Security researchers at ReasonLabs have discovered a new widespread, ongoing polymorphic malware campaign that forcefully installs malicious browser extensions at endpoints.
The installer and extensions, which are spreading globally, have impacted at least 300,000 users across Google Chrome and Microsoft Edge, modifying the browser’s executables to hijack homepages and steal browsing history.
The trojan, which typically evades antivirus tools, carries payloads ranging from simple adware extensions that hijack searches to more complex malicious scripts that drop locally loaded extensions to steal private data and execute commands on infected devices.
The campaign has been active since 2021 and originates from imitation websites offering downloads and add-ons for online games and videos.
How Does The Malware Work?
ReasonLabs said the infection starts when a victim downloads a software installer from a fake website promoted through malvertising in Google Search results. The ads imitate download sites for software such as Roblox FPS Unlocker, YouTube, VLC Media Player, or KeePass. The executables downloaded from these fake sites make no attempt to install the advertised software and instead deploy the trojan.
“Once a user downloads the program from the lookalike website, the program registers a scheduled task using a pseudonym that follows the pattern of a PowerShell script file name, like Updater_PrivacyBlocker_PR1, MicrosoftWindowsOptimizerUpdateTask_PR1, and NvOptimizerTaskUpdater_V2”, say ReasonLabs researchers.
“It’s configured to run a PowerShell script with a similar-looking name ‘-File C:/Windows/System32/NvWinSearchOptimizer.ps1’. The PowerShell script downloads a payload from a remote server and executes it on the machine.”
The PowerShell script is dropped into the System32 folder; when the scheduled task runs it, it fetches a second-stage script from the command-and-control server and executes it directly in memory. That second stage adds registry values that force the browser to install the malicious extensions. The extensions intercept search queries and route them through the adversary’s search portal, and they do not appear on the browser’s extensions page, even with Developer Mode turned on.
Because the extensions are pushed through Chrome and Edge policy registry keys rather than installed by the user, they are much harder to disable through the regular browser settings (a policy-installed extension cannot be removed from the extensions page). The extensions perform several malicious activities, including hijacking searches from well-known search engines and redirecting them through attacker-controlled domains before finally displaying results from legitimate engines such as Yahoo or Bing.
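The persistence chain described above (scheduled task with a fake updater name, a .ps1 file in System32, and registry values that force-install extensions) can be hunted for on a single endpoint with the following triage script. This is an added example, not code from ReasonLabs or TechViral. The task-name and script-name patterns come from the article; the ExtensionInstallForcelist policy keys are an assumption, since the article says only that registry values force the installation without naming the keys.

```powershell
# Added triage example (not ReasonLabs or TechViral code). It looks for the
# persistence chain described in the article on a Windows endpoint:
#   1. a scheduled task with a pseudonym such as Updater_PrivacyBlocker_PR1,
#      MicrosoftWindowsOptimizerUpdateTask_PR1 or NvOptimizerTaskUpdater_V2,
#      or any task that launches a .ps1 file from System32;
#   2. loose .ps1 files in System32;
#   3. extensions forced in through the ExtensionInstallForcelist policy keys
#      (assumption: these are the registry keys the "force installation"
#      refers to; the article does not name them).
# Run from an elevated PowerShell prompt.

$findings = New-Object System.Collections.Generic.List[object]

# 1. Scheduled tasks
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
        $nameLooksFake   = $task.TaskName -match '(Updater|Optimizer).*_(PR|V)\d+$'
        $runsSystem32Ps1 = $cmd -match '(?i)-File\s+"?[A-Z]:[\\/]Windows[\\/]System32[\\/][^"\s]+\.ps1'
        if ($nameLooksFake -or $runsSystem32Ps1) {
            $findings.Add([pscustomobject]@{
                Type   = 'ScheduledTask'
                Name   = "$($task.TaskPath)$($task.TaskName)"
                Detail = $cmd
            })
        }
    }
}

# 2. PowerShell scripts dropped directly into System32 (Windows itself does
#    not keep loose .ps1 files there)
foreach ($file in Get-ChildItem -Path "$env:SystemRoot\System32" -Filter '*.ps1' -File -ErrorAction SilentlyContinue) {
    $findings.Add([pscustomobject]@{
        Type   = 'System32Script'
        Name   = $file.FullName
        Detail = "LastWrite=$($file.LastWriteTime) Size=$($file.Length)"
    })
}

# 3. Policy-forced extensions. Each value is "<extension id>;<update url>".
#    Anything your own management tooling did not push is suspect, and so is
#    an update URL that is not the vendor's store endpoint.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
$storeHosts = @('clients2.google.com', 'edge.microsoft.com')
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PSPath, PSChildName, ...
        $extId, $updateUrl = "$($prop.Value)" -split ';', 2
        $updateHost = $null
        try { $updateHost = ([uri]$updateUrl).Host } catch { }
        $findings.Add([pscustomobject]@{
            Type   = 'ForceInstalledExtension'
            Name   = $extId
            Detail = "$key update_url=$updateUrl vendor_store=$($storeHosts -contains $updateHost)"
        })
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

A hit in section 3 is not proof of infection on a managed fleet, because legitimate enterprise tooling uses the same force-install keys; compare the extension IDs against the list your own policy pushes. A hit in section 1 or 2 on a workstation is far harder to explain away.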
ReasonLabs reports that the trojan’s most recent iterations patch core browser DLL files used by Google Chrome and Microsoft Edge so that the browser’s homepage and default search point to a site under the threat actor’s control, such as https://microsearch[.]me/.
“The purpose of this script is to locate the DLLs of the browsers (msedge.dll if Edge is the default one) and to change specific bytes in specific locations within it,” explains ReasonLabs.
“Doing so allows the script to hijack the default search from Bing or Google to the adversary’s search portal. It checks which version of the browser is installed and searches the bytes accordingly.”
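The DLL patching described above has a simple integrity check. Chrome and Edge ship Authenticode-signed DLLs, so changing bytes inside msedge.dll or chrome.dll breaks the file hash covered by the signature, and Windows reports HashMismatch instead of Valid. The following is an added example, not ReasonLabs code; it assumes the default per-machine install paths, and the list of roots is an assumption to adjust for your estate.

```powershell
# Added example, not ReasonLabs code. Chrome and Edge ship Authenticode-signed
# DLLs, so a byte patch of the kind described in the article breaks the file
# hash that the signature covers: Get-AuthenticodeSignature then reports
# HashMismatch instead of Valid. Assumption: default per-machine install
# paths; add your own $roots entries for per-user installs (e.g. under
# $env:LOCALAPPDATA).

$roots = @(
    "$env:ProgramFiles\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application",
    "$env:ProgramFiles\Microsoft\Edge\Application",
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application"
)
# chrome.dll / msedge.dll hold the bulk of the browser logic and live in a
# version-numbered subfolder (e.g. ...\Application\<version>\).
$targets = @('chrome.dll', 'msedge.dll')

$report = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($dll in Get-ChildItem -Path $root -Recurse -Include $targets -File -ErrorAction SilentlyContinue) {
        $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
        [pscustomobject]@{
            File     = $dll.FullName
            Status   = $sig.Status                     # Valid, HashMismatch, NotSigned, ...
            Signer   = $sig.SignerCertificate.Subject  # expect Google LLC / Microsoft Corporation
            Tampered = ($sig.Status -ne 'Valid')
        }
    }
}
$report | Format-Table -AutoSize -Wrap
```

A Valid status only proves the file is unmodified since it was signed, not that it is the build the installer shipped; when in doubt, compare the file version and hash against a known-good copy of the same browser release. Because the malware targets specific byte offsets per browser version, the patch is also undone by any browser update or reinstall that replaces the DLL, which is why a clean reinstall is the simplest remediation for this part of the infection.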
The ReasonLabs Research Team alerted Google and Microsoft promptly upon discovering the campaign. Microsoft has since removed all the identified malicious extensions from its Edge Add-ons Store, but some of the implicated extensions remain on the Google Chrome Web Store.
Users are advised to install extensions only from trusted sources, to be wary of software downloads from unfamiliar websites, and to keep antivirus software up to date. On a machine that is already infected, removing the extension alone is not enough: the scheduled task, the script in System32, and the registry values that force-install the extension also have to be removed, and a patched browser DLL should be restored, most simply by reinstalling the browser.
The post New Trojan Malware Affects 300,000 Chrome & Edge Users appeared first on TechViral.