
New malware targets 300,000 users via rogue Chrome and Edge extensions

August 10, 2024 | Ravi Lakshmanan | Browser Security / Online Scams


A widespread malware campaign has been observed installing rogue Google Chrome and Microsoft Edge browser extensions via a Trojan that is distributed through fake download websites posing as popular software.

“The Trojan malware contains various components, from simple advertising extensions that hijack searches to more sophisticated malicious scripts that deliver local extensions to steal private data and execute various commands,” the ReasonLabs research team stated in its analysis.

“This Trojan malware, existing since 2021, comes from imitating download websites with add-ons for online games and movies.”


The malware and extensions have a combined reach of at least 300,000 Google Chrome and Microsoft Edge users, indicating that the activity is widespread.

The campaign relies on malicious ads to promote fake websites that offer downloads of well-known software such as Roblox FPS Unlocker, YouTube, VLC media player, Steam, and KeePass. The goal is to trick users searching for these programs into downloading a Trojan that serves as the conduit for installing the browser extensions.

The digitally signed malicious installers register a scheduled task that is configured to execute a PowerShell script; that script downloads the next-stage payload from a remote server and executes it.


The next stage modifies the Windows registry to force-install extensions from the Chrome Web Store and the Microsoft Edge Add-ons store. These extensions hijack search queries submitted to Google and Microsoft Bing and redirect them through attacker-controlled servers.
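The two host-side footholds described above (a scheduled task that launches a PowerShell download cradle, and a registry change that force-installs extensions) are both cheap to audit. The following script is an added example written for this page; it is not code from the ReasonLabs report or from the campaign. It assumes the registry change uses the ExtensionInstallForcelist policy that Chrome and Edge both honour under HKLM\SOFTWARE\Policies (and the per-user HKCU mirror), which is the standard mechanism for installing an extension the user cannot remove; the article does not name the exact value the malware writes. The command-line indicators used to flag tasks are heuristics chosen here, not indicators published with the report. Run it from an elevated PowerShell prompt on the Windows host being checked.

```powershell
# Added audit script (not from the article or the ReasonLabs report). Checks:
#   1. force-install extension policies for Chrome and Edge (assumed mechanism:
#      the ExtensionInstallForcelist policy under HKLM/HKCU\SOFTWARE\Policies),
#   2. scheduled tasks whose action runs PowerShell with download or
#      encoded-command arguments (heuristic patterns chosen for this example).

$forceListKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)

function Get-ForcedExtensions {
    foreach ($key in $forceListKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        # Each policy value is a numbered string "<extension id>;<update URL>".
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -match '^PS') { continue }   # skip provider metadata (PSPath etc.)
            $id, $updateUrl = ([string]$prop.Value -split ';', 2)
            [pscustomobject]@{
                PolicyKey   = $key
                ValueName   = $prop.Name
                ExtensionId = $id
                UpdateUrl   = $updateUrl
            }
        }
    }
}

function Get-SuspiciousPowerShellTasks {
    # Command-line fragments typical of a download cradle or an obfuscated
    # payload; tune for your environment.
    $patterns = 'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|' +
                'Invoke-RestMethod|\birm\b|-enc|FromBase64String|https?://'
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry Execute/Arguments; other action types yield empty strings.
            $exe       = [string]$action.Execute
            $arguments = [string]$action.Arguments
            if ($exe -notmatch 'powershell|pwsh') { continue }
            if ($arguments -match $patterns) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Author    = $task.Author
                    State     = $task.State
                    Execute   = $exe
                    Arguments = $arguments
                }
            }
        }
    }
}

$forced = @(Get-ForcedExtensions)
$tasks  = @(Get-SuspiciousPowerShellTasks)

if ($forced.Count -eq 0) {
    'No force-installed extension policies found.'
} else {
    'Force-installed extension policies (compare against your managed-extension baseline):'
    $forced | Format-Table -AutoSize
}

if ($tasks.Count -eq 0) {
    'No scheduled tasks with PowerShell download/encoding indicators.'
} else {
    'Scheduled tasks launching PowerShell with download/encoding indicators:'
    $tasks | Format-Table -Wrap
}
```

On a domain-joined or MDM-managed machine, legitimately deployed extensions also appear in the force list, so treat any entry that is not in your enterprise baseline as the finding, not the presence of the key itself. Once an unwanted entry is confirmed, removing the policy value (Remove-ItemProperty on the listed key and value name) lets the browser drop the extension on its next policy refresh, and the flagged task should be unregistered at the same time so the installer chain is not simply re-run.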

“The extension cannot be disabled by the user, even with developer mode enabled,” ReasonLabs said. “Newer versions of the script remove browser updates.”

The script also loads a local extension downloaded directly from the command-and-control (C2) server. This extension has extensive capabilities: it can intercept all network requests and send them to the server, receive commands and encrypted scripts, and inject and load scripts on every page.


What’s more, it intercepts search queries submitted to Ask.com, Bing, and Google, routes them through its own servers, and only then forwards them on to other search engines.

This isn’t the first time similar campaigns have been observed in the wild. In December 2023, the cybersecurity firm described another Trojan installer delivered via torrents that installs malicious web extensions that disguise themselves as VPN apps but are actually designed to perform “cashback hacking.”
