Recently, code was found injected into a Google Chrome extension named “Shitcoin Wallet” that steals passwords and private keys for cryptocurrency wallets and cryptocurrency portals. This malicious extension was launched on December 9th with the Chrome extension ID “ckkgmccefffnbbalkmbbgebbojjogffn”. So far, the extension is still available for download through the official Google Chrome Web Store. “Shitcoin Wallet” is a Google Chrome extension that allows users to manage both Ether (ETH) coins and Ethereum ERC20-based tokens within their browser or the Windows desktop app. Ethereum ERC20-based tokens are usually issued for ICOs (Initial Coin Offerings). However, on December 31st the wallet app was found to contain malicious code. This extension can endanger users in 2 ways:
- Because the extension sends the private keys of all wallets created or managed through its interface to a third-party website located at erc20wallet[.]tk, any funds, including ETH coins and ERC20-based tokens, managed directly inside the extension are at risk.
Here is the process by which users are affected by the malicious code:
- Users install the Chrome extension
- When users navigate to any of a list of 77 sites, the extension loads and injects an additional JS file from: https://erc20wallet[.]tk/js/content_.js
- This JS file contains obfuscated code [deobfuscated here]
- The code activates on five websites: MyEtherWallet.com, Idex.Market, Binance.org, NeoTracker.io, and Switcheo.exchange
- Once activated, the malicious JS code records the user’s login credentials, searches for private keys stored inside the dashboards of the five services, and, finally, sends the data to erc20wallet[.]tk
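The two indicators the article gives, the extension ID and the erc20wallet[.]tk domain, are enough for a simple host-based check. The following is an added example, not code from the original article or from any named vendor: it walks a Chrome `Extensions` directory (Chrome's real layout is `<profile>/Extensions/<32-char id>/<version>/manifest.json`), reports any installed extension whose ID is on a known-bad list, and flags extension files that reference a known exfiltration domain. The sample directory tree, the benign extension's ID, the version directory names and the script contents are all constructed here so that the script runs offline.

```python
"""
Added example (not from the original article): scan a Chrome Extensions
directory for a known-bad extension ID and for files that reference a known
exfiltration domain. Real layout: <profile>/Extensions/<id>/<version>/manifest.json
"""
import json
import os
import tempfile

# Indicators taken from the article: the extension ID and the domain the
# stolen credentials and private keys are sent to.
KNOWN_BAD_EXTENSION_IDS = {"ckkgmccefffnbbalkmbbgebbojjogffn"}
KNOWN_BAD_DOMAINS = {"erc20wallet.tk"}


def _extension_name(version_dir):
    """Read the display name from manifest.json, tolerating a missing or broken file."""
    try:
        with open(os.path.join(version_dir, "manifest.json"), encoding="utf-8") as fh:
            return json.load(fh).get("name", "<unnamed>")
    except (OSError, ValueError):
        return "<no manifest>"


def _domain_references(version_dir):
    """Yield (relative file path, domain) for every file that mentions a bad domain."""
    for dirpath, _dirs, filenames in os.walk(version_dir):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            for domain in KNOWN_BAD_DOMAINS:
                if domain in text:
                    yield os.path.relpath(full, version_dir), domain


def scan_extensions_dir(extensions_dir):
    """Return one finding dict per suspicious extension found under extensions_dir."""
    findings = []
    if not os.path.isdir(extensions_dir):
        return findings
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_dir = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        reasons = []
        names = set()
        if ext_id in KNOWN_BAD_EXTENSION_IDS:
            reasons.append("extension ID is on the known-bad list")
        # Chrome keeps each installed version of an extension in its own subdirectory.
        for version in sorted(os.listdir(ext_dir)):
            version_dir = os.path.join(ext_dir, version)
            if not os.path.isdir(version_dir):
                continue
            names.add(_extension_name(version_dir))
            for path, domain in _domain_references(version_dir):
                reasons.append(f"{version}/{path} references {domain}")
        if reasons:
            findings.append({"id": ext_id, "names": sorted(names), "reasons": reasons})
    return findings


def build_sample_tree():
    """Build a constructed Extensions directory: one benign and one bad extension."""
    root = tempfile.mkdtemp(prefix="chrome-ext-sample-")

    def write_ext(ext_id, version, manifest, files):
        version_dir = os.path.join(root, ext_id, version)
        os.makedirs(version_dir)
        with open(os.path.join(version_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
        for name, body in files.items():
            with open(os.path.join(version_dir, name), "w", encoding="utf-8") as fh:
                fh.write(body)

    # Constructed benign extension: made-up ID, no reference to any bad domain.
    write_ext("abcdefghijklmnopabcdefghijklmnop", "1.0.0_0",
              {"name": "Sample Notes", "manifest_version": 2},
              {"background.js": "console.log('hello');\n"})
    # Constructed stand-in for the behaviour the article describes: the known-bad
    # ID plus a script that refers to content_.js on the exfiltration domain.
    write_ext("ckkgmccefffnbbalkmbbgebbojjogffn", "1.0.0_0",
              {"name": "Shitcoin Wallet", "manifest_version": 2},
              {"inject.js": "var src = 'https://erc20wallet.tk/js/content_.js';\n"})
    return root


if __name__ == "__main__":
    for finding in scan_extensions_dir(build_sample_tree()):
        print(finding["id"], finding["names"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

To check a real machine, point `scan_extensions_dir` at the profile's extension directory instead of the sample tree (typically `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows and `~/.config/google-chrome/Default/Extensions` on Linux). The domain match is deliberately a plain substring check so that it also catches the URL when it is split across string concatenation only if the domain itself is intact; obfuscated loaders that assemble the hostname at runtime need the extension's network traffic or a deobfuscated copy of the script to confirm.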