Friday, January 24, 2025
HomeMalwareGoogle Chrome Extension that Steals all Data Posted by Users on any...

Google Chrome Extension that Steals all Data Posted by Users on any Websites

Published on

SIEM as a Service

Follow Us on Google News

Chrome Extensions continue to get compromised, security officer Renato Marinho from Morphus Labs identified a malicious Chrome extension that captures data posted by users online on any website.

They noticed a phishing campaign titled “Follow the photos from the weekend (via WhatsApp)” which infects users by opening an email with alleged photos.

How it affects Victims Via Chrome Extensions

When users open the phishing Email that contains alleged photos, a malicious EXE file named whatsapp.exe will be executed.

Once the malicious file executed it installs victim’s malicious extension into Google Chrome.In order to Disguise it shows a fake Adobe PDF Reader installation while downloading it’s required components.

Malware files have a size far beyond the ordinary and far beyond what is usually inspected for anti-virus solutions.Says Renato.

Also Read Seven More Extensions compromised to hijack traffic and substitute advertisements on users browsers

Data Theft

Once the extension installed it will monitor all the data that user posted on the website and sent to attackers, it includes login credentials, credit card details and other sensitive data.

The attacker was not required, for example, to lure the victim to a fake website with typical digital certificate errors or to intercept connections in complex ways. On the contrary, the user will be interacting normally with the legitimate website while their data is stolen. Says Renato.

Here the attacker not diverting victims to fake sites, instead the data is captured while establishing the connection with the legitimate site.

Indicators of Compromise (IOCs)

Files

MD5 (md0) = 72c35311136adaaf2c31d54b7d2c462e
MD5 (md1) = bbca1ced8eea1a63e4e05a7f7e368b69
MD5 (whatsapp.exe) = 713fed252238d2cbd48a18b3faa67a8e

Extension Files

MD5 (btwjvx.js) = 229495556791239ecf88e883124284b7
MD5 (ico.png) = 42ab831ae1520621f4117d3639b1131d
MD5 (java_128.ico) = a5c5f16f314bb022edcdb084850f0d63
MD5 (java_32.ico) = d7a6c3c105a0ab5dc39bdf5005f044b4
MD5 (java_64.ico) = 748e901736d11413f8856f9db82e7328
MD5 (manifest.json) = 214859fb1903fefb8c0142273953b4dc
MD5 (unjjmwv.js) = 5ca7582261c421482436dfdf3af9bffe

Network

hxxps://storage.googleapis.com/webfotosb/Whatsapp.html
hxxp://177.11.55.90/md18102136.cab
hxxps://agenziapetra.com:1515/

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Murdoc Botnet Exploiting AVTECH Cameras & Huawei Routers to Gain Complete Control

Researchers have identified an active malware campaign involving a Mirai botnet variant, dubbed Murdoc,...