This Trojan infects browser extensions, spoofs searches to steal cryptocurrency

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057
The Razy Trojan is targeting legitimate browser extensions and is spoofing search results in the quest to raid cryptocurrency wallets and steal virtual coins from victims.
According to new research published by Kaspersky Lab, the malware, known as Razy, is a Trojan which uses some of the more unusual techniques on record when infecting systems.

Detected by the cybersecurity firm as Trojan.Win32.Razy.gen, Razy is an executable file which spreads through malvertising on websites and is also packaged up and distributed on file hosting services while masquerading as legitimate software.

The main thrust of the malware is its capability to steal cryptocurrency. Razy focuses on compromising browsers, including Google Chrome, Mozilla Firefox, and Yandex. Different infection vectors are in place depending on the type of browser found on an infected system.

Razy is able to install malicious browser extensions, which is nothing new. However, the Trojan is also able to infect already-installed, legitimate extensions, by disabling integrity checks for extensions and automatic updates for browsers.

In the case of Google Chrome, Razy edits the chrome.dll file to disable extension integrity checks and then renames this file to break the standard pathway. Registry keys are then created to disable browser updates.

"We have encountered cases where different Chrome extensions were infected," the researchers say. "One extension, in particular, is worth mentioning: Chrome Media Router is a component of the service with the same name in browsers based on Chromium. It is present on all devices where the Chrome browser is installed, although it is not shown in the list of installed extensions."

In order to compromise Firefox, a malicious extension called "Firefox Protection" is installed. When it comes to Yandex, the Trojan will also disable integrity checks, rename the browser.dll file, and create registry keys to prevent browser updates. A malicious extension called Yandex Protect is then downloaded and installed.

Most of the malware's functions are served through a single .js script which permits the malware to search for cryptocurrency wallet addresses, replace these addresses with others controlled by threat actors, spoof both images and QR codes which point to wallets, as well as modify the web pages of cryptocurrency exchanges.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top