Three malicious Chrome extensions posing as VPN infected were downloaded 1.5 million times, acting as browser hijackers, cashback hack tools, and data stealers.
According to ReasonLabs, which discovered the malicious extensions, they are spread via an installer hidden in pirated copies of popular video games like Grand Theft Auto, Assassins Creed, and The Sims 4, which are distributed from torrent sites.
ReasonLabs notified Google of its findings, and the tech giant removed the offending extensions from the Chrome Web Store, but only after those had amassed a total of 1.5 million downloads.
Specifically, the malicious extensions were netPlus, netSave, and netWin.
Most infections are in Russia and countries like Ukraine, Kazakhstan, and Belarus, so the campaign appears to target Russian-speaking users.
ReasonLabs discovered over a thousand distinct torrent files that deliver the malicious installer file, which is an electron app measuring between 60MB and 100MB in size.
The installation of the VPN extensions is automatic and forced, taking place on the registry level, and does not involve the user or require any action on the victim's side.
Eventually, the installer checks for antivirus products on the infected machine, then drops netSave on Google Chrome and netPlus on Microsoft Edge, covering either use case.
The malicious extensions use a realistic VPN user interface with some functionality and a paid subscription option to create a sense of authenticity.
ReasonLabs points out that the abuse of the 'offscreen' permission enables the malware to run scripts through the Offscreen API and stealthily interact with the web page's current DOM. This extensive access to the DOM enables the extensions to steal sensitive user data, perform browsing hijacks, manipulate web requests, and even disable other extensions installed on the browser.
Another function of the extension is to disable other cashback and coupon extensions to eliminate competition on the infected device and redirect profits to the attackers.
The extensions' communication with the C2 servers involves data exchange concerning instructions and commands, IDing the victim, exfiltrating sensitive data, and more.
This report highlights the massive security issues around web browser extensions, many of which are highly obfuscated to make it harder to determine what behavior they exhibit.
For this reason, you should routinely check the extensions installed in your browser and check for new reviews in the Chrome Web Store to see if others are reporting malicious behavior.
Microsoft: Hackers target defense firms with new FalseFont malware.
New Web injections campaign steals banking data from 50,000 people.
Rhadamanthys Stealer malware evolves with more powerful features.
Qbot malware returns in campaign targeting hospitality industry.
Protect your data with $137 off on the top-rated Windscribe VPN..
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 22 Dec 2023 14:55:16 +0000