New Malware Hits 300,000 Users with Rogue Chrome and Edge Extensions

New Malware Hits 300,000 Users with Rogue Chrome and Edge Extensions

Technology

Aug 10, 2024Ravie LakshmananBrowser Security / Online Fraud

New Malware Hits 300,000 Users with Rogue Chrome and Edge Extensions

An ongoing, widespread malware campaign has been observed installing rogue Google Chrome and Microsoft Edge extensions via a trojan distributed via fake websites masquerading as popular software.

“The trojan malware contains different deliverables ranging from simple adware extensions that hijack searches to more sophisticated malicious scripts that deliver local extensions to steal private data and execute various commands,” the ReasonLabs research team said in an analysis.

“This trojan malware, existing since 2021, originates from imitations of download websites with add-ons to online games and videos.”

Cybersecurity

The malware and the extensions have a combined reach of at least 300,000 users of Google Chrome and Microsoft Edge, indicating that the activity has a broad impact.

At the heart of the campaign is the use of malvertising to push lookalike websites promoting known software like Roblox FPS Unlocker, YouTube, VLC media player, Steam, or KeePass to trick users searching for these programs into downloading a trojan, which serves as a conduit for installing the browser extensions.

The digitally signed malicious installers register a scheduled task that, in turn, is configured to execute a PowerShell script responsible for downloading and executing the next-stage payload fetched from a remote server.

Malware

This includes modifying the Windows Registry to force the installation of extensions from Chrome Web Store and Microsoft Edge Add-ons that are capable of hijacking search queries on Google and Microsoft Bing and redirecting them through attacker-controlled servers.

“The extension cannot be disabled by the user, even with Developer Mode ‘ON,'” ReasonLabs said. “Newer versions of the script remove browser updates.”

It also launches a local extension that is downloaded directly from a command-and-control (C2) server, and comes with extensive capabilities to intercept all web requests and send them to the server, receive commands and encrypted scripts, and inject and load scripts into all pages.

On top of that, it hijacks search queries from Ask.com, Bing, and Google, and funnels them through its servers and then on to other search engines.

Cybersecurity

Users who are affected the malware attack are recommended to delete the scheduled task that reactivates the malware each day, remove the Registry keys, and delete the below files and folders from the system –

  • C:\Windows\system32\Privacyblockerwindows.ps1
  • C:\Windows\system32\Windowsupdater1.ps1
  • C:\Windows\system32\WindowsUpdater1Script.ps1
  • C:\Windows\system32\Optimizerwindows.ps1
  • C:\Windows\system32\Printworkflowservice.ps1
  • C:\Windows\system32\NvWinSearchOptimizer.ps1 – 2024 version
  • C:\Windows\system32\kondserp_optimizer.ps1 – May 2024 version
  • C:\Windows\InternalKernelGrid
  • C:\Windows\InternalKernelGrid3
  • C:\Windows\InternalKernelGrid4
  • C:\Windows\ShellServiceLog
  • C:\windows\privacyprotectorlog
  • C:\Windows\NvOptimizerLog

This is not the first time similar campaigns have been observed in the wild. In December 2023, the cybersecurity company detailed another trojan installer delivered through torrents that installed malicious web extensions masquerading as VPN apps but are actually designed to run a “cashback activity hack.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Read original source here.

Products You May Like

Articles You May Like

Trump attending SpaceX launch with Elon Musk
CFPB expands oversight of Apple Pay, other digital payments services
Kevin Feige Confirms the Fantastic Four for Next ‘Avengers’
Attempted murder suspect arrested in downtown Los Angeles after pursuit – NBC Los Angeles
Three stabbing victims hospitalized in Glendale – NBC Los Angeles