    New Malware Targets 300,000 Users with Malicious Chrome and Edge Extensions

    A large-scale malware campaign has been detected, installing rogue Google Chrome and Microsoft Edge extensions through a trojan spread via fake websites that mimic popular software platforms.

    According to the ReasonLabs research team, “The trojan malware includes various components, from basic adware extensions that hijack search engines to more advanced malicious scripts that deploy local extensions designed to steal private data and execute different commands.”

    “This trojan, active since 2021, originates from counterfeit download websites that offer add-ons for online games and videos.”

    The malware and its associated extensions have collectively affected at least 300,000 users of Google Chrome and Microsoft Edge, highlighting the widespread impact of this activity.

    The campaign primarily relies on malvertising to promote fake websites that appear to offer well-known software like Roblox FPS Unlocker, YouTube, VLC media player, Steam, or KeePass. These sites deceive users searching for these programs, leading them to download a trojan that subsequently installs malicious browser extensions.

    The malicious installers, which are digitally signed, create a scheduled task that runs a PowerShell script. That script downloads the next-stage payload from a remote server and executes it, so the persistence lives in the Task Scheduler rather than in the installer itself.

    Part of the attack involves altering the Windows Registry to force the installation of extensions from the Chrome Web Store and Microsoft Edge Add-ons. Chrome and Edge both honour an enterprise force-install policy (ExtensionInstallForcelist) that is set through Registry policy keys; an extension installed that way is shown as managed by the organisation and cannot be removed from the browser's extensions page. These extensions hijack search queries on Google and Microsoft Bing, redirecting them through servers controlled by the attackers.

    “The user cannot disable these extensions, even with Developer Mode turned ‘ON’,” ReasonLabs noted. “In fact, newer versions of the script prevent browser updates.”
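    The following triage script is an added example, not code from the article or from ReasonLabs. It enumerates the three kinds of artifact the preceding paragraphs describe on a Windows host: extensions force-installed through the Chrome and Edge policy keys, scheduled tasks whose action launches PowerShell with a download or encoded command, and Registry policies that block browser updates. The policy paths are the documented Chrome/Edge and Google Update/Edge Update locations; the update-blocking check is an assumption about one common mechanism, since the article does not say how the script stops updates.

```powershell
# Added triage script (not from the article or ReasonLabs). Run in an elevated
# PowerShell on the suspect host. Registry paths are the documented Chrome/Edge
# policy locations; the update-policy section is an assumed mechanism.

$forceListKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)

Write-Host '== Extensions force-installed through policy =='
foreach ($key in $forceListKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        # Each value holds "<32-char extension id>;<update URL>"
        $id, $url = ($item.GetValue($name) -split ';', 2)
        [PSCustomObject]@{ Key = $key; ExtensionId = $id; UpdateUrl = $url }
    }
}

Write-Host '== Scheduled tasks launching PowerShell with download/encoded commands =='
# Cmdlets and switches commonly seen in a downloader stage; tune for your estate.
$suspiciousArgs = 'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\bIEX\b|-enc\b|-EncodedCommand|FromBase64String'
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only Exec actions carry Execute/Arguments; other action types yield $null here
        if ($action.Execute -match 'powershell|pwsh' -and $action.Arguments -match $suspiciousArgs) {
            [PSCustomObject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Author   = $task.Author
                Command  = "$($action.Execute) $($action.Arguments)"
            }
        }
    }
} | Format-List

Write-Host '== Browser update policies (assumed blocking mechanism) =='
# UpdateDefault = 0 under these keys disables automatic updates for all apps
# managed by Google Update / Microsoft Edge Update.
$updateKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Update',
    'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'
)
foreach ($key in $updateKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS* | Format-List
    }
}
```

    On a host where the policy keys are populated, chrome://policy and edge://policy will list the same ExtensionInstallForcelist entries with their source as the machine or user platform policy. Deleting the policy values (and the update-blocking values, if present) is what restores the user's ability to remove the extension and lets the browser update again; removing the extension alone does nothing while the policy remains, because the browser reinstalls it on the next policy refresh.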

    The malware also installs a local extension directly from a command-and-control (C2) server. This extension has extensive capabilities, such as intercepting all web requests and sending them to the server, receiving commands and encrypted scripts, and injecting scripts into all web pages.

    Additionally, it hijacks search queries from Ask.com, Bing, and Google, routing them through its own servers before redirecting them to other search engines.

    This isn’t the first time similar campaigns have been observed. In December 2023, a cybersecurity company reported another Trojan installer distributed through torrents, which installed malicious web extensions disguised as VPN apps. These extensions were actually intended to carry out a “cashback activity hack.”
