Malicious Chrome Extension Steals Cookies and Credentials of Bank Customers

Introduction

While going through new malware samples in our cloud we came across an interesting payload written in Delphi which, unlike traditional banking Trojans, uses a malicious Chrome extension to steal sensitive banking information from Banco do Brasil customers.

The main activity of this Trojan includes:

- Downloads and installs Chrome extension files in .txt format
- Searches for and modifies the target of all Google Chrome shortcuts to load the malicious extension
- Disables the Google Chrome developer-mode extension warning using code from Stack Overflow
- Targets Banco do Brasil (www2.bancobrasil.com.br and bb.com.br) customers
- Steals cookies and credentials using the extension

Figure 1. Main Activity Flowchart

Analysis

The Delphi file contains URLs in a TEdit field, a timer to start the activity, and a button with an OnClick event that downloads the Chrome extension files.

Figure 2. Delphi form

First, the callback on the FormShow event is triggered. It resolves the %APPDATA% path, decrypts the "/Microsoft/" string, and generates two random strings and joins them. After that, the timer callback triggers a button callback that, in turn, downloads the extension files from the server. The button callback creates the directory structure at the path generated earlier by the FormShow callback and sets the hidden attribute on it. It then downloads the remote files, appends the extension ".off" to them, and sets the hidden and read-only attributes on these files. Chrome extension...
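The shortcut-tampering step described above leaves a trace a defender can look for: a Chrome shortcut whose target side-loads an extension from the user's profile. The following is an added detection helper, not code from the original analysis; it assumes the dropper appends Chrome's real --load-extension switch to the shortcut target, and the sample targets it scans are constructed, not indicators from the report.

```python
"""Detection helper (added example, not code from the original analysis):
flag Google Chrome shortcuts whose target line side-loads an extension, the
technique the Delphi dropper above uses to make Chrome load its extension.
Assumes the dropper appends Chrome's real --load-extension switch to the
shortcut target; the sample targets below are constructed, not real IoCs."""
import re
from pathlib import PureWindowsPath

# --load-extension takes a comma-separated list of directories; the value may
# be quoted when a path contains spaces.
LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def extension_dirs_from_target(target: str) -> list[str]:
    """Return the extension directories a shortcut target side-loads ([] if none)."""
    m = LOAD_EXT.search(target)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [p for p in raw.split(",") if p]


def shortcut_findings(target: str) -> list[str]:
    """Human-readable reasons a Chrome shortcut target looks tampered with.

    A stock Chrome shortcut carries no --load-extension switch at all, and an
    extension living under the user's own AppData tree (where the dropper hides
    its files) is the pattern the analysis above describes.
    """
    findings = []
    for d in extension_dirs_from_target(target):
        findings.append(f"side-loads extension from {d}")
        if "appdata" in (p.lower() for p in PureWindowsPath(d).parts):
            findings.append(f"extension directory is under the user profile: {d}")
    return findings


CHROME = r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'
# Constructed sample shortcut targets (hypothetical paths, not from the report).
SAMPLE_TARGETS = {
    "stock": CHROME,
    "profile": CHROME + r' --profile-directory="Profile 1"',
    "tampered": CHROME + r' --load-extension="C:\Users\victim\AppData\Roaming\Microsoft\a8f3kd\x9qp1"',
}

if __name__ == "__main__":
    for name, target in SAMPLE_TARGETS.items():
        print(name, shortcut_findings(target) or "clean")
```

On a live host the target strings would come from the .lnk files in the Desktop, Start Menu and taskbar folders (for example via the WScript.Shell COM object), which is the same place the dropper rewrites them.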