Novel Malware Impacts 300,000 Users through Unauthorized Chrome and Edge Extensions
An active and widespread malware campaign has been identified that deploys unauthorized Google Chrome and Microsoft Edge extensions via a trojan distributed through counterfeit websites posing as popular software download sites.
According to an analysis by the ReasonLabs research group, the trojan delivers a range of payloads, from basic adware add-ons that hijack search functions to more elaborate malicious scripts that deploy local extensions for data theft and command execution.
ReasonLabs reported, “This trojan malware, which has been active since 2021, emerges from counterfeit download portals offering addons for online gaming and video content.”
The malware and extensions collectively impact over 300,000 users of Google Chrome and Microsoft Edge, underscoring the extensive repercussions of this activity.
Central to this campaign is the exploitation of malvertising to promote replica websites endorsing popular software applications like Roblox FPS Unlocker, YouTube, VLC media player, Steam, and KeePass, deceiving users into downloading a trojan instead, paving the way for extension installation.
The digitally signed malicious installers create a scheduled task that in turn runs a PowerShell script responsible for downloading the next-stage payload from a remote server and executing it.
The script also modifies the Windows Registry to force-install extensions from the Chrome Web Store and Microsoft Edge Add-ons, enabling the hijacking of search queries on Google and Microsoft Bing, which are rerouted through attacker-controlled servers.
ReasonLabs explained, “Users cannot deactivate the extension, even with Developer Mode ‘ON.’ Later iterations of the script eliminate browser updates.”
Moreover, it loads a local extension downloaded directly from a command-and-control (C2) server, equipped with extensive capabilities to intercept all web requests, forward them to the server, receive commands and encrypted scripts, and inject and execute scripts on every page.
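The persistence chain described above (scheduled task, PowerShell downloader, Registry-enforced extension installs) leaves artifacts that a defender can audit from an elevated PowerShell prompt. The script below is an added example for this article, not code from ReasonLabs or from the campaign itself. It assumes the standard Chrome and Edge policy locations (`ExtensionInstallForcelist` under `HKLM\SOFTWARE\Policies\...`, which are the real policy keys) and the documented store update endpoints; the article gives no extension IDs, task names or C2 addresses, so nothing campaign-specific is hard-coded. On a machine that is not centrally managed by an organization, any forcelist entry at all deserves a look, since the article describes store-hosted extensions being forced this way.

```powershell
# Added defender-side audit example; not from the ReasonLabs report.
# Assumes the standard Chrome/Edge policy registry paths and official update URLs.

$forcelistPaths = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)

# Official store update endpoints; a forcelist entry pointing anywhere else is self-hosted.
$storeUpdatePattern = 'clients2\.google\.com/service/update2/crx|edge\.microsoft\.com/extensionwebstorebase/v1/crx'

function Get-ForcedExtensions {
    foreach ($path in $forcelistPaths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match '^PS') { continue }   # skip PSPath, PSParentPath, etc.
            # Forcelist values have the form "<extension id>;<update url>"; the URL is optional
            # and defaults to the store when absent.
            $id, $updateUrl = "$($p.Value)" -split ';', 2
            $nonStore = $false
            if ($updateUrl -and ($updateUrl -notmatch $storeUpdatePattern)) { $nonStore = $true }
            [pscustomobject]@{
                PolicyPath   = $path
                ValueName    = $p.Name
                ExtensionId  = $id
                UpdateUrl    = $updateUrl
                NonStoreUrl  = $nonStore
            }
        }
    }
}

function Get-SuspiciousPowerShellTasks {
    # Flags scheduled tasks whose action launches PowerShell with download/decode/hidden-window
    # arguments, the shape of the downloader stage described in the article.
    $downloaderPattern = 'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b|-enc|EncodedCommand|-w(indowstyle)?\s+hidden'
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if (($cmd -match 'powershell|pwsh') -and ($cmd -match $downloaderPattern)) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    State    = $task.State
                    Command  = $cmd
                }
            }
        }
    }
}

Write-Host '== Extensions force-installed by policy =='
Get-ForcedExtensions | Format-Table -AutoSize

Write-Host '== Scheduled tasks launching PowerShell with downloader-style arguments =='
Get-SuspiciousPowerShellTasks | Format-Table -AutoSize
```

Run it as an administrator so the `HKLM` hive and all users' tasks are visible. Forcelist entries explain the behaviour quoted from ReasonLabs below (the extension cannot be removed from the browser UI even in Developer Mode, because policy re-applies it); removing the offending Registry value is what actually releases the extension, after which the scheduled task that would re-create it must be removed as well.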

Furthermore, it intercepts search queries from Ask.com, Bing, and Google, channels them through its servers, and eventually redirects them to other search engines.
Similar campaigns have been documented in the wild before. In December 2023, the same cybersecurity firm detailed another trojan installer distributed via torrents that installed malicious web extensions disguised as VPN applications but intended to carry out “cashback activity hacks.”