August 10, 2024Ravie LakshmananBrowser Security / Online Fraud

There is a widespread malware campaign underway involving the installation of fake extensions for Google Chrome and Microsoft Edge via a trojan distributed through fake websites masquerading as popular software.

“The trojan malware contains various outputs, from simple adware extensions that hijack search queries to more advanced malicious scripts that deliver local extensions to steal private data and execute various commands,” the ReasonLabs research team said in an analysis.

“This trojan malware has been around since 2021 and comes from imitations of download websites with add-ons for online games and videos.”

The malware and its extensions together have a reach of at least 300,000 Google Chrome and Microsoft Edge users, indicating that the activity has a broad impact.

The core of the campaign is the use of malvertising to trick similar websites promoting well-known software such as Roblox FPS Unlocker, YouTube, VLC Media Player, Steam or KeePass into tricking users searching for these programs into downloading a Trojan, which then serves as a channel for the installation of the browser extensions.

The digitally signed malicious installers register a scheduled task which in turn is configured to execute a PowerShell script responsible for downloading and executing the next stage of the payload retrieved from a remote server.

This involves modifying the Windows registry to force installation of extensions from the Chrome Web Store and Microsoft Edge Add-ons. These extensions can hijack Google and Microsoft Bing searches and redirect them through attacker-controlled servers.

“The extension cannot be disabled by the user, even with developer mode ‘ON’,” ReasonLabs said. “Newer versions of the script will remove browser updates.”

It also launches a local extension that is downloaded directly from a command-and-control (C2) server and provides extensive capabilities to intercept all web requests and send them to the server, receive commands and encoded scripts, and inject and load scripts into all pages.

Additionally, it hijacks search queries from Ask.com, Bing and Google and forwards them through the company’s servers to other search engines.

This isn’t the first time similar campaigns have been spotted in the wild. In December 2023, the cybersecurity firm described another torrent-delivered Trojan installer that installs malicious web extensions posing as VPN apps but in reality designed to perform a “cashback activity hack.”