Tuesday, March 5, 2024

Malicious Chrome Extension Launches MitM Attack to Harvest User Logins & Passwords and Steal Money

A newly discovered malicious Chrome extension performs a Man-in-the-Middle attack to harvest users' logins and passwords and steal money from victims' bank accounts.

During a recent analysis of suspicious extensions in the Chrome Web Store, an extension called Desbloquear Conteúdo ('Unblock Content' in Portuguese) was discovered.

The malicious extension specifically targets users of Brazilian online banking services, and the fraud attempts were primarily discovered in Brazil.

This malicious Chrome extension predominantly targets online banking services and compromises users using several techniques.

During the Man-in-the-Middle attack, the attacker redirects a victim's web traffic to a spoofed page by modifying DNS settings.

In this case, the victim believes they are connected to their bank's website and notices nothing suspicious, but the traffic is routed through the attacker's site, which allows the attacker to capture any personal data, such as the password, PIN and username, as the victim enters it.

How Does This Malicious Chrome Extension Work

The malicious Chrome extension relies on obfuscation to evade antivirus detection, but its source code itself is not obfuscated.

It uses the WebSocket protocol for data communication to keep the exchange private, and the C&C server acts as a proxy server.

During the Man-in-the-Middle attack, whenever the victim visits a Brazilian bank website, the malicious extension redirects the traffic to the attacker's server.

The Desbloquear Conteúdo extension contains two JavaScript files, fundo.js and pages.js, which perform two different operations to control victims.

fundo.js starts by establishing the WebSocket connection using a function called websocket_init().

It then downloads data from the server and stores it in chrome.storage; later it contacts the Command & Control server to receive the IP address to which user traffic will be redirected.

According to Kaspersky, the Proxy Auto Configuration technology is worth mentioning here. Modern browsers use a special file written in JavaScript that has just one function, FindProxyForURL. With this function, the browser decides which proxy server to use to establish a connection to various domains.

The other file, pages.js, downloads several scripts from the domain ganalytics[.]ga and launches them on the banks' sites.

A script called cef.js adds specific HTML code to the main page of the online banking system, and the server it connects to is used to collect the one-time passwords used for authentication on the bank's site.

Once the user reaches the bank's login page, the script creates a clone of the 'Enter' button with its own click handler and overlays it on the original, so the victim eventually clicks the cloned button.

Finally, the user's account password is sent both to the online banking system and to the malicious server.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.