Monday, November 4, 2024
HomeMalwareGoogle Chrome Extension that Steals all Data Posted by Users on any...

Google Chrome Extension that Steals all Data Posted by Users on any Websites

Published on

Malware protection

Chrome Extensions continue to get compromised, security officer Renato Marinho from Morphus Labs identified a malicious Chrome extension that captures data posted by users online on any website.

They noticed a phishing campaign titled “Follow the photos from the weekend (via WhatsApp)” which infects users by opening an email with alleged photos.

How it affects Victims Via Chrome Extensions

When users open the phishing Email that contains alleged photos, a malicious EXE file named whatsapp.exe will be executed.

Once the malicious file executed it installs victim’s malicious extension into Google Chrome.In order to Disguise it shows a fake Adobe PDF Reader installation while downloading it’s required components.
- Advertisement - SIEM as a Service

Malware files have a size far beyond the ordinary and far beyond what is usually inspected for anti-virus solutions.Says Renato.

Also Read Seven More Extensions compromised to hijack traffic and substitute advertisements on users browsers

Data Theft

Once the extension installed it will monitor all the data that user posted on the website and sent to attackers, it includes login credentials, credit card details and other sensitive data.

The attacker was not required, for example, to lure the victim to a fake website with typical digital certificate errors or to intercept connections in complex ways. On the contrary, the user will be interacting normally with the legitimate website while their data is stolen. Says Renato.

Here the attacker not diverting victims to fake sites, instead the data is captured while establishing the connection with the legitimate site.

Indicators of Compromise (IOCs)

Files

MD5 (md0) = 72c35311136adaaf2c31d54b7d2c462e
MD5 (md1) = bbca1ced8eea1a63e4e05a7f7e368b69
MD5 (whatsapp.exe) = 713fed252238d2cbd48a18b3faa67a8e

Extension Files

MD5 (btwjvx.js) = 229495556791239ecf88e883124284b7
MD5 (ico.png) = 42ab831ae1520621f4117d3639b1131d
MD5 (java_128.ico) = a5c5f16f314bb022edcdb084850f0d63
MD5 (java_32.ico) = d7a6c3c105a0ab5dc39bdf5005f044b4
MD5 (java_64.ico) = 748e901736d11413f8856f9db82e7328
MD5 (manifest.json) = 214859fb1903fefb8c0142273953b4dc
MD5 (unjjmwv.js) = 5ca7582261c421482436dfdf3af9bffe

Network

hxxps://storage.googleapis.com/webfotosb/Whatsapp.html
hxxp://177.11.55.90/md18102136.cab
hxxps://agenziapetra.com:1515/

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy...

Russian Hackers Attacking Ukraine Military With Malware Via Telegram

Researchers discovered a Russian-linked threat actor, UNC5812, utilizing a Telegram persona named "Civil Defense....

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...