Saturday, January 18, 2025
HomeCyber AttackBeware of new Malicious Chrome Extension that Delivers Password Stealer Malware

Beware of new Malicious Chrome Extension that Delivers Password Stealer Malware

Published on

SIEM as a Service

Follow Us on Google News

Several malvertising campaigns have been discovered recently by the security experts of Cisco Talos. In these malvertising campaigns, it has been detected that the threat actors have been using the fake installers of popular apps and games like:-

  • WeChat
  • Viber
  • Battlefield
  • NoxPlayer

Hackers have been using these fake installers to trick their victims into downloading a malicious Google Chrome extension with a backdoor. 

All these malware families are in constant development and improvement by their developers. And the malware payloads were attributed by the researchers to an unknown actor with “magnat” alias.

The primary objective of the hacker is to steal sensitive data, credentials and maintain remote access to the compromised system.

Pieces of malware

On the victim’s compromised system, the threat actor executes three pieces of malware by running the fake installers, and here they are mentioned below:-

  • An undocumented malicious browser extension.
  • A password stealer.
  • A “backdoor” for setting up remote access.

Malicious campaign

In these malicious campaigns, the operators have used several file types with the names like:-

  • viber-25164.exe
  • wechat-35355.exe
  • build_9.716-6032.exe
  • setup_164335.exe
  • nox_setup_55606.exe
  • battlefieldsetup_76522.exe

Once these files are executed by the victim, these files start executing the malicious loaders on the compromised system of the victim instead of installing the authentic software.

The threat actors use these malvertising campaigns to target the users by presenting them links to download the fake installers on search engines who are searching for popular software.

Like this, they drop three elements:-

  • A password stealer known as RedLine Stealer.
  • A Chrome extension dubbed “MagnatExtension” to record keystrokes and capture screenshots.
  • An AutoIt-based backdoor that builds remote access on the compromised system.

Targets & Campaign timeline

The primary targets of Magnat are the users from the following countries:-

  • The USA
  • Canada
  • Australia
  • Spain
  • Italy
  • Norway

Here is the timeline analyzed by Cisco TALOS:-

The command-and-control (C2) communications of MagnatExtension is outstanding since the C2 address of this extension is hard-coded. But, with the method in which it arranges a new C2 address from a Twitter search for hashtags like “#aquamamba2019” or “#ololo2019” it accumulates a major drawback.

Here’s what Tiago Pereira, one of the Cisco Talos researchers, said:-

“Based on the use of password stealers and a Chrome extension that is similar to a banking trojan, we assess that the attacker’s goals are to obtain user credentials, possibly for sale or for his own use in further exploitation.”

While the threat actors will continue to develop and improve the campaigns like this to steal sensitive data and credentials. So, the experts recommended that users should always use robust security mechanisms and tools to stay safe.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....

New Tool Unveiled to Scan Hacking Content on Telegram

A Russian software developer, aided by the National Technology Initiative, has introduced a groundbreaking...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....