Beware of Malicious Chrome Extension Draining Crypto Wallets

Researchers have identified a malicious Chrome extension, dubbed “Bull Checker”, that was targeting users of several Solana-related subreddits.

The Jupiter exchange issued a warning after multiple Solana DeFi users complained that their cryptocurrency wallets had been drained.

With the extension installed, users could still interact with dApps and see the usual transaction simulation, yet their tokens could be transferred to a different wallet at the end of the transaction.

Identification Of Malicious Extension

Further examination of several affected users drained by the same program pointed to “Bull Checker”, an extension with permission to read and change all data on every website, as the likely cause.

The Suspected Extension: Bull Checker

Bull Checker is presented as a read-only extension that shows who holds which memecoins. An extension of that kind has no need to read or change data on any website.

Although this should have been a serious warning sign, a number of users installed the extension and kept using it.

According to the report, Bull Checker stays dormant after installation until the user interacts with a legitimate dApp on its official domain; it then modifies the transaction that the dApp sends to the wallet for signature. Despite the modification, the simulation result still looks “normal” and does not reveal a drainer.

Researchers found that the anonymous Reddit user “Solana_OG” promoted Bull Checker, apparently persuading users to install it by posing as someone looking to trade memecoins.

Recommendation

Other malicious extensions are likely to exist. Uninstall any extension you suspect immediately, especially one that holds both “read” and “change” permissions for website data.

Do not trust an extension simply because it has many upvotes or has been mentioned on Reddit or another platform. Treat extensions that request broad permissions with great suspicion.

An extension like Bull Checker should never need to read and change all of your data on every website.

In addition, SafeGuard, a new guard-instruction feature from Blowfish, blocks simulation spoofing attempts. Several Solana wallets have already adopted it, and it is intended to stop attacks of this kind in the future.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.