Extension Trojan Malware Campaign | ReasonLabs

ReasonLabs details a widespread polymorphic campaign that forcefully installs browser extensions via fake download sites, affecting hundreds of thousands of Chrome and Edge users. The attack chain uses PowerShell-based persistence, registry and shortcut hijacking to steal searches and data, while many AV engines fail to detect the installer or extensions. #ReasonLabs #Chrome #Edge #PowerShell #NvOptimizer #CustomSearchBar

Keypoints

  • Malicious extensions are installed via trojans originating from imitation download sites, affecting hundreds of thousands of users.
  • The malware uses PowerShell scripts to create scheduled tasks for persistence and to modify browser settings to hijack searches.
  • Most antivirus engines fail to detect the installer and the extensions, leaving users unaware of the threat.
  • The campaign modifies registry keys to force installation of extensions in Chrome and Edge and tampers with shortcuts to load local extensions.
  • The attackers communicate with a C2 to download stages and to receive parameters for file locations, extensions to install, and commands.
  • The local extension and DLL modifications hijack search engines and redirect queries through adversary-controlled sites.
  • ReasonLabs provides removal steps, defense recommendations, and multiple IOCs to help defend against this threat.

MITRE Techniques

  • [T1189] Drive-by Compromise – Adversaries use imitation download sites to deliver trojans. “Advertisers implemented imitations of download sites like Roblox FPS Unlocker, YouTube, VLC, or KeePass to deliver trojans”…
  • [T1059.001] PowerShell – Execution via PowerShell scripts to fetch and run payloads. “The PowerShell script downloads a payload from a remote server and executes it on the machine. It is important to note that the PowerShell script is written to the system32 folder.”…
  • [T1053.005] Scheduled Task – Persistence by creating recurring tasks with PowerShell-driven payloads. “registers a scheduled task using a pseudonym that follows the pattern of a PowerShell script file name, like Updater_PrivacyBlocker_PR1…”
  • [T1112] Modify Registry – Forcing extension installation via registry keys. “Adds registry values to force the installation of extensions from the store (HKLM:…ExtensionInstallForcelist)…”
  • [T1574.001] Hijack Execution Flow – Tampering with browser shortcuts to load a local extension. “Tampers with browser ‘.lnk’ files to load a local extension that it drops…”
  • [T1071.001] Web Protocols – C2 communication over HTTP to download stages and report status. “Communicate with CnC to report on the status and get the next stages to execute…”
  • [T1027] Obfuscated/Compressed Files and Information – Heavy obfuscation of downloaded scripts and extensions. “The local extension files are heavily obfuscated.”

Indicators of Compromise

  • [Domain] wincloudservice.com/apps/$uid – example of C2/domain used by the malware
  • [Domain] securedatacorner.com – C2 domain hosting stage payloads
  • [Domain] customsearchbar.me – used for browser-hijacking extension control
  • [Domain] yoursearchbar.me – related to force-installed extensions
  • [Domain] msf-console.com – used in the campaign’s infrastructure
  • [Domain] msf-edge.com – used in Edge-related components
  • [Extension ID] nlmpchkfhgoclkajbifladignhbanjdk – Chrome extension ID observed in campaigns
  • [Extension ID] nniikbbaboifhfjjkjekiamnfpkdieng – another Chrome extension ID linked to the same actor
  • [File hash] 3c3289569465f6888bb5f5d75995a12a9e8b9b8a, 0cdc202ba17c952076c37c85eece7b678ebaeef9, bf0eacb1afb00308f87159f67eb3f30d63e0cb62 – example file hashes of components
  • [File] C:\Windows\NvOptimizerLog – directory used during installation and staging
  • [Scheduled Task] NvOptimizerTaskUpdater_V2 – task name used to run the PowerShell payload
  • [Registry Key] HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist – key used to force-install extensions
  • [Registry Key] HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist – another key used for Edge extension force-install
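A host triage script covering the force-install policy keys, the task naming pattern, the shortcut tampering and the staging directory described in the keypoints, MITRE mapping and IOCs above; it is an added example, not ReasonLabs' tooling. Using Chromium's `--load-extension` switch as the marker of a tampered .lnk is an assumption, since the report only says the shortcuts are altered to load a local extension.

```powershell
# Run in an elevated PowerShell on the Windows host being checked.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Force-installed extensions via the policy keys named in the report.
#    Each value is "<extension id>;<update url>"; compare the id against the IDs reported.
$forceKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
$knownBadIds = @('nlmpchkfhgoclkajbifladignhbanjdk', 'nniikbbaboifhfjjkjekiamnfpkdieng')
foreach ($key in $forceKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip provider metadata (PSPath etc.)
        $id   = ([string]$p.Value -split ';')[0]
        $flag = if ($knownBadIds -contains $id) { 'KNOWN-BAD' } else { 'REVIEW' }
        $findings.Add("[$flag] $key -> $($p.Value)")
    }
}

# 2. Scheduled tasks matching the NvOptimizer / Updater_* naming pattern, with their actions.
Get-ScheduledTask | Where-Object { $_.TaskName -match 'NvOptimizer|Updater_' } | ForEach-Object {
    $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' | '
    $findings.Add("[TASK] $($_.TaskName) : $actions")
}

# 3. Chrome/Edge shortcuts whose arguments load a local extension
#    (assumption: the tampering adds --load-extension to the .lnk target arguments).
$wsh = New-Object -ComObject WScript.Shell
$lnkRoots = @(
    "$env:PUBLIC\Desktop", "$env:USERPROFILE\Desktop",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"
)
Get-ChildItem -Path $lnkRoots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $sc = $wsh.CreateShortcut($_.FullName)
    if ($sc.TargetPath -match 'chrome\.exe|msedge\.exe' -and $sc.Arguments -match '--load-extension') {
        $findings.Add("[LNK] $($_.FullName) : $($sc.Arguments)")
    }
}

# 4. Staging directory used during installation.
if (Test-Path 'C:\Windows\NvOptimizerLog') { $findings.Add('[DIR] C:\Windows\NvOptimizerLog exists') }

if ($findings.Count -eq 0) { 'No indicators from this campaign found.' } else { $findings }
```

A REVIEW hit on a force-install key is not proof of compromise on managed machines, where IT policy legitimately populates those keys; compare the update URL and extension ID against the organisation's own policy before removing anything.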

Read more: https://reasonlabs.com/research/new-widespread-extension-trojan-malware-campaign