Ongoing Malware Campaign Exploits Fake Websites to Distribute Rogue Browser Extensions


Introduction

A widespread malware campaign has been actively installing rogue extensions for Google Chrome and Microsoft Edge through a trojan distributed via counterfeit websites. These fake websites pose as legitimate sources for popular software, tricking users into downloading malicious content. This article delves into the mechanics of the campaign, the impact it has had on users, and recommended measures for mitigating the threat.

The Trojan Malware and Its Impact

The trojan malware, in operation since 2021, is primarily distributed through imitation download websites that offer add-ons for online games, videos, and other popular software. The malware has a broad reach, affecting over 300,000 users of Google Chrome and Microsoft Edge. The malware’s payloads range from simple adware that hijacks search queries to more sophisticated scripts that install browser extensions capable of stealing private data and executing various commands.

Malvertising and Distribution Tactics

At the core of this campaign is the use of malvertising—advertisements that promote lookalike websites. These websites mimic well-known software platforms such as Roblox FPS Unlocker, YouTube, VLC Media Player, Steam, and KeePass. Users searching for these programs are duped into downloading a trojan that serves as a conduit for installing malicious browser extensions.

Technical Execution and Persistence

The malware’s digitally signed installers register a scheduled task on the victim’s system. This task is configured to execute a PowerShell script that downloads and runs the next-stage payload from a remote server. The malware modifies the Windows Registry to force the installation of extensions from the Chrome Web Store and Microsoft Edge Add-ons. These extensions hijack search queries on Google and Bing, redirecting them through attacker-controlled servers.

Malicious Extensions and Their Capabilities

The rogue extensions, which cannot be disabled by the user—even with Developer Mode enabled—are particularly concerning. Newer versions of the script associated with the malware even prevent browser updates. The extensions have extensive capabilities, including intercepting all web requests, receiving commands and encrypted scripts, and injecting scripts into all pages. They also hijack search queries from Ask.com, Bing, and Google, funneling them through malicious servers before redirecting them to other search engines.

Recommendations for Affected Users

Users affected by this malware attack are strongly advised to take immediate action to mitigate the threat. Key steps include deleting the scheduled task that reactivates the malware daily, removing the associated Registry keys, and deleting specific files and folders from the system, including but not limited to:

  • C:\Windows\system32\Privacyblockerwindows.ps1
  • C:\Windows\system32\Windowsupdater1.ps1
  • C:\Windows\system32\Optimizerwindows.ps1
  • C:\Windows\InternalKernelGrid
  • C:\Windows\NvOptimizerLog
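The following host audit script is an added example and is not part of the original article or any vendor tooling. It checks a Windows system for the artifacts described above: the listed files and folders, any scheduled task whose action runs one of the listed scripts, and extensions force-installed through browser policy. Assumptions: the article does not name the scheduled task or the exact Registry keys, so tasks are matched by their action rather than by name, and the policy paths checked are the standard Chrome and Edge ExtensionInstallForcelist keys, which is the usual mechanism for forcing extension installs but is not confirmed by the article.

```powershell
# Added audit script (not from the original article). Read-only unless -Remove is given.
# Assumption: task names and Registry keys are not given in the article; tasks are
# matched by the script they launch, and the standard ExtensionInstallForcelist
# policy keys are checked as the presumed force-install mechanism.
param([switch]$Remove)

$Findings = @()

# 1. Files and folders named in the article
$Paths = @(
    "$env:SystemRoot\system32\Privacyblockerwindows.ps1",
    "$env:SystemRoot\system32\Windowsupdater1.ps1",
    "$env:SystemRoot\system32\Optimizerwindows.ps1",
    "$env:SystemRoot\InternalKernelGrid",
    "$env:SystemRoot\NvOptimizerLog"
)
foreach ($p in $Paths) {
    if (Test-Path -LiteralPath $p) {
        $Findings += "File/folder present: $p"
        if ($Remove) { Remove-Item -LiteralPath $p -Recurse -Force -ErrorAction SilentlyContinue }
    }
}

# 2. Scheduled tasks whose action launches one of the listed scripts (daily re-activation)
$ScriptNames = 'Privacyblockerwindows.ps1', 'Windowsupdater1.ps1', 'Optimizerwindows.ps1'
foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($ScriptNames | Where-Object { $cmd -like "*$_*" }) {
            $Findings += "Scheduled task '$($t.TaskPath)$($t.TaskName)' runs: $cmd"
            if ($Remove) { Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false }
        }
    }
}

# 3. Force-installed extensions via policy. Reported only, never removed automatically:
#    managed enterprise browsers legitimately use these keys, so review the IDs by hand.
$PolicyKeys = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
              'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
foreach ($k in $PolicyKeys) {
    if (Test-Path $k) {
        foreach ($name in (Get-Item $k).GetValueNames()) {
            $Findings += "Forced extension in ${k}: $(Get-ItemPropertyValue -Path $k -Name $name)"
        }
    }
}

if ($Findings) { $Findings | ForEach-Object { Write-Output $_ } }
else          { Write-Output 'No listed artifacts found.' }
```

Run it from an elevated PowerShell session first without -Remove to review the findings, and treat any force-installed extension ID that the organisation did not deploy as the extension to remove.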

Conclusion

This malware campaign is not an isolated incident; similar campaigns have been observed in the past, such as one in December 2023, where a trojan installer was distributed through torrents, masquerading as VPN apps. The persistence and evolving nature of these threats highlight the importance of vigilance and proactive cybersecurity measures. Users are encouraged to be cautious when downloading software from the internet and to regularly update their security protocols to protect against such attacks.
