Genel Bakis
Bu ornek, MetaMask kripto cuzdani ve Chrome tarayiciyi hedef alan 84KB'lik uzman bir credential stealer'dir. webextension@metamask.io uzantisini calarken ayni anda Chrome cookie'lerini SQL ile sorgulayan bu malware, Firefox NSS PK11SDR_Decrypt API'si ve Windows DPAPI CryptUnprotectData kullanarak sifreleri cozmektedir.
Teknik Analiz
MetaMask Cuzdani Hedefleme
metamask.iodomain referansiwebextension@metamask.io— MetaMask tarayici uzantisi"webextension@metamask.io":"— Firefox uzanti deposu sorgusu- MetaMask tohumunu (seed phrase) cekmek icin uzanti verisi hedefleniyor
Chrome Cookie Calma
SELECT host_key, path, is_secure, expires_utc, name, encrypted_value FROM cookies
cookies.txt,Web Data,Login DataCryptUnprotectData— DPAPI ile sifre cozmeCryptStringToBinaryA/W,CryptBinaryToStringW
Firefox NSS Sifre Cozme
PK11SDR_Decrypt— Firefox master password gecirmeden sifre cozme
Ayricalik Yukseltme
OpenProcessToken,DuplicateTokenEx,GetTokenInformationCreateProcessWithTokenW— token ile yeni islem baslatma
Teknik Ozellikler
| Ozellik | Value |
|---|---|
| Format | PE32 GUI Intel 80386 |
| Size | 84.480 bayt |
| Hedef | MetaMask, Chrome, Firefox |
| Cookie SQL | SELECT ... FROM cookies |
| Sifre Cozme | DPAPI CryptUnprotectData + PK11SDR_Decrypt |
IOC Ozeti
- Email:
webextension@metamask.io - SHA256:
fa6b29b3dc5d47fd549c0cde37077d1b6cb9cfa888ee8923dd3f14c048cf9853
IOC List (2 indicators)
IOC — MetaMask Stealer
# SHA256
fa6b29b3dc5d47fd549c0cde37077d1b6cb9cfa888ee8923dd3f14c048cf9853
# EMAIL
webextension@metamask.io
| Type | Value | Note |
|---|---|---|
| sha256 | fa6b29b3dc5d47fd549c0cde37077d1b6cb9cfa888ee8923dd3f14c048cf9853 | |
| webextension@metamask.io |