Malicious Chrome Extension Steals ‘All Posted Data’ without Login Credentials

The trend of spreading adware, banking Trojans and other malware through compromised or fake browser extensions appears to be growing. Recently there have been quite a few incidents in which malicious extensions were used to spread malware, and cybercriminals are leaving no stone unturned in abusing add-ons for popular browsers such as Google Chrome to achieve their goals.

According to Morphus Labs’ chief research officer Renato Marinho, another malicious Google Chrome extension is being distributed to unsuspecting users through phishing emails. Once installed, the extension can capture everything the user posts online, without the attacker needing any further elaborate procedure.

This means the attacker does not need to lure the victim onto a fake login page, steal stored credentials, or ship additional apps and files after the initial infection: whatever the user submits in the browser is captured, which is why the malware has been named Catch-All. It also shows how attackers keep refining their tactics.

A phishing email with a Portuguese subject line, containing links to supposed photos from a weekend event, serves as the infection vector of this campaign. The message reads:

“Segue as (Fotos Final de Semana) Enviadas via WhatsApp (30244)” (“Here are the (Weekend Photos) sent via WhatsApp (30244)”).

The email is made to look as if it had been sent through the popular messaging application WhatsApp. The photo link delivers a malware dropper named “whatsapp.exe”, which, when executed, displays a fake Adobe PDF Reader installation screen while it downloads and unpacks two further files, md0 and md1, and then executes the file “md18102136.cab”. This file is a 9.5 MB zip-compressed archive; when it is uncompressed, two large files of around 200 MB are released.

Catch-All Malware Steals All Posted Data without Using Malicious URLs or Login Credentials

When md0 is executed, it disables the Windows Firewall and kills all Google Chrome processes in order to install the malicious Catch-All extension, which is written in JavaScript. It then extracts the extension and modifies the Chrome launcher’s “.lnk” shortcut files so that the extension is loaded the next time Chrome is started. All data the victim posts on any website is captured by the extension and sent to a C&C server through jQuery and Ajax requests.

The malware inserts the following command line into the Google Chrome shortcut file:

“C:\Program Files (x86)\Google\Chrome\Application\chrome.exe” --disable-extensions-file-access-check --always-authorize-plugins --disable-improved-download-protection --load-extension=“C:\Users\<USER>\AppData\Local\complemento\E1EDEAE8EFE3E0EEE0DC2610495”

Besides sideloading the unpacked extension from a user-writable directory (bypassing the Chrome Web Store entirely), these switches disable key browser protections, such as the extension file-access check and Safe Browsing’s improved download protection, so that the malicious extension can do its work without being noticed.
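The tampered shortcut is a simple, durable indicator for this family, so an incident responder will want to scan every Chrome shortcut for the switches above. The following is an added example (not code from the article, SANS or Morphus Labs): it takes the command line a .lnk would launch, that is the shortcut’s target followed by its arguments, tokenises it Windows-style, reports the suspicious switches and extracts the sideloaded extension directories, singling out those under user-writable paths. The switch names are real Chromium switches; the descriptions, the user-writable heuristic and the sample shortcuts are this example’s own, and the first sample reproduces the command line quoted above.

```python
"""Check Chrome shortcut command lines for extension-sideloading switches.

Added example, not code from the article or from Morphus Labs. Input is the
command line a .lnk file would launch: the shortcut's target followed by its
arguments. The sample shortcuts at the bottom are constructed; the first
mirrors the command line quoted in the article.
"""

# Real Chromium command-line switches; the descriptions are this example's own.
SUSPICIOUS_SWITCHES = {
    "--load-extension": "sideloads an unpacked extension that never went through the Web Store",
    "--disable-extensions-file-access-check": "lets extensions read local files without the opt-in",
    "--always-authorize-plugins": "runs plugins without asking the user",
    "--disable-improved-download-protection": "weakens Safe Browsing download checks",
    "--disable-web-security": "turns off the same-origin policy",
    "--proxy-server": "forces all traffic through a chosen proxy",
}

# Heuristic (this example's assumption): an extension directory in a
# user-writable location is what a dropper running as the user can create.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def split_windows_cmdline(cmdline):
    """Split on unquoted whitespace, honouring double quotes anywhere in an
    argument so --load-extension="C:\\Dir With Spaces" stays one token.
    Quotes are dropped, backslashes kept literally. Deliberately simpler than
    CommandLineToArgvW; it is enough for shortcut arguments."""
    tokens, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def analyse_shortcut(cmdline):
    """Return a finding for one shortcut command line: whether the target is
    chrome.exe, which suspicious switches it carries, which extension
    directories are sideloaded, and which of those are user-writable."""
    tokens = split_windows_cmdline(cmdline)
    target = tokens[0] if tokens else ""
    finding = {
        "target": target,
        "is_chrome": target.lower().rsplit("\\", 1)[-1] == "chrome.exe",
        "switches": [],
        "extensions": [],
        "user_writable_extensions": [],
    }
    for tok in tokens[1:]:
        name, _, value = tok.partition("=")
        name = name.lower()
        if name not in SUSPICIOUS_SWITCHES:
            continue
        finding["switches"].append(name)
        if name == "--load-extension":
            # --load-extension accepts a comma-separated list of directories.
            for path in filter(None, value.split(",")):
                finding["extensions"].append(path)
                if any(m in path.lower() for m in USER_WRITABLE_MARKERS):
                    finding["user_writable_extensions"].append(path)
    finding["tampered"] = finding["is_chrome"] and bool(finding["switches"])
    return finding


def scan_shortcuts(shortcuts):
    """shortcuts: mapping of shortcut path -> launched command line.
    Returns only the Chrome shortcuts that carry suspicious switches."""
    findings = {path: analyse_shortcut(cmd) for path, cmd in shortcuts.items()}
    return {path: f for path, f in findings.items() if f["tampered"]}


# Constructed sample shortcuts. The first reproduces the command line quoted in
# the article; the other two are clean shortcuts a real machine might carry.
SAMPLE_SHORTCUTS = {
    r"C:\Users\<USER>\Desktop\Google Chrome.lnk":
        r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" '
        r'--disable-extensions-file-access-check --always-authorize-plugins '
        r'--disable-improved-download-protection '
        r'--load-extension="C:\Users\<USER>\AppData\Local\complemento\E1EDEAE8EFE3E0EEE0DC2610495"',
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk":
        r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"',
    r"C:\Users\<USER>\Desktop\Work profile.lnk":
        r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --profile-directory="Profile 1"',
}

if __name__ == "__main__":
    for path, finding in scan_shortcuts(SAMPLE_SHORTCUTS).items():
        print(f"TAMPERED: {path}")
        for switch in finding["switches"]:
            print(f"  {switch}: {SUSPICIOUS_SWITCHES[switch]}")
        for ext in finding["user_writable_extensions"]:
            print(f"  sideloaded extension in user-writable directory: {ext}")
```

On a live Windows host the target and arguments of each .lnk can be read through the WScript.Shell COM object (in PowerShell, `(New-Object -ComObject WScript.Shell).CreateShortcut($path)` exposes `.TargetPath` and `.Arguments`); concatenating the two, with the target quoted, gives the input this script expects. Note that only the `--load-extension` switch is strictly needed to sideload the extension; the other three widen what the extension may do and are a strong tell on their own, since no legitimate installer sets them.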

According to Marinho, the campaign currently appears to be limited to Portuguese-speaking countries, including Brazil: not only is the message written in Portuguese, but some artefacts, such as the directory names found on compromised computers, suggest the attacks originated in Brazil.

Marinho also noted that this is an ongoing campaign that is bound to claim more victims. He further stated that transport security such as TLS/SSL cannot protect victims, because the extension captures the data in clear text inside the browser, before it is sent over the HTTPS connection.

Supply: SANS
