Malware News Malware force-installs Chrome extensions on 300,000 browsers, patches DLLs

[Gandalf_The_Grey]

Content source

https://www.bleepingcomputer.com/news/security/malware-force-installs-chrome-extensions-on-300-000-browsers-patches-dlls/

An ongoing and widespread malware campaign force-installed malicious Google Chrome and Microsoft Edge browser extensions in over 300,000 browsers, modifying the browser's executables to hijack homepages and steal browsing history.

The installer and extensions, which are usually undetected by antivirus tools, are designed to steal data and execute commands on infected devices.

The campaign was discovered by researchers at ReasonLabs who warn that the threat actors behind it employ diverse malvertising themes to achieve initial infection.

ReasonLabs says the infection starts with the victims downloading software installers from fake sites promoted by malvertising in Google search results.

This malware campaign uses baits such as a Roblox FPS Unlocker, TikTok Video Downloader, YouTube downloader, VLC video player, Dolphin Emulator, and KeePass password manager.

The downloaded installers are digitally signed by 'Tommy Tech LTD' and successfully evade detection by all AV engines on VirusTotal at the time of its analysis by ReasonLabs.

Malware force-installs Chrome extensions on 300,000 browsers, patches DLLs

An ongoing and widespread malware campaign force-installed malicious Google Chrome and Microsoft Edge browser extensions in over 300,000 browsers, modifying the browser's executables to hijack homepages and steal browsing history.

www.bleepingcomputer.com

 

[oldschool]

I hate to call these victims idiots, but users should download apps only from trusted sources.

 

[Divine_Barakah]

I hate to call these victims idiots, but users should download apps only from trusted sources.

I found a great way to install software without heading to each app's website. I created a Softpedia account and added the apps I am using to my Watchlist. Whenever an app receives an update, I get notified via email. I head to Softpedia which gives direct links to download the apps from their official sources.

An example of Softpedia email notifications

Hello,

This is a quick message to let you know that "Internet Download Manager
(IDM)" has been updated on our website to version "6.42 Build 19".

A link to the program's page is included below for your convenience:
https://www.softpedia.com/get/Internet/Download-Managers/Internet-Download-Manager.shtml

--
Sincerely,
The Softpedia Team

http://www.softpedia.com/

Note: You are receiving this update notification because this
application is part of your Softpedia account's watchlist and the email
notifications option is enabled.

If you do not wish to receive emails for this program, please log on to
your Softpedia account and remove the corresponding subscription from
your watchlist.

Alternatively, you can stop receiving emails of this type by unchecking
the "Update notifications via email" option. You will still be able to
get updates through your personal RSS feed you can find in the same area
of the account.

 

[ForgottenSeer 114834]

I found a great way to install software without heading to each app's website. I created a Softpedia account and added the apps I am using to my Watchlist. Whenever an app receives an update, I get notified via email. I head to Softpedia which gives direct links to download the apps from their official sources.

An example of Softpedia email notifications

This method carries risks. To ensure safety and reliability, download exclusively from official channels. Avoid third-party applications/websites.

 

[Divine_Barakah]

This method carries risks. To ensure safety and reliability, download exclusively from official channels. Avoid third-party applications/websites.

The links in Softpedia are direct links to official websites. I never had any issues and I am very careful. I check the digital signatures and upload each installer to VT.

 

[ForgottenSeer 114834]

The links in Softpedia are direct links to official websites. I never had any issues and I am very careful. I check the digital signatures and upload each installer to VT.

To empower forum readers to achieve the best possible outcomes...

Third-Party Sites Like Softpedia Can Be Compromised.

Here's how it can happen:

Malware Injection: Hackers can infiltrate the site and replace legitimate software downloads with malicious ones.

Supply Chain Attacks: The software developers themselves might be compromised, leading to tainted downloads even on reputable platforms.

Compromised Advertisements: Malicious ads can redirect users to harmful websites or download malware.

Data Breach: If the site's database is breached, user information could be stolen, potentially leading to targeted attacks.

How to Protect Yourself:

Verify Software Sources: Always download software directly from trusted developers or official websites.

 

[Azure]

To empower forum readers to achieve the best possible outcomes...

Third-Party Sites Like Softpedia Can Be Compromised.

Here's how it can happen:

Malware Injection: Hackers can infiltrate the site and replace legitimate software downloads with malicious ones.

Supply Chain Attacks: The software developers themselves might be compromised, leading to tainted downloads even on reputable platforms.

Compromised Advertisements: Malicious ads can redirect users to harmful websites or download malware.

Data Breach: If the site's database is breached, user information could be stolen, potentially leading to targeted attacks.

How to Protect Yourself:

Verify Software Sources: Always download software directly from trusted developers or official websites.

What if the official website links to a 3rd party download site?

 

[Sandbox Breaker]

What if the official website links to a 3rd party download site?

They should have a hash table. Also check the certificate chain in the file.

 

[wat0114]

A strict browser extension policy will block any unauthorized attempts to install additional extensions of any kind:



In this case the browser itself has a policy enforced to restrict what it can do.

 

[ForgottenSeer 114834]

What if the official website links to a 3rd party download site?

If the official website redirects you to a third-party site download:

Verify the Third-Party Site: Check if the third-party site is well-known and reputable. Look for reviews or feedback from other users about the site.

Check for Official Endorsements: Sometimes, official websites partner with trusted third parties for distribution. Look for any endorsements or partnerships mentioned on the official site.

Look for Digital Signatures: When you download the software, check if the file is digitally signed by the publisher. This can often be verified through the file properties on your computer.

Use Antivirus Software: Ensure your antivirus software is up-to-date and scan the downloaded file before opening it.

Seek Alternatives: If you're uncomfortable with the third-party site, try to find an alternative official source or contact the software provider directly for guidance.

 

[monkeylove]

One problem is that several malware now find themselves in trusted apps and even sites. Some companies don't even know that their computers are infected until much later.

 

[HarborFront]

Even download from official site carries a risk.

Remember the CCleaner incident whereby the server was breached resulting in rouge download.

 

[Studynxx]

I found a great way to install software without heading to each app's website. I created a Softpedia account and added the apps I am using to my Watchlist. Whenever an app receives an update, I get notified via email. I head to Softpedia which gives direct links to download the apps from their official sources.

An example of Softpedia email notifications

You should just use a Winget script to be honest.

 

[Trident]

You should just use a Winget script to be honest.

It’s not about the source and way only, Malware not once or twice has made its way to all stores, including the rigorously-checking Apple App Store.

Users should just lose the habit of downloading everything they see. Working with a small set of trusted apps is essential for security.

For example, look at the malicious apps on Android Play Store, identified by BD.

Real-Time Behavior-Based Detection on Android Reveals Dozens of Malicious Apps on Google Play Store

Note: all applications mentioned in this research have been taken down and are no longer accessible.

www.bitdefender.co.uk

Spoiler: Apps

Developer Name	Email	Website
Qasim.Llc	Steelrbasic@gmail.com	https://personalitycharginshow[.]xyz
ALCANTARA.Lab	TipAprilb@gmail.com	https://smartqrscanner1[.]xyz
Baig.Corp	Ississppifinest2@gmail.com	https://animatesstickermaster[.]xyz
Hamid.Apps	jemarchag@gmail.com	https://gps1ocationfinder[.]xyz
Emmanuel.Llc	Quintonjxus@gmail.com	https://mygps123123[.]xyz
Jamie.Lab	jjamiemunoz417@gmail.com	https://artgirlswallpaperhd[.]xyz
Bennington.Llc	kkarlbennington@gmail.com	https://catsimulator1[.]xyz
Josh.Lnc	huhua.luc@gmail.com	http://smartwifii123[.]xyz
Vern.Apps	Vernl3138@gmail.com	https://imagewarpcamera[.]xyz
VILORIA.Corp	Jamelpmac@gmail.com	https://smartqrcreator1[.]xyz
Abid.Studio	ita.mita594@gmail.com	https://colorizeoldphoto[.]xyz
Adeel.Studio	ikvznj@gmail.com	https://smartaps1ocation[.]xyz
Haq.Corp	Wycliffedennis07@gmail.com	https://secrethoroscope1[.]xyz
Nadeem.Apps	KnowMonty@gmail.com	https://volumecontroll[.]xyz
Cedrick.Corp	Cedrickoayz@gmail.com	https://gps1ocationmaps[.]xyz
RICHARD.Lnc	Flossiezxe@gmail.com	https://girlsartwallpaper[.]xyz
Sushil.Dev	tacie.bush@gmail.com	https://mediavolumeslider[.]xyz
Haider.Studio	Eduardoaunx@gmail.com	https://sleepsoundss[.]xyz
Kumar.Apps	Randytzjp@gmail.com	https://qrcreatorr12[.]xyz
Waseem.Llc	MarquisDunlap35@gmail.com	https://secretastrology[.]xyz/
Butt.Corp	eterbrellocvx@gmail.com	https://colorizephotos[.]xyz/
Vledern Studio	deernivle67@gmail.com	-

I am not sure why anyone would need personality charging show, media volume slider or car simulator.

Browsers nowadays have become massive collection of tools, not sure what’s there to “extend”.