Tuesday, October 8, 2024
HomeMalwareGoogle Chrome Extension that Steals all Data Posted by Users on any...

Google Chrome Extension that Steals all Data Posted by Users on any Websites

Published on

Chrome Extensions continue to get compromised, security officer Renato Marinho from Morphus Labs identified a malicious Chrome extension that captures data posted by users online on any website.

They noticed a phishing campaign titled “Follow the photos from the weekend (via WhatsApp)” which infects users by opening an email with alleged photos.

How it affects Victims Via Chrome Extensions

When users open the phishing Email that contains alleged photos, a malicious EXE file named whatsapp.exe will be executed.

Once the malicious file executed it installs victim’s malicious extension into Google Chrome.In order to Disguise it shows a fake Adobe PDF Reader installation while downloading it’s required components.
- Advertisement - EHA

Malware files have a size far beyond the ordinary and far beyond what is usually inspected for anti-virus solutions.Says Renato.

Also Read Seven More Extensions compromised to hijack traffic and substitute advertisements on users browsers

Data Theft

Once the extension installed it will monitor all the data that user posted on the website and sent to attackers, it includes login credentials, credit card details and other sensitive data.

The attacker was not required, for example, to lure the victim to a fake website with typical digital certificate errors or to intercept connections in complex ways. On the contrary, the user will be interacting normally with the legitimate website while their data is stolen. Says Renato.

Here the attacker not diverting victims to fake sites, instead the data is captured while establishing the connection with the legitimate site.

Indicators of Compromise (IOCs)

Files

MD5 (md0) = 72c35311136adaaf2c31d54b7d2c462e
MD5 (md1) = bbca1ced8eea1a63e4e05a7f7e368b69
MD5 (whatsapp.exe) = 713fed252238d2cbd48a18b3faa67a8e

Extension Files

MD5 (btwjvx.js) = 229495556791239ecf88e883124284b7
MD5 (ico.png) = 42ab831ae1520621f4117d3639b1131d
MD5 (java_128.ico) = a5c5f16f314bb022edcdb084850f0d63
MD5 (java_32.ico) = d7a6c3c105a0ab5dc39bdf5005f044b4
MD5 (java_64.ico) = 748e901736d11413f8856f9db82e7328
MD5 (manifest.json) = 214859fb1903fefb8c0142273953b4dc
MD5 (unjjmwv.js) = 5ca7582261c421482436dfdf3af9bffe

Network

hxxps://storage.googleapis.com/webfotosb/Whatsapp.html
hxxp://177.11.55.90/md18102136.cab
hxxps://agenziapetra.com:1515/

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Gained Unauthorized Network Access to Casio Networks

Casio Computer Co., Ltd. has confirmed that a third party illegally accessed its network...

Open-Source Scanner Released to Detect CUPS Vulnerability

A new open-source scanner has been released to detect a critical vulnerability in the...

Comcast Cyber Attack Impacts 237,000+ Users Personal Data

Comcast Cable Communications LLC has reported that over 237,000 users' data has been compromised....

American Water Works Cyber Attack Impacts IT Systems

American Water Works Company, Inc., a leading provider of water and wastewater services, announced...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

DCRAt Attacking Users Via HTML Smuggling To Steal Login Credentials

In a new campaign that is aimed at users who speak Russian, the modular...

LummaC2 Stealer Leverages Customized Control Flow Indirection For Execution

The LummaC2 obfuscator employs a novel control flow protection scheme designed specifically for its...

Octo2 Android Malware Attacking To Steal Banking Credentials

The original threat actor behind the Octo malware family has released a new variant,...