Thursday, April 18, 2024

Beware of new Malicious Chrome Extension that Delivers Password Stealer Malware

Several malvertising campaigns have been discovered recently by the security experts of Cisco Talos. In these malvertising campaigns, it has been detected that the threat actors have been using the fake installers of popular apps and games like:-

  • WeChat
  • Viber
  • Battlefield
  • NoxPlayer

Hackers have been using these fake installers to trick their victims into downloading a malicious Google Chrome extension with a backdoor. 

All these malware families are in constant development and improvement by their developers. And the malware payloads were attributed by the researchers to an unknown actor with “magnat” alias.

The primary objective of the hacker is to steal sensitive data, credentials and maintain remote access to the compromised system.

Pieces of malware

On the victim’s compromised system, the threat actor executes three pieces of malware by running the fake installers, and here they are mentioned below:-

  • An undocumented malicious browser extension.
  • A password stealer.
  • A “backdoor” for setting up remote access.

Malicious campaign

In these malicious campaigns, the operators have used several file types with the names like:-

  • viber-25164.exe
  • wechat-35355.exe
  • build_9.716-6032.exe
  • setup_164335.exe
  • nox_setup_55606.exe
  • battlefieldsetup_76522.exe

Once these files are executed by the victim, these files start executing the malicious loaders on the compromised system of the victim instead of installing the authentic software.

The threat actors use these malvertising campaigns to target the users by presenting them links to download the fake installers on search engines who are searching for popular software.

Like this, they drop three elements:-

  • A password stealer known as RedLine Stealer.
  • A Chrome extension dubbed “MagnatExtension” to record keystrokes and capture screenshots.
  • An AutoIt-based backdoor that builds remote access on the compromised system.

Targets & Campaign timeline

The primary targets of Magnat are the users from the following countries:-

  • The USA
  • Canada
  • Australia
  • Spain
  • Italy
  • Norway

Here is the timeline analyzed by Cisco TALOS:-

The command-and-control (C2) communications of MagnatExtension is outstanding since the C2 address of this extension is hard-coded. But, with the method in which it arranges a new C2 address from a Twitter search for hashtags like “#aquamamba2019” or “#ololo2019” it accumulates a major drawback.

Here’s what Tiago Pereira, one of the Cisco Talos researchers, said:-

“Based on the use of password stealers and a Chrome extension that is similar to a banking trojan, we assess that the attacker’s goals are to obtain user credentials, possibly for sale or for his own use in further exploitation.”

While the threat actors will continue to develop and improve the campaigns like this to steal sensitive data and credentials. So, the experts recommended that users should always use robust security mechanisms and tools to stay safe.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.


Latest articles

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

In the wake of the recent disclosure of a critical vulnerability (CVE-2024-3400) affecting a...

Cerber Linux Ransomware Exploits Atlassian Servers to Take Full Control

Security researchers at Cado Security Labs have uncovered a new variant of the Cerber...

FGVulDet – New Vulnerability Detector to Analyze Source Code

Detecting source code vulnerabilities aims to protect software systems from attacks by identifying inherent...

North Korean Hackers Abuse DMARC To Legitimize Their Emails

DMARC is targeted by hackers as this serves to act as a preventative measure...

L00KUPRU Ransomware Attackers discovered in the wild

A new variant of the Xorist ransomware, dubbed L00KUPRU, has been discovered in the...

Oracle Releases Biggest Security Update in 2024 – 372 Vulnerabilities Are Fixed – Update Now!

Oracle has released its April 2024 Critical Patch Update (CPU), addressing 372 security vulnerabilities...

Outlook Login Panel Themed Phishing Attack Evaded All Antivirus Detections

Cybersecurity researchers have uncovered a new phishing attack that has bypassed all antivirus detections.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles