LocalMonero discovers malicious browser extension targeting XMR users
[..] a user reported to us that the address that they specified when opening a trade wasn’t actually the address to which the coins were sent. [..] this doesn’t work like the clipboard-replacing malware we’ve all heard about. Instead, this malware actually waits until you hit the submit button before replacing the address in a way that’s hidden from you unless it errors out.
The affected user was running Chrome on a Windows machine infected with malware (detected as Trojan.BitCoinMiner) that a Windows Defender scan had missed but Malwarebytes reported.
According to the LocalMonero team, a malicious Windows system task designed to run that [vbscript] file was attempting to install the browser extension into any Chromium-based browser present on the machine.
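A triage check a responder could run on the infected Windows host, added here as an example and not part of the LocalMonero report: it lists scheduled tasks whose action invokes the Windows Script Host (wscript.exe/cscript.exe) or references a .vbs file, enumerates the extensions installed in the profiles of common Chromium-based browsers by reading each extension's manifest.json, and prints any extensions force-installed through the ExtensionInstallForcelist policy. The profile paths, the browser list and the policy keys are assumptions about a standard per-user install; the script does not identify the specific extension from the report, which is not named here.

```powershell
# Added example, not from the LocalMonero report. Host triage for the pattern
# described above: a scheduled task running a VBScript that installs an
# extension into Chromium-based browsers. Paths and browser list are assumptions.

# --- 1. Scheduled tasks whose action runs wscript/cscript or names a .vbs file
$suspectTasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $exe       = [string]$action.Execute
        $arguments = [string]$action.Arguments
        if ($exe -match '(?i)(w|c)script(\.exe)?$' -or $arguments -match '(?i)\.vbs') {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Execute   = $exe
                Arguments = $arguments
            }
        }
    }
}
"== Scheduled tasks invoking wscript/cscript or a .vbs file =="
$suspectTasks | Format-Table -AutoSize

# --- 2. Extensions present in Chromium-based browser profiles.
# Assumed layout: <User Data>\<Profile>\Extensions\<id>\<version>\manifest.json
$userDataDirs = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data"
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
    "$env:LOCALAPPDATA\BraveSoftware\Brave-Browser\User Data"
    "$env:LOCALAPPDATA\Chromium\User Data"
) | Where-Object { Test-Path $_ }

$extensions = foreach ($dir in $userDataDirs) {
    $profiles = Get-ChildItem -Path $dir -Directory |
        Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }
    foreach ($profile in $profiles) {
        $extRoot = Join-Path $profile.FullName 'Extensions'
        if (-not (Test-Path $extRoot)) { continue }
        foreach ($extDir in Get-ChildItem -Path $extRoot -Directory) {
            $manifests = Get-ChildItem -Path $extDir.FullName -Filter manifest.json -Recurse -File
            foreach ($manifest in $manifests) {
                $m = Get-Content -Path $manifest.FullName -Raw | ConvertFrom-Json
                [pscustomobject]@{
                    Browser        = Split-Path (Split-Path $dir -Parent) -Leaf
                    Profile        = $profile.Name
                    Id             = $extDir.Name
                    Name           = $m.name      # may be a __MSG_*__ placeholder for localized names
                    Version        = $m.version
                    Permissions    = ($m.permissions -join ', ')
                    HostPerms      = ($m.host_permissions -join ', ')
                    ContentScripts = ($m.content_scripts.matches -join ', ')  # pages where injected scripts run
                }
            }
        }
    }
}
"== Extensions found in browser profiles =="
$extensions | Sort-Object Browser, Profile, Name | Format-Table -AutoSize -Wrap

# --- 3. Extensions forced in by policy (not removable from the browser's extensions page)
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
"== ExtensionInstallForcelist policy entries =="
foreach ($key in $policyKeys | Where-Object { Test-Path $_ }) {
    $key
    Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
}
```

Run it from an elevated PowerShell so that all users' tasks and the HKLM policy keys are readable. The useful signal is an extension whose content scripts match the trading site while its name and ID are unknown to the user, or a task whose only job is to launch a script from a user-writable directory; as the report notes, the antivirus verdict alone was not enough, since Defender missed the infection.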
Not affected, according to the report:
- Firefox-based browsers (including Tor Browser)
- a browser launched in private/incognito mode with all extensions disabled
- the website accessed in NoJS mode (even on a compromised browser)
Recommendations:
- never open unknown links and never trust unknown files
- use Whonix/Tails/Qubes/Linux instead of Windows
- LocalMonero recommends using the Ungoogled Chromium browser
This is an ongoing story and the report will be updated when new information is available.