12 August 2024

Massive malware campaign force-installs malicious Chrome extensions on browsers


Massive malware campaign force-installs malicious Chrome extensions on browsers

A large-scale malware campaign has compromised over 300,000 Google Chrome and Microsoft Edge browsers, force-installing malicious extensions that hijack homepages, steal browsing history, and execute unauthorized commands on infected devices, according to cybersecurity researchers at ReasonLabs.

The malware is delivered through fake websites mimicking popular download sites, such as those offering utilities like Roblox FPS Unlocker, YouTube video downloaders, VLC media player, and KeePass password manager. The fraudulent sites trick users into downloading what appears to be legitimate software, but instead, the downloads contain malware designed to install harmful extensions.

The researchers said that the malware is polymorphic, meaning it can change its code to avoid detection by security software. The malware's digital signatures, such as those from 'Tommy Tech LTD', have successfully evaded detection by all antivirus engines on platforms like VirusTotal at the time of analysis.

The malware, which has been in circulation since 2021, leverages a variety of sophisticated techniques to evade detection by antivirus engines. Once installed, the malware registers a scheduled task using a PowerShell script, which then downloads a payload from a remote server. This payload proceeds to install malicious extensions directly into the browser.

The installed extensions are capable of hijacking search queries, changing the user's homepage, and redirecting searches through servers controlled by the threat actors. This allows the attackers to steal browsing history, capture login credentials, and monitor online activities. Moreover, the extensions can execute commands received from a command-and-control (C2) server, further compromising the infected device.

The malicious extensions remain hidden from the browser's extension management page, even when developer mode is enabled. Additionally, newer variants of the malware have been observed tampering with browser DLL files. All this makes detection and removal extremely difficult for the average user, the researchers noted.

Back to the list

Latest Posts

What is Vulnerability Management? A Beginner's Guide

What is Vulnerability Management? A Beginner's Guide

In this article will try to cover basics of vulnerability management process and why it is important to every company.
11 September 2024
Cyber Security Week in Review: September 6, 2024

Cyber Security Week in Review: September 6, 2024

In brief: the US charges Russian GRU hackers for attacks on Ukraine, Apache, Cisco, Zyxel patch high-risk flaws, Google fixes Android zero-day, and more.
6 September 2024
Threat actors using MacroPack Red Team framework to deploy Brute Ratel, Havoc and PhantomCore

Threat actors using MacroPack Red Team framework to deploy Brute Ratel, Havoc and PhantomCore

Some of the documents appeared to be part of legitimate Red Team exercises, while other were intended for malicious purposes.
5 September 2024