Saturday, December 14, 2024
HomeCyber Security NewsBeware Of Malicious Chrome Extension That Delivers Weaponized ZIP Archive

Beware Of Malicious Chrome Extension That Delivers Weaponized ZIP Archive

Published on

SIEM as a Service

In August 2024, researchers detected a malicious Google Chrome browser infection that led to the distribution of LummaC2 stealer malware that utilized a drive-by download of a ZIP archive containing an MSI app packaging file, which, when executed, installed the malicious software on the victim’s system.

A MSI file communicates with a remote server to obtain the password required to extract a malicious DLL from a RAR archive and employs a legitimate executable associated with cryptographic tools to decrypt the archive.

The malicious executable, located in the “TroxApp” folder, uses DLL sideloading to load the harmful “rnp.dll” payload, exploiting the Windows operating system’s behavior of searching for DLL files in specific directories, allowing the malicious executable to execute malicious code.

- Advertisement - SIEM as a Service

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

The malicious DLL triggered a loader process that downloaded the LummaC2 stealer and then executed a PowerShell command to fetch the next-stage payload, “02074.bs64,” from the C2 server at two-root[.]com/02074.bs64 and decrypt it using two rounds of XOR operations.

The overview of the PowerShell command and the decrypted next-stage payload 

A malicious Chrome extension “Save to Google Drive” installs LummaC2 malware and can handle financial transactions for Facebook, Coinbase, and Google Pay accounts.

It can set and get account balances, generate addresses, and initiate cryptocurrency withdrawals by sending JSON data containing transaction details.

The extension collects hardware and system data, browser information, and cookies, generates a unique device identifier, and sends all this information to a remote server.

Retrieving machine information 

While a malicious browser extension injects code to open invisible popups containing URLs from C2 servers.

The script monitors these popups for content related to payments, logins, and ad management, potentially stealing user input or manipulating displayed content.

It targets email platforms (Outlook, Gmail, Yahoo Mail) by injecting and manipulating web content based on configurations, which allows it to potentially alter email contents, raising concerns about stealing sensitive data like 2FA verification codes. 

Function responsible for the modification of the email body content 

The “makeScreenShot” function in “proxy.js” captures a screenshot of the active tab in a compromised Chrome browser, encodes it as a base64 string, and sends it to a command-and-control server, which enables the attackers to monitor the victim’s browsing activity and potentially steal sensitive information.

According to eSentire, the malicious actors employed a DLL side-loading technique to deploy a LummaC2 stealer and a Chrome extension, which worked in tandem to extract Bitcoin addresses from blockchain and mempool URLs, subsequently decoding them using Base58 to steal sensitive information.

Download Free Incident Response Plan Template for Your Security Team – Free Download

Varshini
Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Latest articles

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...