Categories: MalwareWhat is

Google Chrome Extension that Steals all Data Posted by Users on any Websites

Chrome Extensions continue to get compromised, security officer Renato Marinho from Morphus Labs identified a malicious Chrome extension that captures data posted by users online on any website.

They noticed a phishing campaign titled “Follow the photos from the weekend (via WhatsApp)” which infects users by opening an email with alleged photos.

How it affects Victims Via Chrome Extensions

When users open the phishing Email that contains alleged photos, a malicious EXE file named whatsapp.exe will be executed.

Once the malicious file executed it installs victim’s malicious extension into Google Chrome.In order to Disguise it shows a fake Adobe PDF Reader installation while downloading it’s required components.

Malware files have a size far beyond the ordinary and far beyond what is usually inspected for anti-virus solutions.Says Renato.

Also Read Seven More Extensions compromised to hijack traffic and substitute advertisements on users browsers

Data Theft

Once the extension installed it will monitor all the data that user posted on the website and sent to attackers, it includes login credentials, credit card details and other sensitive data.

The attacker was not required, for example, to lure the victim to a fake website with typical digital certificate errors or to intercept connections in complex ways. On the contrary, the user will be interacting normally with the legitimate website while their data is stolen. Says Renato.

Here the attacker not diverting victims to fake sites, instead the data is captured while establishing the connection with the legitimate site.

Indicators of Compromise (IOCs)

Files

MD5 (md0) = 72c35311136adaaf2c31d54b7d2c462e
MD5 (md1) = bbca1ced8eea1a63e4e05a7f7e368b69
MD5 (whatsapp.exe) = 713fed252238d2cbd48a18b3faa67a8e

Extension Files

MD5 (btwjvx.js) = 229495556791239ecf88e883124284b7
MD5 (ico.png) = 42ab831ae1520621f4117d3639b1131d
MD5 (java_128.ico) = a5c5f16f314bb022edcdb084850f0d63
MD5 (java_32.ico) = d7a6c3c105a0ab5dc39bdf5005f044b4
MD5 (java_64.ico) = 748e901736d11413f8856f9db82e7328
MD5 (manifest.json) = 214859fb1903fefb8c0142273953b4dc
MD5 (unjjmwv.js) = 5ca7582261c421482436dfdf3af9bffe

Network

hxxps://storage.googleapis.com/webfotosb/Whatsapp.html
hxxp://177.11.55.90/md18102136.cab
hxxps://agenziapetra.com:1515/

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

2 days ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

3 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

4 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

4 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

4 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

4 days ago