Malware Impacts 300k Browsers

A new global polymorphic malware campaign has been discovered, which forcefully installs extensions on endpoints. 

The malware and extensions, which are spreading widely, have impacted 300,000 users of Microsoft Edge and Google Chrome.

The trojan malware comes with a variety of deliverables, from straightforward adware extensions that take over searches to more complex malicious scripts that deliver local extensions to steal personal information and carry out various commands. 

Active since 2021, the malware has been distributed through imitation websites offering downloads and add-ons for online games and videos.


Understanding The Attack Flow

Adverts imitating popular download websites, such as YouTube, VLC, Roblox FPS Unlocker, or KeePass, were used to spread trojans that install the malicious extensions.

The executables users download from the fraudulent websites do not even attempt to install the program they were looking for. Some more recent versions do fetch the genuine program through an API from a Google storage link, as cover.

“Once a user downloads the program from the lookalike website, the program registers a scheduled task using a pseudonym that follows the pattern of a PowerShell script file name, like Updater_PrivacyBlocker_PR1, MicrosoftWindowsOptimizerUpdateTask_PR1, and NvOptimizerTaskUpdater_V2”, ReasonLabs researchers said.

The task is set up to run PowerShell with the argument “-File C:/Windows/System32/NvWinSearchOptimizer.ps1”, pointing at a script whose name is chosen to look just as legitimate.

The PowerShell script downloads a payload from a remote server and installs it on the computer. Notably, the script itself is written into the System32 folder.

Functions Of The PowerShell Script

The scripts reach the C2 to access:

  • A Chrome and Edge extension malware that hijacks search.
  • A local extension that uses the C2 to download every file. It stores the files in a directory that it further obtains from the C2 as a parameter.

The addRegKeys function creates the required extension policy paths under HKLM\SOFTWARE\Policies, and the malware checks that the “ExtensionInstallForceList” key is present for both Edge and Chrome.

After the malware contacts its C2 for further installation instructions, the addRegVal function receives its parameters from Stage 3.

Researchers said, “The addRegVal function receives instructions on which extensions to force install (based on the response from the C2) and the registry path of the force installation key”.

Examples of some of the new extensions are “yglSearch,” which is still accessible for download and has over 40,000 users, and “Micro Search,” which was available for download up until recently and had over 30,000 users.

“Simple New Tab,” a Microsoft Edge extension with over 100,000 users, is among the most popular. On the Microsoft Edge Add-ons page, the extension is described as “replacing the new tab page with beautiful backgrounds”.

“It is impressive how under the radar this malware is given that it has been operating for years without even changing its C2 domains, probably because it hasn’t needed to. By counting the number of users on each extension related to the campaigns, over 200,000 users have been affected by the malware”, reads the report.

Removing the malware completely therefore means removing its persistence mechanisms: the daily scheduled task that reactivates it must be deleted, along with a handful of registry keys.
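As an added, read-only audit example (not part of the ReasonLabs report), the following PowerShell lists scheduled tasks whose names or actions match the patterns quoted above, and dumps every extension that Chrome or Edge policy forces to install. It assumes the standard ExtensionInstallForcelist policy locations under HKLM\SOFTWARE\Policies\Google\Chrome and HKLM\SOFTWARE\Policies\Microsoft\Edge, and it changes nothing on the host.

```powershell
# Added audit example; task names and the script name come from the article,
# the registry paths are the standard Chrome/Edge policy keys. Read-only.
$suspectTaskPattern = 'Updater_PrivacyBlocker|MicrosoftWindowsOptimizerUpdateTask|NvOptimizerTaskUpdater'
$suspectScript      = 'NvWinSearchOptimizer.ps1'

$policyKeys = @{
    Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
}

function Get-SuspiciousTasks {
    # Flag tasks whose name matches the campaign's naming pattern, or whose
    # action runs the dropped script out of System32.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($task.TaskName -match $suspectTaskPattern -or
                $cmd -match [regex]::Escape($suspectScript)) {
                [pscustomobject]@{ TaskName = $task.TaskName; TaskPath = $task.TaskPath; Command = $cmd }
            }
        }
    }
}

function Get-ForcedExtensions {
    # Each value under ExtensionInstallForcelist is "<extension id>;<update url>".
    # Anything listed here was installed without the user's consent, so every
    # entry should be traceable to a policy your organisation actually set.
    foreach ($browser in $policyKeys.Keys) {
        $key = $policyKeys[$browser]
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive metadata
            $id, $url = [string]$p.Value -split ';', 2
            [pscustomobject]@{ Browser = $browser; ValueName = $p.Name; ExtensionId = $id; UpdateUrl = $url }
        }
    }
}

Write-Host '== Scheduled tasks matching the campaign naming patterns =='
Get-SuspiciousTasks | Format-Table -AutoSize
Write-Host '== Extensions force-installed by browser policy =='
Get-ForcedExtensions | Format-Table -AutoSize
```

Run it from an elevated prompt so that tasks registered by other accounts are visible; an empty table in both sections is the expected result on a clean machine without enterprise browser policies.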


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.