Trojan Malware Infiltrates Browser Extensions, Impacts 300,000 Users

The ReasonLabs Research Team has discovered a widespread polymorphic malware campaign that forcefully installs malicious extensions on endpoints. This campaign has been active since 2021 and has affected at least 300,000 users across Google Chrome and Microsoft Edge.

Web browser extensions, once a niche software category, have evolved into a significant sub-economy within the Internet industry. These extensions enhance user experience by adding functionalities to browsers like Chrome and Edge. However, with their popularity, they have also become prime targets for malicious actors who exploit this attack vector to deliver malware and steal sensitive data.

The identified malware campaign is polymorphic, meaning it can change its appearance to evade detection. It forcefully installs malicious extensions on users’ browsers, ranging from adware that hijacks search results to sophisticated scripts that steal private data and execute various commands.

Attack Flow and Techniques

1. Imitation Download Sites: Advertisers created fake download sites mimicking popular programs like Roblox FPS Unlocker, YouTube, VLC, or KeePass. These sites trick users into downloading executables that do not install the intended software but instead deploy trojans.
2. Scheduled Tasks: Once downloaded, the malware registers scheduled tasks under pseudonyms resembling PowerShell script names. These tasks run PowerShell scripts that download and execute payloads from remote servers.
3. Persistent Infection: The malware ensures persistence by creating folders in the system32 directory and adding registry values to force the installation of malicious extensions. These extensions hijack search queries, redirecting them through the attacker’s search engine and making them undetectable even with Developer Mode enabled.
4. Extension Control: The malicious extensions are forcefully installed via registry keys, making them impossible to disable through regular browser settings. They also tamper with browser shortcuts to load local extensions that further steal data and communicate with Command and Control (C2) servers.

At the time of writing, most antivirus engines do not detect the installer or the malicious extensions. Users have reported these extensions as viruses that reappear even after removal attempts.

The ReasonLabs Research Team has alerted Google and Microsoft about the issue, and they are taking appropriate measures. In the meantime, users are advised to be cautious about downloading software from unknown websites and to keep their antivirus software up to date.

Related Posts:

• New Chrome and Firefox malicious extensions prevent user removal to hijack browsers
• Malicious Chrome Extension Infects Over 100,000 Users
• Google prohibit the installation of Chrome extensions from third-party websites
• Google will ban all cryptocurrency mining extensions in the Chrome Store