Beware Of Malicious Chrome Extension That Delivers Weaponized ZIP Archive

In August 2024, researchers detected a malicious Google Chrome browser infection that led to the distribution of the LummaC2 stealer. The infection chain relied on a drive-by download of a ZIP archive containing an MSI app packaging file which, when executed, installed the malware on the victim’s system.

The MSI file communicates with a remote server to obtain the password required to extract a malicious DLL from a RAR archive, and it employs a legitimate executable associated with cryptographic tools to decrypt the archive.

The malicious executable, located in the “TroxApp” folder, uses DLL sideloading to load the harmful “rnp.dll” payload. It abuses the Windows DLL search order, under which the loader looks for a DLL in specific directories (the application’s own folder among them) before falling back to system locations, so the attacker-supplied DLL is loaded in place of the legitimate one and its code is executed.

The malicious DLL triggered a loader process that downloaded the LummaC2 stealer and then executed a PowerShell command to fetch the next-stage payload, “02074.bs64,” from the C2 server at two-root[.]com/02074.bs64 and decrypt it using two rounds of XOR operations.

The overview of the PowerShell command and the decrypted next-stage payload

A malicious Chrome extension “Save to Google Drive” installs LummaC2 malware and can handle financial transactions for Facebook, Coinbase, and Google Pay accounts.

It can set and get account balances, generate addresses, and initiate cryptocurrency withdrawals by sending JSON data containing transaction details.

The extension collects hardware and system data, browser information, and cookies, generates a unique device identifier, and sends all this information to a remote server.

Retrieving machine information

The malicious browser extension also injects code to open invisible popups containing URLs from C2 servers.

The script monitors these popups for content related to payments, logins, and ad management, potentially stealing user input or manipulating displayed content.

It targets email platforms (Outlook, Gmail, Yahoo Mail) by injecting and manipulating web content based on configurations, which allows it to potentially alter email contents, raising concerns about stealing sensitive data like 2FA verification codes.

Function responsible for the modification of the email body content

The “makeScreenShot” function in “proxy.js” captures a screenshot of the active tab in a compromised Chrome browser, encodes it as a base64 string, and sends it to a command-and-control server, which enables the attackers to monitor the victim’s browsing activity and potentially steal sensitive information.
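The capabilities described above (cookie access, screenshots of the active tab, script injection into webmail) all depend on permissions declared in the extension’s manifest, which makes the manifest a cheap place for a defender to triage. The following manifest audit is an added example written for this article, not code from eSentire or from the extension itself; the permission names and host patterns are standard Chrome extension manifest fields, and the sample manifest is constructed.

```python
import json

# Manifest permissions that together enable the behaviour described in the
# article: reading cookies, screenshotting the visible tab, injecting scripts.
RISKY_PERMISSIONS = {
    "cookies": "can read session cookies for every granted host",
    "tabs": "can enumerate tabs and capture the visible tab (screenshots)",
    "webRequest": "can observe or modify HTTP traffic",
    "scripting": "can inject scripts into pages at runtime",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
WEBMAIL_DOMAINS = ("mail.google.com", "outlook.live.com",
                   "outlook.office.com", "mail.yahoo.com")


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for a Chrome MV3 manifest dict.
    An empty list means no flagged capability was found."""
    findings = []
    perms = set(manifest.get("permissions", []))
    for perm, why in RISKY_PERMISSIONS.items():
        if perm in perms:
            findings.append(f"permission '{perm}': {why}")
    hosts = set(manifest.get("host_permissions", []))
    if hosts & BROAD_HOSTS:
        findings.append("host_permissions grant access to every site")
    for cs in manifest.get("content_scripts", []):
        for pattern in cs.get("matches", []):
            if any(d in pattern for d in WEBMAIL_DOMAINS):
                findings.append(f"content script injected into webmail: {pattern}")
    # chrome.tabs.captureVisibleTab on arbitrary pages needs both 'tabs'
    # and host access to the page being captured.
    if "tabs" in perms and hosts & BROAD_HOSTS:
        findings.append("can screenshot any open tab (tabs + broad host access)")
    return findings


# Constructed sample manifest for illustration (not the real extension's).
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Save to Cloud Drive",
  "permissions": ["cookies", "tabs", "storage"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://mail.google.com/*"], "js": ["proxy.js"]}]
}""")

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("FLAG:", finding)
```

Run against an installed extension’s manifest.json, the findings list gives an analyst the capability set to check before looking at the JavaScript.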

According to eSentire, the malicious actors employed a DLL side-loading technique to deploy a LummaC2 stealer and a Chrome extension, which worked in tandem to extract Bitcoin addresses from blockchain and mempool URLs, subsequently decoding them using Base58 to steal sensitive information.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
