John Jordan

Massive Malware Campaign Targets 300,000 Users with Rogue Chrome and Edge Extensions

A new malware campaign has compromised 300,000 users by installing rogue extensions on Google Chrome and Microsoft Edge browsers. The malware, distributed via fake websites, hijacks search queries and steals private data.


Key Takeaways

  • Malware Distribution: The malware is spread through fake websites mimicking popular software.

  • Extensions Installed: Rogue extensions are installed on Chrome and Edge browsers.

  • Search Hijacking: The malware hijacks search queries and redirects them through attacker-controlled servers.

  • Data Theft: The extensions steal private data and execute various commands.

  • Persistent Threat: The malware has been active since 2021.

Malware Distribution via Fake Websites

The malware campaign uses malvertising to promote lookalike websites that mimic popular software such as Roblox FPS Unlocker, YouTube, VLC media player, Steam, and KeePass. Users searching for these programs are tricked into downloading a trojan, which serves as a conduit for installing the rogue browser extensions.

Installation and Execution

The malicious installers are digitally signed and register a scheduled task to execute a PowerShell script. This script downloads and executes the next-stage payload from a remote server. The process includes modifying the Windows Registry to force the installation of extensions from the Chrome Web Store and Microsoft Edge Add-ons.
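The two persistence mechanisms described above (a scheduled task that launches PowerShell, and a registry change that force-installs extensions) both leave host artifacts an administrator can audit. The following PowerShell script is an added example for that audit and is not code from the article or from the campaign; it assumes the "force install" change uses the standard ExtensionInstallForcelist policy key that Chrome and Edge honour for extensions the user cannot disable or remove (the article does not name the key), and it should be run from an elevated prompt.

```powershell
# Added audit example (not from the article). Lists force-installed browser
# extensions set via policy and scheduled tasks that launch PowerShell with
# download or evasion flags, the two artifacts the campaign description implies.

# Assumption: the registry "force install" uses the standard policy key below.
$forcelistKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)

function Get-ForcedExtensions {
    foreach ($key in $forcelistKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        # Entries are numbered values of the form "<extension id>;<update url>".
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -match '^\d+$') {
                $id, $updateUrl = $prop.Value -split ';', 2
                [pscustomobject]@{ Key = $key; ExtensionId = $id; UpdateUrl = $updateUrl }
            }
        }
    }
}

function Get-SuspiciousPowerShellTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Flag tasks whose action runs powershell with download, encoded-command,
            # execution-policy-bypass or hidden-window arguments.
            if ($action.Execute -match 'powershell' -and
                $action.Arguments -match 'DownloadString|DownloadFile|Invoke-WebRequest|iwr|-enc|Bypass|Hidden') {
                [pscustomobject]@{
                    TaskName  = $task.TaskName; TaskPath = $task.TaskPath
                    Execute   = $action.Execute; Arguments = $action.Arguments
                }
            }
        }
    }
}

'== Force-installed extensions (policy) =='
Get-ForcedExtensions | Format-Table -AutoSize
'== Scheduled tasks launching PowerShell with download/evasion flags =='
Get-SuspiciousPowerShellTasks | Format-Table -AutoSize
```

On a machine that is not managed by enterprise policy, any entry in the force-install list deserves scrutiny, because nothing legitimate should be populating it; on a managed machine, compare the listed extension IDs against the IDs your policy actually deploys.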

Extension Capabilities

The rogue extensions come with extensive capabilities:

  • Intercepting Web Requests: The extensions can intercept all web requests and send them to a command-and-control (C2) server.

  • Receiving Commands: They can receive commands and encrypted scripts from the C2 server.

  • Injecting Scripts: The extensions can inject and load scripts into all web pages.

  • Hijacking Search Queries: They hijack search queries from Ask.com, Bing, and Google, funneling them through attacker-controlled servers.

Persistent and Evolving Threat

The malware has been active since 2021 and continues to evolve. Newer versions of the script also disable browser updates, and the force-installed extensions are difficult for users to disable, even with Developer Mode enabled. The campaign's broad reach shows how persistent and adaptable this threat has been.

Previous Similar Campaigns

This is not the first time such campaigns have been observed. In December 2023, a similar Trojan installer was delivered through torrents, installing malicious web extensions masquerading as VPN apps designed to run a "cashback activity hack."

The ongoing nature of these campaigns underscores the importance of vigilance and robust cybersecurity measures. At BetterWorld Technology, our team of cybersecurity experts is committed to safeguarding your business from evolving threats. We offer comprehensive solutions tailored to protect your data and infrastructure. Whether you need proactive monitoring, threat assessment, or incident response, BetterWorld Technology has the expertise to keep your business secure. Contact us today to learn how our cybersecurity services can fortify your defenses and give you peace of mind.
