Trojan Infects Browser Extensions After Disabling Integrity Checks

Security researchers have discovered a new Trojan program dubbed Razy that installs itself as a browser extension or infects existing browser extensions after disabling integrity checks.

According to researchers from Kaspersky Lab, Razy is distributed via malicious advertisements on websites or through free file-hosting services where it poses as legitimate applications people might search for.

The Trojan’s main goal appears to be cryptocurrency theft. It monitors for cryptocurrency wallet addresses displayed on websites and replaces them with an address controlled by its creators. It spoofs images of QR codes that link to cryptocurrency wallets and modifies the websites of cryptocurrency exchanges. Finally, it injects fake links into search engine results on Google and Yandex.

Razy appears to be aimed primarily at Russian users, but the way it tampers with Google Chrome, Mozilla Firefox and Yandex Browser is its most dangerous feature, since the technique can be replicated by other malware authors.

The Trojan uses a slightly different approach for each browser. For Firefox, it copies a malicious extension called Firefox Protection, then edits several user profile configuration files to enable it inside the browser without user confirmation.

For Yandex Browser, it disables extension integrity checking by modifying and renaming one of the program's DLL files. It then disables browser updates, which include updates for extensions, by editing several registry keys, and proceeds to install itself as an extension called Yandex Protect. If such an extension already exists, it replaces that extension with a copy of itself.

The infection method for Chrome is similar because Yandex Browser is based on the Chromium open source project, just like Google Chrome. However, the modified files and registry keys have different names.

It also seems that in the case of Google Chrome the Trojan modifies existing extensions rather than attempting to install itself as one. This is most likely done because the browser has protections against extensions that are not installed through the Chrome Web Store.

“We have encountered cases where different Chrome extensions were infected,” the Kaspersky Lab researchers said in a blog post. “One extension in particular is worth mentioning: Chrome Media Router is a component of the service with the same name in browsers based on Chromium. It is present on all devices where the Chrome browser is installed, although it is not shown in the list of installed extensions.”

In addition to cryptocurrency theft, Razy injects videos and rogue advertisements into different websites, as well as errors or warnings that lead to phishing sites. It even spoofs the donation requests displayed on Wikipedia.com and displays fake offers for tokens on Telegram’s website.

Malvertisement Distributes Shlayer Trojan to Mac Users

Up to 5 million Mac users have been the target of a recent malvertising attack that injected fake Flash Player warnings into websites to distribute a Trojan program called Shlayer.

Using fake Flash Player updates to trick Mac users into installing malware is not a new technique, but the more interesting aspect is how this particular attack group, dubbed VeryMal, bypassed the defenses of advertising networks to get their malicious advertisement to users.

VeryMal's JavaScript code, as served to the ad networks, looked harmless, but it used the HTML5 Canvas API to read the pixel data of an innocuous-looking image and reconstruct additional code that had been hidden in it. This technique of hiding secrets, or in this case code, inside images is called steganography.
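What that Canvas-API extraction looks like in code, as an added example that is not from this article, from Confiant's write-up or from the VeryMal campaign: it hides bytes in the least-significant bit of each colour channel of an RGBA pixel buffer and reads them back the way an ad script would after `getImageData()`. The cover image, the "STEG" marker, the header layout and the payload string are all constructed for the demo (Confiant did not publish the campaign's exact encoding), and the `looksLikeCanvasStego` heuristic is my own suggestion for triage, not a published rule.

```javascript
// Added example (not Confiant's or VeryMal's code): LSB steganography over RGBA
// pixel data, the kind of payload extraction a malvertising script performs with
// the HTML5 Canvas API. In a browser the pixel buffer would come from
//   ctx.drawImage(img, 0, 0); ctx.getImageData(0, 0, w, h).data
// Here a constructed pixel buffer stands in for that image so the code runs in Node.

// Constructed 4-byte marker ("STEG") so the decoder can tell a carrier from a plain image.
const MAGIC = [0x53, 0x54, 0x45, 0x47];

// Bit k of the hidden stream lives in the low bit of R, G or B of pixel floor(k/3).
// Alpha is skipped: canvas stores premultiplied alpha and would corrupt those bits.
function bitIndex(k) {
  return Math.floor(k / 3) * 4 + (k % 3);
}

// Deterministic gradient image (constructed sample). Every channel's low bit is 0,
// so running the decoder on it finds no marker and reports "no payload".
function makeCoverImage(width, height) {
  const px = new Uint8ClampedArray(width * height * 4);
  for (let y = 0; y < height; y++) {
    for (let x = 0; x < width; x++) {
      const i = (y * width + x) * 4;
      px[i] = (x * 4) & 0xfe;     // R
      px[i + 1] = (y * 4) & 0xfe; // G
      px[i + 2] = 128;            // B
      px[i + 3] = 255;            // A
    }
  }
  return px;
}

// Writer side: MAGIC, a 4-byte big-endian length, then the payload, one bit per channel.
function embedPayload(pixels, payload) {
  const bytes = new Uint8Array(8 + payload.length);
  bytes.set(MAGIC, 0);
  new DataView(bytes.buffer).setUint32(4, payload.length, false);
  bytes.set(payload, 8);
  if (bytes.length * 8 > (pixels.length / 4) * 3) {
    throw new Error('image too small for payload');
  }
  const out = Uint8ClampedArray.from(pixels);
  let k = 0;
  for (const b of bytes) {
    for (let i = 7; i >= 0; i--, k++) {
      const idx = bitIndex(k);
      out[idx] = (out[idx] & 0xfe) | ((b >> i) & 1);
    }
  }
  return out;
}

function readBytes(pixels, count, startBit) {
  const out = new Uint8Array(count);
  let k = startBit;
  for (let n = 0; n < count; n++) {
    let b = 0;
    for (let i = 0; i < 8; i++, k++) b = (b << 1) | (pixels[bitIndex(k)] & 1);
    out[n] = b;
  }
  return out;
}

// Reader side, i.e. what the ad's JavaScript does after getImageData(): returns the
// hidden bytes, or null when the marker is absent or the length field is implausible.
function extractPayload(pixels) {
  const capacityBits = (pixels.length / 4) * 3;
  if (capacityBits < 64) return null;
  const header = readBytes(pixels, 8, 0);
  if (!MAGIC.every((m, i) => header[i] === m)) return null;
  const len = new DataView(header.buffer).getUint32(4, false);
  if (64 + len * 8 > capacityBits) return null;
  return readBytes(pixels, len, 64);
}

// Crude triage heuristic for ad creatives: a script that reads pixels back and then
// turns data into code deserves a closer look. This is my assumption of a useful
// signal for a scanner, not a rule Confiant published.
function looksLikeCanvasStego(scriptSource) {
  return /getImageData\s*\(/.test(scriptSource) &&
    /\b(eval|Function|setTimeout|setInterval)\s*\(/.test(scriptSource);
}

// Round trip on the constructed image. The payload text is a placeholder; the real
// campaign's extracted code sent the visitor to the fake Flash Player page.
const SAMPLE_PAYLOAD = 'console.log("hidden payload executed")';
function demo() {
  const cover = makeCoverImage(64, 64);
  const carrier = embedPayload(cover, new TextEncoder().encode(SAMPLE_PAYLOAD));
  const hidden = extractPayload(carrier);
  return hidden === null ? null : new TextDecoder().decode(hidden);
}
```

The point for a reviewer of ad creatives: the carrier image differs from the original by at most one unit per colour channel, so it passes any visual or size-based check, and the script that decodes it contains no encoded string blob for a scanner to flag. Only the combination of pixel read-back and dynamic code execution stands out, which is what the heuristic above keys on.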

“VeryMal has run multiple campaigns in waves utilizing the veryield-malyst domain as their redirector since August of last year—this recent one being the most notable due to the steganography that was leveraged for client-side obfuscation,” researchers from Confiant said in a blog post.

“As malvertising detection continues to mature, sophisticated attackers are starting to learn that obvious methods of obfuscation are no longer getting the job done,” the researchers said. “The output of common JavaScript obfuscators is a very particular type of gibberish that can easily be recognized by the naked eye. Techniques like steganography are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables.”

— Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

