as running executable files directly, so be sure to review carefully before installation. At the same time, be careful of those who send you private messages. Now hackers and scammers like to impersonate legitimate and well-known projects and target content creators in the name of funding and promotion. Finally, when walking in the dark forest of blockchain, always remain skeptical and make sure what you install is safe and does not give hackers an opportunity.