High-Risk Phishing Campaign Targets TRON Wallet Users via Fake Chrome Extension
Severity: High (Score: 74.0)
Sources: slowmist.medium.com, Chaincatcher
Summary
A phishing campaign targeting TRON wallet users has been identified, involving a counterfeit Chrome extension masquerading as TronLink. The extension employs Unicode bidirectional control characters and Cyrillic homoglyphs to impersonate the brand name. Once installed, it loads a phishing page through a remote iframe, designed to steal sensitive information such as mnemonic phrases, private keys, and passwords. The malicious extension inherits the user count and positive reviews of a legitimate extension, reducing user suspicion. SlowMist has issued a warning and recommends users uninstall suspicious extensions and monitor for abnormal activity. The attack exploits the limitations of static analysis tools, making detection challenging. Users are urged to take immediate action to secure their wallets.

Key Points:
- A fake TronLink Chrome extension is stealing sensitive wallet information.
- The extension uses sophisticated techniques to impersonate the legitimate brand.
- SlowMist advises users to uninstall suspicious extensions and monitor their accounts.
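The brand-impersonation trick described above (bidirectional control characters plus Cyrillic look-alike letters in the extension name) is exactly the kind of thing a defender can flag mechanically before an extension is allowed into a managed browser fleet. The following is an added example, not code from SlowMist or from the report's sources: it checks an extension's display name for bidi controls, Cyrillic homoglyphs and mixed scripts, folds the confusables, and reports whether the folded name collides with a protected brand. The `SAMPLE_NAMES` list is constructed for illustration; it does not reproduce the actual name used by the malicious extension, and the homoglyph table covers only common Cyrillic/Latin pairs.

```python
import unicodedata

# Unicode bidirectional control characters (marks, embeddings, overrides, isolates).
BIDI_CONTROLS = {
    "\u200e", "\u200f",                                   # LRM, RLM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",     # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",               # LRI, RLI, FSI, PDI
}

# Small, hand-built map of Cyrillic letters that render like Latin letters (assumption: not exhaustive).
CYRILLIC_HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}


def script_of(ch):
    """Return the script word from the character's Unicode name, e.g. 'LATIN' or 'CYRILLIC'."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def analyze_name(name, brand):
    """Describe why `name` is (or is not) a suspicious imitation of `brand`."""
    bidi = [f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS]
    homoglyphs = [f"U+{ord(c):04X}" for c in name if c in CYRILLIC_HOMOGLYPHS]
    # Scripts present in the raw name; a brand name should normally use one script.
    scripts = {script_of(c) for c in name if c.isalpha()}
    # Drop bidi controls, swap confusables for their Latin twins, then apply NFKC
    # so compatibility forms (full-width letters etc.) also collapse.
    folded = "".join(CYRILLIC_HOMOGLYPHS.get(c, c) for c in name if c not in BIDI_CONTROLS)
    folded = unicodedata.normalize("NFKC", folded)
    impersonates = folded.casefold() == brand.casefold() and name != brand
    return {
        "name": name,
        "bidi_controls": bidi,
        "homoglyphs": homoglyphs,
        "mixed_script": len(scripts) > 1,
        "folded": folded,
        "impersonates_brand": impersonates,
        "suspicious": bool(bidi or homoglyphs or impersonates),
    }


def scan(names, brand):
    """Return the analysis records for every name that should be blocked or reviewed."""
    return [r for r in (analyze_name(n, brand) for n in names) if r["suspicious"]]


# Constructed sample names (not the real malicious extension's name).
SAMPLE_NAMES = [
    "TronLink",          # legitimate spelling
    "Tr\u043enLink",     # Cyrillic small 'о' in place of Latin 'o'
    "\u202eTronLink",    # right-to-left override prepended
    "TronLink Wallet",   # a different, unproblematic name
]

if __name__ == "__main__":
    for record in scan(SAMPLE_NAMES, "TronLink"):
        print(record)
```

Run it against the `name` field of each extension manifest (or the Web Store listing title) you are asked to approve; any hit on `bidi_controls` or `homoglyphs` is worth a manual look even when the folded name does not match a brand you track, since the same trick works against any trusted name.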
Key Entities
- Phishing (attack_type)
- api.trongrid.io (domain)
- bhex.sg (domain)
- crypto.com (domain)
- tronfind-api.tronfindexplorer.com (domain)
- tronscan.org (domain)
- ce612d027e631d6633582227eb29002f (md5)
- T1071 - Application Layer Protocol (mitre_attack)
- T1566 - Phishing (mitre_attack)
- T1567 - Exfiltration Over Web Service (mitre_attack)
- Chrome Web Store (platform)
- TronLink (platform)
- Vercel (company)
- 94d651b42355f2b0765a7435e5a5927623807225 (sha1)
- 0cbf4f21cf157227d2c3fba80b64e1f4c3f9d2cc0bf926e024252c35e93edd5a (sha256)
- 6b4a4b64e6f969017cb3a9a71dd3038ddf32b989e5342dbbe36650d5802f2ee4 (sha256)
- b84b89f0a1b7f00431274ac676104acaaa73d440e5731161d1077e733014cc29 (sha256)
- Telegram Bot (tool)