Cyber Security News

Beware Of Malicious Chrome Extension That Delivers Weaponized ZIP Archive

In August 2024, researchers detected a malicious Google Chrome browser infection that led to the distribution of LummaC2 stealer malware that utilized a drive-by download of a ZIP archive containing an MSI app packaging file, which, when executed, installed the malicious software on the victim’s system.

A MSI file communicates with a remote server to obtain the password required to extract a malicious DLL from a RAR archive and employs a legitimate executable associated with cryptographic tools to decrypt the archive.

The malicious executable, located in the “TroxApp” folder, uses DLL sideloading to load the harmful “rnp.dll” payload, exploiting the Windows operating system’s behavior of searching for DLL files in specific directories, allowing the malicious executable to execute malicious code.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

The malicious DLL triggered a loader process that downloaded the LummaC2 stealer and then executed a PowerShell command to fetch the next-stage payload, “02074.bs64,” from the C2 server at two-root[.]com/02074.bs64 and decrypt it using two rounds of XOR operations.

The overview of the PowerShell command and the decrypted next-stage payload

A malicious Chrome extension “Save to Google Drive” installs LummaC2 malware and can handle financial transactions for Facebook, Coinbase, and Google Pay accounts.

It can set and get account balances, generate addresses, and initiate cryptocurrency withdrawals by sending JSON data containing transaction details.

The extension collects hardware and system data, browser information, and cookies, generates a unique device identifier, and sends all this information to a remote server.

Retrieving machine information

While a malicious browser extension injects code to open invisible popups containing URLs from C2 servers.

The script monitors these popups for content related to payments, logins, and ad management, potentially stealing user input or manipulating displayed content.

It targets email platforms (Outlook, Gmail, Yahoo Mail) by injecting and manipulating web content based on configurations, which allows it to potentially alter email contents, raising concerns about stealing sensitive data like 2FA verification codes

Function responsible for the modification of the email body content

The “makeScreenShot” function in “proxy.js” captures a screenshot of the active tab in a compromised Chrome browser, encodes it as a base64 string, and sends it to a command-and-control server, which enables the attackers to monitor the victim’s browsing activity and potentially steal sensitive information.

According to eSentire, the malicious actors employed a DLL side-loading technique to deploy a LummaC2 stealer and a Chrome extension, which worked in tandem to extract Bitcoin addresses from blockchain and mempool URLs, subsequently decoding them using Base58 to steal sensitive information.

Download Free Incident Response Plan Template for Your Security Team – Free Download

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

11 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

11 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

14 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

17 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

18 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

18 hours ago