Malicious Chrome Extension Steals ‘All Posted Data’ without Login Credentials

The trend of spreading adware, banking Trojans and malicious malware through compromised or fake browser extensions seems to be increasing. Lately, there have been quite a few incidents where malicious extensions were used to spread malware. Cybercriminals are not leaving any stone unturned into hijacking add-ons from popular browsers such as Google Chrome to fulfill their nasty objectives.

According to Morphus Labs’ chief officer Renato Marinho, another Google Chrome extension has been hijacked and being distributed to unsuspecting users via phishing emails. The malware can obtain all the information that is posted online by the user without going through extensive procedures.

This means, there is no need to click on an infected link, get login credentials or download apps and files to get the system compromised, which shows that hackers are constantly improvising their attack tactics. That’s why the malware has been named as Catch-All malware.

A phishing email containing links to pictures from a weekend event having a subject line in the Portuguese language serves as the infection vector of this campaign. The message reads:

“Segue as (Fotos Final de Semana) Enviadas via WhatsApp (30244)…. See the (Weekend Photos) Sent via WhatsApp (30244).”

This email seems to be sent through popular messaging application WhatsApp. The photo link contains malware dropper file titled as “whatsapp.exe, which if executed displays a fake Adobe PDF Reader install screen but downloads and unzips other files titled md0 and md1 after which the “md18102136.cab” file is executed. This file is 9.5 Mb zip-compressed and required uncompressing. When it is uncompressed, two large files of around 200 MB are released.

Catch-All Malware Steals All Posted Data without Using Malicious URLs or Login Credentials

When md0 file is executed, it disables Windows Firewall and kills all the processes of Google Chrome to install the malicious Catch-All extension written in JavaScript. When this is achieved, it extracts the extension and modifies Chrome launcher’s “.Ink” files to load it when the next time it is executed. All the data posted by the victim on any website is hijacked by the extension and sent to a C&C server through jQuery and Ajax connections.

The malware inserts the following content on the Google Chrome link file:

“C:\Program Files (x86)\Google\Chrome\Application\chrome.exe” –disable-extensions-file-access-check –always-authorize-plugins –disable-improved-download-protection –load-extension=”C:\Users\<USER>\AppData\Local\complemento\E1EDEAE8EFE3E0EEE0DC2610495.” Apart from loading the extension, it also disables key security features on the device to evade detection so that the infected extension is allowed to perform its functions easily.

According to Marinho, this campaign seems to be restricted to Portuguese speaking countries including Brazil currently, because not only the message is written in Portuguese but some of the features such as directory names found in compromised computers hints that the malware attacks started in Brazil.

Marinho also noted that this is an ongoing campaign that is bound to claim more victims. He further stated that browser security measures such as TLS or SSL cannot protect victims because the extension catches the data in clear text format from within the browser before sending it via an HTTPS connection.

Source: SANS

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.