Nigelthorm malware targets both Windows and Linux based devices.
Using malware infected Chrome browser extensions for targeting unsuspecting users has been observed to be the preferred attack method within the cybercriminal community nowadays. Recently, HackRead exclusively reported about the presence of malicious AdBlocker extensions used by over 20 million people.
The Facexworm and Digimine malware campaigns discovered in previous months are also a clear proof that for stealing user information, cybercriminals find distributing infected extensions of popular browsers to be a profitable technique — The immense popularity garnered by Google Chrome, which is evident from its over one billion user base, makes it a favorable choice for launching such campaigns.
7 Chrome extensions plagued with malware
According to the analysis of security firm Radware, nearly 7 Chrome extensions are plagued with the malicious zero-day, Nigelthorm malware. These include Nigelify, Fix-case, Divinity 2 Original Sin: Wiki Skill Popup, PwnerLike, Alt-j, keeprivate, and iHabno.
The malicious extensions are available on Google’s official Chrome store as well. The malware is named Nigelthorn for masquerading as the Nigelify extension that changes images with GIFs of Nigel Thorneberry.
Radware researchers identified Nigelify’s replica at one of their customers, which happens to be a global manufacturing firm. It is discovered that the malware has been active since March 2018 and has so far infected over 100,000 users in more than 100 countries. A majority of the targets (approx. 75%) are located in Venezuela, Philippines, and Ecuador while the remaining 25% are spread across 97 countries.
The malware has similar functionality as the Facexworm; when a Facebook user clicks on a URL that has been socially engineered already, they redirected to a fake YouTube page. There, the malicious Chrome extension is available for download.
When it lands on the user’s device, it communicates with the C&C server and downloads the payload to perform a variety of functions such as stealing Facebook credentials. It can also steal Instagram cookies, carry out YouTube fraud and further distribute the malware to other Facebook contacts of the victim.
An important aspect is that Nigelthorn can install crypto-miner scripts to mine cryptocurrency including Monero, Electronuem, and Bytecoin. So far, Radware reports, about $1000 worth crypto coins have been mined.
It is quite difficult to remove the malware from the system; Nigelthorn has the capability to close the extensions tab in case the user tries to remove the extension. It also makes it difficult for the user to use Facebook and Chrome cleanup tools.
Not only Windows but Linux users are also affected by Nigelthorn but the only browser that is currently exploited is Google Chrome. This means those who do not use Chrome will be protected from the malware.
Google was notified about the presence of not one or two but a group of seven malicious Chrome extensions and these have been removed from its official Chrome Store now. But we cannot yet claim for how long the Chrome browser will remain secure and how soon it will be targeted by hackers again.
This year, we have already reported about a number of malicious malware campaigns being launched through exploiting Chrome extensions. This particular campaign can be considered as the worst so far because it can use botnets for performing distributed-denial-of-service attacks (DDoS) for stealing data or initiating spam messages campaign.