silversurfer
The Razy Trojan is targeting legitimate browser extensions and is spoofing search results in the quest to raid cryptocurrency wallets and steal virtual coins from victims.
According to new research published by Kaspersky Lab, the malware, known as Razy, is a Trojan which uses some of the more unusual techniques on record when infecting systems.
Detected by the cybersecurity firm as Trojan.Win32.Razy.gen, Razy is an executable file which spreads through malvertising on websites and is also packaged up and distributed on file hosting services while masquerading as legitimate software.
The main thrust of the malware is its capability to steal cryptocurrency. Razy focuses on compromising browsers, including Google Chrome, Mozilla Firefox, and Yandex. Different infection vectors are in place depending on the type of browser found on an infected system.
Razy is able to install malicious browser extensions, which is nothing new. However, the Trojan is also able to infect already-installed, legitimate extensions, by disabling integrity checks for extensions and automatic updates for browsers.
In the case of Google Chrome, Razy edits the chrome.dll file to disable extension integrity checks and then renames this file to break the standard pathway. Registry keys are then created to disable browser updates.
"We have encountered cases where different Chrome extensions were infected," the researchers say. "One extension, in particular, is worth mentioning: Chrome Media Router is a component of the service with the same name in browsers based on Chromium. It is present on all devices where the Chrome browser is installed, although it is not shown in the list of installed extensions."
In order to compromise Firefox, a malicious extension called "Firefox Protection" is installed. When it comes to Yandex, the Trojan will also disable integrity checks, rename the browser.dll file, and create registry keys to prevent browser updates. A malicious extension called Yandex Protect is then downloaded and installed.
Most of the malware's functions are served through a single .js script which permits the malware to search for cryptocurrency wallet addresses, replace these addresses with others controlled by threat actors, spoof both images and QR codes which point to wallets, as well as modify the web pages of cryptocurrency exchanges.
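Because Razy defeats the browser's own extension integrity check, a defender cannot rely on the browser to notice that an installed extension's script files have changed. The following is an added example (not code from the article or from Kaspersky Lab) of an out-of-band integrity baseline: it hashes every file under an extension directory, stores the hashes, and later reports modified, added and missing files. The sample extension, its file names and the "injected" line are all constructed for the demonstration; the directory layout of a real Chrome profile is not assumed.

```python
"""Out-of-band integrity baseline for browser extension directories.

Added example: records SHA-256 hashes of an extension's files and later
diffs the directory against that record, so tampering is caught even when
the browser's own verification has been disabled.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large scripts are handled cheaply."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(ext_dir: Path) -> dict:
    """Map each file's path (relative to the extension root) to its hash."""
    baseline = {}
    for p in sorted(ext_dir.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(ext_dir).as_posix()] = hash_file(p)
    return baseline


def verify(ext_dir: Path, baseline: dict) -> dict:
    """Compare the directory with a stored baseline.

    Returns sorted lists of files whose hash changed, files that appeared,
    and files that disappeared. An empty result means the tree is intact.
    The baseline must be kept where the malware cannot rewrite it, e.g.
    on a separate host or a read-only share; otherwise it proves nothing.
    """
    current = build_baseline(ext_dir)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "missing": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict:
    """Build a constructed extension, baseline it, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "sample_extension"  # constructed, not a real extension
        ext.mkdir()
        (ext / "manifest.json").write_text(
            json.dumps({"name": "Sample", "version": "1.0", "manifest_version": 2})
        )
        (ext / "content.js").write_text("console.log('benign content script');\n")

        baseline = build_baseline(ext)
        clean = verify(ext, baseline)
        assert clean == {"modified": [], "added": [], "missing": []}

        # Simulate the infection pattern described above: an existing,
        # legitimate script is edited in place and an extra script is dropped.
        (ext / "content.js").write_text(
            "console.log('benign content script');\n"
            "// constructed placeholder for an injected line\n"
        )
        (ext / "extra.js").write_text("// constructed extra file\n")

        return verify(ext, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be taken right after the extension is installed from a trusted source and checked on a schedule; any non-empty `modified` or `added` list for an extension that has not been legitimately updated is worth treating as a tampering alert, especially when the browser's automatic updates have also been switched off, as the article describes.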