A known malware called ViperSoftX Windows malware has been upgraded and is now much more dangerous, according to experts from Avast.

The JavaScript-based RAT has been active for over two years and can now install a Chrome browser add-on.

ViperSoftX is sneaky in its method of attack. The malware would look at clipboard contents of the endpoint it infected. If it notices that a user is copying and pasting a cryptocurrency wallet address, it would replace the currently copied address with the address of the hackers. That way when all is said and done, the funds would get transferred to the attackers without the victim even knowing.

Cryptocurrency addresses are long lines of random characters, which makes fraud hard to detect. A fake Google Sheets add-on basically does the same thing, just with more efficiency.

“VenomSoftX mainly does this (steals crypto) by hooking API requests on a few very popular crypto exchanges victims visits/have an account with,” the researchers said. “When a certain API is called, for example, to send money, VenomSoftX tampers with the request before it is sent to redirect the money to the attacker itself.”

This malware targets sites like Coinbase, Binance, Kucoin, Gate.io and Blockchain.com.

According to the researchers, there are two details about VenomSoftX to note. The first is that it can modify HTML on webpages to display the victim’s crypto wallet address. Secondly, VenomSoftX will intercept API requests to the services and set the transaction amount to the maximum. Even if the victim is just doing a very small test transaction, they would still lose all of their funds.

For Blockchain, the malware will try to steal the victims’ password, should they try to enter it on the site.

So far, researchers say that attacks have stolen $130,000 worth of various crypto funds from users in the US, Italy, Brazil and India.

Story via TechRadar