SendSafe (Malware)
⚠️ Overview
SendSafe is a malicious browser extension and information stealer first documented by Proofpoint researchers in July 2020, operated by the threat actor group TA568 (also tracked as UNC3337). It falls under the category of Stealer and Browser Hijacker, primarily targeting credentials and session cookies for financial services and cryptocurrency exchanges.
🔧 Technical Capabilities
SendSafe propagates via malvertising campaigns that redirect users to fake browser extension download pages, often mimicking legitimate tools such as Adobe Flash or Google Meet updates. The extension (installed under a Chrome extension ID such as nmjpoihkebebjclhajnndfhnchcobdhh) abuses the chrome.storage.local API to stage exfiltrated data, then communicates with a command-and-control (C2) server over HTTPS using a custom JSON-based protocol. Persistence is achieved through the Chrome extension auto-update mechanism and through a registered background script that re-injects the extension after browser restarts. Evasion techniques include dynamically loading malicious code from the C2 to avoid static detection, using WebRTC IP leaks to identify victims, and checking for debugger or sandbox environments before activating.
📜 History & Notable Incidents
First observed in February 2020, SendSafe was heavily deployed in 2021 campaigns targeting users of Coinbase, Binance, and Blockchain.com. In June 2021, Proofpoint reported a coordinated campaign that compromised over 15,000 users across North America and Europe, with the attackers harvesting session tokens to bypass multi-factor authentication (MFA). No specific CVEs are associated with SendSafe itself: it relies on the man-in-the-browser technique through legitimate browser extension APIs rather than on a software vulnerability.
🔍 Detection Indicators
Known file hashes include SHA256: 2a7e8f9c1b3d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e (example from Proofpoint report). Behavioral signatures include the extension making excessive GET requests to /api/collect endpoints on domains like send-safe[.]com and cdn-update[.]net. Network IOCs include User-Agent strings containing Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 with a trailing custom token. Registry keys under HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs are modified to inject the extension's ID.
☠️ Risk & Impact
SendSafe steals login credentials, session cookies, and cryptocurrency wallet private keys, leading to account takeover and financial losses. In the 2021 campaign, victims lost an average of $2,300 per incident, with total damages exceeding $35 million across the targeted cryptocurrency sector. Affected industries include finance, cryptocurrency exchanges, and online banking.
🛡️ Mitigation
Mitigation includes allow-listing browser extensions via Group Policy, enabling Safe Browsing in Chrome to block malicious extensions, and deploying YARA rules (e.g., rule SendSafe_Stealer from Proofpoint's GitHub) to flag the extension in installation logs. SOC teams should monitor for anomalous outbound HTTPS traffic to known C2 domains and implement conditional access policies that revoke sessions when cookie theft is suspected.
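The following script is an added example, not code from the page, from Proofpoint, or from Boteraser. It shows how a SOC could turn the behavioral and network indicators listed above (the de-fanged C2 domains, the /api/collect endpoint, and the Chrome 91 User-Agent with a trailing custom token) into a simple triage pass over proxy logs. The log format (timestamp, client IP, method, URL, quoted User-Agent) and the log lines themselves are constructed for the example; the alert scoring by number of converging indicators is an assumption of this example, not something the page describes.

```python
"""Triage proxy-log lines against the SendSafe indicators quoted above.

Added example: the log format and sample lines below are constructed, not
real telemetry; the indicators are the ones listed on the page.
"""
import re
from urllib.parse import urlparse

# Indicators as given on the page (domains are shown de-fanged there).
C2_DOMAINS = {"send-safe.com", "cdn-update.net"}
COLLECT_PATH = "/api/collect"
BASE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")

# Constructed sample lines in a hypothetical format:
#   <timestamp> <client-ip> <method> <url> "<user-agent>"
SAMPLE_LOG = """\
2021-06-03T10:01:02Z 10.0.0.12 GET https://send-safe.com/api/collect?id=abc "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 x9k2"
2021-06-03T10:01:05Z 10.0.0.12 GET https://www.example.org/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
2021-06-03T10:02:10Z 10.0.0.33 POST https://cdn-update.net/update "Mozilla/5.0 (X11; Linux x86_64) Firefox/89.0"
2021-06-03T10:02:44Z 10.0.0.40 GET https://intranet.example.org/api/collect "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_line(line):
    """Split one log line into its fields; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def indicators_for(entry):
    """Return the list of page-listed indicators that a single request matches."""
    parsed = urlparse(entry["url"])
    host = parsed.hostname or ""
    hits = []
    # Known C2 domains, including subdomains of them.
    if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
        hits.append("c2_domain")
    # GET requests to the /api/collect endpoint.
    if entry["method"] == "GET" and parsed.path == COLLECT_PATH:
        hits.append("collect_endpoint")
    # The documented Chrome 91 User-Agent with something appended after it.
    if entry["ua"].startswith(BASE_UA) and entry["ua"] != BASE_UA:
        hits.append("ua_trailing_token")
    return hits


def scan(log_text):
    """Return (client, url, hits, score) for every line matching at least one indicator.

    score is the number of converging indicators (assumption of this example):
    a lone /api/collect path on an internal host is a weak signal, while a C2
    domain plus the endpoint plus the tagged User-Agent together are strong.
    """
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = indicators_for(entry)
        if hits:
            alerts.append((entry["client"], entry["url"], hits, len(hits)))
    return alerts


if __name__ == "__main__":
    for client, url, hits, score in scan(SAMPLE_LOG):
        print(f"score={score} client={client} url={url} hits={','.join(hits)}")
```

Only the first constructed line triggers all three indicators; the internal /api/collect request scores 1 and is the kind of hit an analyst should confirm against the extension inventory (or the PreferenceMACs key mentioned above) before acting on it.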
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.