Sunday, 26 April 2026
  • 25 April 2026
  • 23:50
A Fake Trading Platform Steals Investors' Data Through Malware

Khaberni - Security researchers have observed a new cyber campaign that uses a fake trading site called "TradingClaw" to lure victims into downloading malware known as "Needle Stealer", an advanced data-stealing tool that not only collects passwords and cookies but can also give attackers almost complete control over the browser itself.

The site, hosted on the domain "tradingclaw[.]pro", masquerades as an AI-powered trading assistant for the "TradingView" platform, with which it has no affiliation, in an attempt to exploit the trust users place in digital trading tools.

What is "Needle Stealer"?
The software, written in "Golang", is classified as a modular "information stealer", meaning that attackers can activate different modules depending on the target, from stealing browser data and active sessions to targeting cryptocurrency wallets such as "MetaMask", "Trezor", and "Ledger".

According to the analysis, the risk is not limited to stealing information; it also includes hijacking the clipboard, capturing data entered in forms, intercepting downloads, and injecting malicious code into web pages.

Controlling the browser from within
According to "Malwarebytes", one of the most dangerous aspects of the attack is the deployment of malicious browser extensions bearing names that mimic Google services; once planted on the system, they grant attackers the ability to:

Monitor the browsing history and send it to Command and Control (C2) servers.
Redirect the victim to fake sites without their knowledge.
Replace files being downloaded with malicious ones.
Inject code into web pages to manipulate the content or steal additional data.
Display fake browser notifications controlled by the attacker.
According to the researchers, these extensions provide "almost complete control over the browser", surpassing the capabilities of traditional theft software.

How does the attack begin?
The attack relies on a "ZIP" file downloaded from the fake site, then uses "DLL Hijacking", or system library file hijacking, to execute the software through a legitimate Windows process called RegAsm.exe, in an attempt to avoid security detection.

The site was also observed to behave selectively, showing the malicious page to some visitors while redirecting others to alternative pages, a common technique for evading detection of the attack infrastructure.

Researchers warn of an increase in the use of fake AI interfaces as bait in attacks, transforming tools that are supposed to aid traders into channels for implanting spyware.

How can you protect yourself?
In this context, the researchers recommend:

Download software from official sites only.
Verify the identity of the publisher of any file before executing it.
Regularly review browser extensions and delete the unfamiliar ones.
Inspect network logs for any connections to suspicious control servers.
Immediately transfer cryptocurrency assets from a clean device if a breach is suspected.
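As an added example that is not part of the original article or of Malwarebytes' research, the following Python script shows how the "review browser extensions" recommendation can be automated: it audits a Chromium-style extension preferences file (a constructed sample is embedded) and flags extensions that were not installed from the Chrome Web Store, use a non-Google update URL, carry a Google-branded name outside the store, or combine the permissions an extension would need to monitor history, swap downloads, inject content and show notifications. The preference field names and location codes are assumptions about Chromium's layout; verify them against your own profile before relying on the output.

```python
import json

# Constructed sample in the shape of Chromium's "Secure Preferences"
# extension registry: one store-installed extension, one sideloaded one.
# Field names and location codes are assumptions to verify, not facts
# taken from the article.
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "abcdefghijklmnopabcdefghijklmnop": {
        "from_webstore": True, "location": 1,
        "manifest": {
            "name": "Reader Mode",
            "update_url": "https://clients2.google.com/service/update2/crx",
            "permissions": ["activeTab"]}},
    "ponmlkjihgfedcbaponmlkjihgfedcba": {
        "from_webstore": False, "location": 4,
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\gsvc",  # constructed
        "manifest": {
            "name": "Google Docs Offline Helper",  # constructed lookalike name
            "update_url": "https://update.example-cdn.invalid/crx",
            "permissions": ["webRequest", "webRequestBlocking", "<all_urls>",
                            "downloads", "history", "notifications"]}}}}})

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Assumed Manifest::Location values meaning "not installed via the Web Store UI":
# external pref (2), external registry (3), unpacked (4), command line (8).
SIDELOAD_LOCATIONS = {2, 3, 4, 8}
# Permissions that together enable the behaviours described in the article.
RISKY_PERMS = {"webRequest", "webRequestBlocking", "<all_urls>",
               "downloads", "history", "notifications", "scripting"}

def audit_extensions(prefs_json):
    """Return {extension_id: [reasons]} for extensions that deserve review."""
    settings = json.loads(prefs_json).get("extensions", {}).get("settings", {})
    findings = {}
    for ext_id, ext in settings.items():
        reasons = []
        manifest = ext.get("manifest", {})
        if not ext.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        if ext.get("location") in SIDELOAD_LOCATIONS:
            reasons.append(f"sideloaded (location={ext.get('location')})")
        if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
            reasons.append("non-Google update_url")
        if "google" in manifest.get("name", "").lower() and reasons:
            reasons.append("Google-branded name on a non-store extension")
        risky = RISKY_PERMS & set(manifest.get("permissions", []))
        if len(risky) >= 3:
            reasons.append("broad permissions: " + ", ".join(sorted(risky)))
        if reasons:
            findings[ext_id] = reasons
    return findings
```

Run it against the real "Preferences" or "Secure Preferences" file in a browser profile (the path depends on the browser and OS); anything flagged should be compared against the list of extensions the user knowingly installed.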