A Large Scale Trojan Campaign

ReasonLabs identified a long-running polymorphic trojan campaign that force-installs malicious Chrome and Edge extensions by using fake installer sites, scheduled PowerShell tasks, registry policies, shortcut tampering, and DLL patching to hijack searches and persist. Over 300,000 users were impacted across Chrome and Edge with extensions such as Custom Search Bar, Micro Search, yglSearch, and Simple New Tab, while indicators include domains like wincloudservice[.]com and securedatacorner[.]com and signer Tommy Tech LTD. #CustomSearchBar #wincloudservice

Keypoints

  • A trojan distributed via lookalike download sites installs scheduled tasks that run PowerShell scripts from System32 to fetch and execute additional stages.
  • The PowerShell scripts add HKLM policies (ExtensionInstallForcelist) to force-install Chrome and Edge extensions that steal/search-redirect and cannot be disabled by users.
  • Malware tampers with browser .lnk startup arguments (--load-extension, disabling OutdatedBuildDetector) and may disable browser update services to maintain persistence.
  • Third-stage scripts patch browser DLLs (e.g., msedge.dll) to replace default search endpoints with adversary-controlled domains, causing chained redirects through malicious search sites.
  • Local obfuscated extensions dropped to folders like C:\Windows\InternalKernelGrid run background scripts (bg.js, bg_fallback.js, rc.js) to intercept requests, exfiltrate data, update rules, and hide from chrome://extensions.
  • Many extensions in official stores (Custom Search Bar, Micro Search, yglSearch, Simple New Tab) and related domains were used; detection by AV was poor at time of writing.
  • Removal requires deleting malicious scheduled tasks, removing ExtensionInstallForcelist registry entries, and deleting dropped folders/scripts (or using updated endpoint protection).

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – PowerShell scripts downloaded and executed from C2 to perform installation and further stages (“…the PowerShell script downloads a payload from a remote server and executes it on the machine.”)
  • [T1053] Scheduled Task/Job – Malware registers scheduled tasks (e.g., NvOptimizerTaskUpdater_V2) to run persistence PowerShell scripts (“SCHTASKS /Create /TN ‘NvOptimizerTaskUpdater_V2’ /SC HOURLY … powershell -File C:/Windows/System32/NvWinSearchOptimizer.ps1”).
  • [T1112] Modify Registry – Adds policies under HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist and HKLM\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist to force-install extensions (“Adds registry values to force the installation of extensions from the store … ExtensionInstallForcelist”).
  • [T1090] Proxy or VPN – Hijacks and redirects search queries through adversary-controlled search infrastructure (e.g., customsearchbar[.]me) to intercept and redirect user searches (“The extension steals search queries and redirects them through the adversary’s search.”)
  • [T1547] Boot or Logon Autostart Execution – Persistence via scheduled tasks and Registry keys that ensure scripts run and reapply forced extensions on restart (“The task… configured to run a PowerShell script… folder is created… where the rest of the files are dropped.”).
  • [T1105] Ingress Tool Transfer – Downloading of additional stages and extension files from C2 domains (e.g., wincloudservice[.]com/apps/$uid and securedatacorner[.]com) to local paths like C:\Windows\InternalKernelGrid (“downloads all of the files from the C2. It saves the files at a path… ‘C:\Windows\InternalKernelGrid’”).
  • [T1609] Container Injection / [T1574.001] Hijack Execution Flow: DLL modification – Third-stage script edits browser DLLs (msedge.dll) to change embedded search endpoints and hijack search behavior (“locate the DLLs of the browsers… and to change specific bytes … to hijack the default search”).
  • [T1036] Masquerading – Installer executables and folders use legitimate-looking names and signer Tommy Tech LTD to appear benign (“The installer is signed by Tommy Tech LTD… imitators of download websites”).
  • [T1566] Phishing (Drive-by Compromise) – Use of lookalike download websites (Roblox FPS Unlocker, YouTube, VLC, KeePass) to trick users into running malicious installers (“Advertisers implemented imitations of download sites… to deliver trojans”).

Indicators of Compromise

  • [Domain] C2 and distribution domains – wincloudservice[.]com, securedatacorner[.]com (used for /apps/$uid and downloading stages)
  • [Domain] Search and redirect domains – customsearchbar[.]me, microsearch[.]me, msf-console[.]com (used by extensions and DLL patches to redirect searches)
  • [File Path] Dropped local extension files/folders – C:\Windows\InternalKernelGrid (contains bg.js, config.js, manifest.json) and C:\Windows\NvOptimizerLog (malware working folder)
  • [Registry] Forced extension policy keys – HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist, HKLM\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist (contain the extension IDs to force-install)
  • [Scheduled Task] Persistence task example – NvOptimizerTaskUpdater_V2 (runs PowerShell: C:/Windows/System32/NvWinSearchOptimizer.ps1)
  • [Extension IDs] Malicious store extensions – nniikbbaboifhfjjkjekiamnfpkdieng (Custom Search Bar), nlmpchkfhgoclkajbifladignhbanjdk (yglSearch), fodkmcnpjapcffbmhelopfjhlmdmnbll (Simple New Tab)
  • [File Hashes] Example extension/script hashes (SHA1) – analytics.js: 52f2f69805f9790502eb36d641575d521c4606a2, bg.js: da037a7d75e88e4731afe6f3f4e9c36f90bf1854 (and many more hashes listed, including config.js variants)
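The persistence chain in the Keypoints (forced-install policy, System32 scheduled task, shortcut tampering, dropped folders) and the indicators listed above can be swept for on a single host with a read-only PowerShell triage script. The following is an added example and is not ReasonLabs' code or anything from the report: the task name, registry keys, folder paths, extension IDs and SHA1 hashes are taken from this summary, while the function names, the shortcut locations searched, and the argument pattern for detecting tampered browser shortcuts are this example's own assumptions. Run it in an elevated session.

```powershell
# Added example, not from the ReasonLabs report: read-only triage sweep for the
# persistence artifacts described in the summary. Run in an elevated PowerShell session.
# Task name, registry keys, folders, extension IDs and SHA1 hashes come from the
# summary; function names and the shortcut locations searched are assumptions.

$KnownBadExtensionIds = @(
    'nniikbbaboifhfjjkjekiamnfpkdieng',  # Custom Search Bar
    'nlmpchkfhgoclkajbifladignhbanjdk',  # yglSearch
    'fodkmcnpjapcffbmhelopfjhlmdmnbll'   # Simple New Tab
)
$KnownBadSha1 = @{
    'analytics.js' = '52f2f69805f9790502eb36d641575d521c4606a2'
    'bg.js'        = 'da037a7d75e88e4731afe6f3f4e9c36f90bf1854'
}
$ForcelistKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
$DroppedFolders = @('C:\Windows\InternalKernelGrid', 'C:\Windows\NvOptimizerLog')
$SuspiciousTaskName = 'NvOptimizerTaskUpdater_V2'

function New-Finding($Category, $Location, $Detail, [bool]$KnownBad) {
    [pscustomobject]@{ Category = $Category; Location = $Location; Detail = $Detail; KnownBad = $KnownBad }
}

# 1. Forced-install policy values: the mechanism that keeps users from disabling the extensions.
function Get-ForcedExtensionFindings {
    foreach ($key in $ForcelistKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not policy values
            $value = [string]$p.Value
            $id = ($value -split ';')[0]                     # values are "<extension id>;<update url>"
            New-Finding 'ForcedExtension' "$key\$($p.Name)" $value ($KnownBadExtensionIds -contains $id)
        }
    }
}

# 2. Scheduled tasks that run a PowerShell script dropped into System32.
function Get-SuspiciousTaskFindings {
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            $byName  = $task.TaskName -eq $SuspiciousTaskName
            $byShape = $cmd -match '(?i)powershell.*-File\s+\S*Windows[\\/]System32[\\/][^\s]+\.ps1'
            if ($byName -or $byShape) {
                New-Finding 'ScheduledTask' ($task.TaskPath + $task.TaskName) $cmd $byName
            }
        }
    }
}

# 3. Browser shortcuts whose arguments side-load an extension or disable update detection.
function Get-TamperedShortcutFindings {
    $shell = New-Object -ComObject WScript.Shell
    $roots = @("$env:PUBLIC\Desktop", "$env:USERPROFILE\Desktop",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
               "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar")
    foreach ($lnkFile in (Get-ChildItem -Path $roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue)) {
        $lnk = $shell.CreateShortcut($lnkFile.FullName)
        if ($lnk.TargetPath -match '(?i)(chrome|msedge)\.exe$' -and
            $lnk.Arguments -match '(?i)--load-extension|OutdatedBuildDetector') {
            New-Finding 'ShortcutArgs' $lnkFile.FullName $lnk.Arguments $true
        }
    }
}

# 4. Dropped folders, with SHA1 comparison against the hashes the report lists.
function Get-DroppedFileFindings {
    foreach ($folder in $DroppedFolders) {
        if (-not (Test-Path $folder)) { continue }
        New-Finding 'DroppedFolder' $folder 'folder present' $true
        foreach ($f in (Get-ChildItem -Path $folder -Recurse -File -ErrorAction SilentlyContinue)) {
            if ($KnownBadSha1.ContainsKey($f.Name)) {
                $sha1 = (Get-FileHash -Algorithm SHA1 -Path $f.FullName).Hash.ToLower()
                New-Finding 'DroppedFile' $f.FullName "sha1=$sha1" ($sha1 -eq $KnownBadSha1[$f.Name])
            }
        }
    }
}

$findings = @(Get-ForcedExtensionFindings) + @(Get-SuspiciousTaskFindings) +
            @(Get-TamperedShortcutFindings) + @(Get-DroppedFileFindings)
if ($findings.Count -eq 0) { 'No artifacts from the report were found on this host.' }
else { $findings | Sort-Object KnownBad -Descending | Format-Table -AutoSize -Wrap }
```

The script only reports. A KnownBad=true row is a direct match on an indicator from the summary; a KnownBad=false row (an unfamiliar forcelist entry, a System32-hosted .ps1 task) needs checking against the organization's real policy, because ExtensionInstallForcelist is also a legitimate Group Policy mechanism. Removal then follows the summary's steps: Unregister-ScheduledTask for the task, Remove-ItemProperty on the forcelist value, and Remove-Item on the dropped folders and the script in System32, followed by restoring the browser shortcuts and re-enabling the browser update service if the malware disabled it.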


Read more: https://reasonlabs.com/research/new-widespread-extension-trojan-malware-campaign