New Malware Strikes 300,000 Users by Installing Rogue Chrome and Edge Extensions

Researchers have uncovered a widespread, multi-year malware campaign that downloads and installs hundreds of malicious Google Chrome and Microsoft Edge extensions after unsuspecting users are lured to decoy websites posing as legitimate software download pages. ReasonLabs researchers recently documented this trend and the implications it has for online security.


Type of Threat

The backbone of it all is a versatile trojan that can carry a wide array of payloads. ReasonLabs says its researchers have watched these payloads evolve from simple adware extensions that hijack search functionality to more complex scripts that steal private data and execute further destructive commands on an infected system. The campaign has been active since 2021, initially spreading from fake download websites that imitated those of popular apps related to online gaming and video streaming.

The campaign is believed to be widespread: it has affected at least 300,000 users of Google Chrome and Microsoft Edge. Figures of that size cannot simply be dismissed, because deceptions of this kind are clearly alarming.

Modus Operandi: Malvertising and Deceptive Downloads

Central to the operation is a technique called malvertising, in which fake advertisements push lookalike websites. These sites most often imitate the download pages of software that attracts large audiences, such as Roblox FPS Unlocker, YouTube, VLC Media Player, Steam, and KeePass. Users who believe they are fetching a legitimate download from one of these doppelganger websites are instead routed to the download of the trojan.

The package includes malicious installers that are digitally signed and that take steps to guarantee persistent control over infected systems. Once installed, the trojan creates a scheduled task that runs a PowerShell script responsible for downloading additional payloads from remote servers. This two-stage process keeps the malicious code largely out of sight while giving the trojan the ability to fetch and execute further malicious commands.

Compromising Browsers and User Data

The malware also modifies the Windows Registry to force the installation of rogue browser extensions from the Chrome Web Store and Microsoft Edge Add-ons. These extensions hijack the user's search queries on major platforms such as Google and Bing and redirect them through servers under the attackers' control. One telling sign of their malicious nature is that users cannot turn them off, even with Developer Mode enabled on the browser's extensions page.
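The two persistence points just described (a scheduled task that launches a PowerShell downloader, and registry policy that force-installs extensions) can be audited read-only from an elevated PowerShell prompt. This is an added example, not code from the ReasonLabs report; it assumes the forced installs go through the browsers' ExtensionInstallForcelist policy keys (the standard mechanism that prevents a user from disabling an extension), and the download-cmdlet pattern is a constructed heuristic.

```powershell
# Added, defender-side audit of the two persistence points the article describes.
# Assumption: rogue extensions are forced via the ExtensionInstallForcelist policy keys.
# Run from an elevated PowerShell prompt; nothing is modified.

# 1. Scheduled tasks that launch PowerShell with download cmdlets or encoded commands
#    (heuristic pattern constructed for this example; tune it for your environment).
$downloadPattern = 'Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|DownloadFile|WebClient|EncodedCommand|\s-enc?\s|FromBase64String'
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'powershell|pwsh' -and $cmd -match $downloadPattern) {
            [PSCustomObject]@{
                Finding = 'SuspiciousScheduledTask'
                Task    = $task.TaskPath + $task.TaskName
                Author  = $task.Author
                Command = $cmd
            }
        }
    }
}

# 2. Extensions force-installed through browser policy. Each value is "<id>;<update url>".
#    On a machine that is not enterprise-managed, the key existing at all is a finding.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* metadata properties that Get-ItemProperty adds to the object.
    foreach ($valueName in $props.PSObject.Properties.Name | Where-Object { $_ -notmatch '^PS' }) {
        $id, $updateUrl = [string]$props.$valueName -split ';', 2
        [PSCustomObject]@{
            Finding     = 'ForceInstalledExtension'
            PolicyKey   = $key
            ExtensionId = $id
            UpdateUrl   = $updateUrl
        }
    }
}
```

Any hit in the second section on an unmanaged home machine, or an update URL that is not the official store, is worth removing together with the task that planted it.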

Beyond these functions, the campaign also deploys a local extension downloaded directly from one of the C2 servers. Once active, this extension can intercept all web requests, which lets the attackers do far more than send commands or receive encrypted scripts: they can inject and load additional scripts into every webpage. This is highly hazardous, because it allows unauthorized monitoring of the user's activity and, potentially, the theft of sensitive information.
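An extension that intercepts every request and injects scripts into every page needs correspondingly broad permissions in its manifest, which makes the installed manifests a quick triage point. The script below is an added example, not part of the original report; it assumes the browsers' default profile locations and a constructed list of permissions that widen an extension's reach.

```powershell
# Added, defender-side triage of installed Chrome/Edge extension manifests for the
# permissions needed to intercept all web requests and inject scripts everywhere.
# Assumption: the "Default" profile; other profiles live beside it under "User Data".
$broadPermissions = @('webRequest', 'webRequestBlocking', 'declarativeNetRequest',
                      'scripting', 'debugger', 'proxy', '<all_urls>', '*://*/*')
$extensionRoots = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Extensions"
)
foreach ($root in $extensionRoots) {
    if (-not (Test-Path $root)) { continue }
    # Layout is Extensions\<extension id>\<version>\manifest.json
    Get-ChildItem -Path "$root\*\*\manifest.json" | ForEach-Object {
        $manifest = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
        # Collect everything that widens reach: API permissions, host permissions
        # and the match patterns of content scripts (MV2 and MV3 manifests).
        $granted = @()
        $granted += $manifest.permissions
        $granted += $manifest.host_permissions
        foreach ($cs in $manifest.content_scripts) { $granted += $cs.matches }
        $hits = @($granted | Where-Object { $_ -in $broadPermissions })
        if ($hits.Count -gt 0) {
            [PSCustomObject]@{
                Finding     = 'BroadExtensionPermissions'
                ExtensionId = $_.Directory.Parent.Name
                Name        = $manifest.name      # may be a __MSG_ localisation key
                Version     = $manifest.version
                Permissions = ($hits -join ', ')
            }
        }
    }
}
```

Legitimate ad blockers and password managers also carry several of these permissions, so treat a hit as a prompt to check the extension's origin and update URL rather than as proof of compromise.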

Broadening the Range of Victims

The implications of the campaign do not end with the individual user; they extend to the institutional context, where an infected browser can translate into much larger cybersecurity problems. The malware's ability to manipulate search results and redirect traffic opens significant room for phishing, since a user can be unknowingly steered to malicious websites that harvest personal information or quietly load further malware.

Indeed, this is not the first campaign of its kind: a similar trojan installer was reported in December 2023 as part of a delivery chain that used torrents. That earlier campaign installed malicious web extensions posing as a VPN application, which were ultimately used to carry out a "cashback activity hack," a clear illustration of how these actors constantly change tactics.

Conclusion

This massive malware campaign is another reminder of the perils of our increasingly digital lives. Caution is required when downloading software and browsing the Internet, because cybercriminal strategies never stop evolving and growing more sophisticated. Cybersecurity experts already ask this of every person and organization: put effective security measures in place, such as regularly reviewing browser configurations, running a trusted antivirus product, and understanding the methods that threats use.

Understanding the nature of these malware campaigns is vital to building effective defenses. As cyber threats grow more pervasive, being forewarned and proactive may be what secures a safe browsing experience and protects personal data. The ongoing work of cybersecurity researchers and organizations will remain essential, both for combating these threats and for offering actionable insight into sound preventive strategies.
