Malicious Chrome Extension

Several malvertising campaigns have been discovered recently by the security experts of Cisco Talos. In these malvertising campaigns, it has been detected that the threat actors have been using the fake installers of popular apps and games like:-

  • WeChat
  • Viber
  • Battlefield
  • NoxPlayer

Hackers have been using these fake installers to trick their victims into downloading a malicious Google Chrome extension with a backdoor. 

All these malware families are in constant development and improvement by their developers. And the malware payloads were attributed by the researchers to an unknown actor with “magnat” alias.

The primary objective of the hacker is to steal sensitive data, credentials and maintain remote access to the compromised system.

Pieces of malware

On the victim’s compromised system, the threat actor executes three pieces of malware by running the fake installers, and here they are mentioned below:-

  • An undocumented malicious browser extension.
  • A password stealer.
  • A “backdoor” for setting up remote access.

Malicious campaign

In these malicious campaigns, the operators have used several file types with the names like:-

  • viber-25164.exe
  • wechat-35355.exe
  • build_9.716-6032.exe
  • setup_164335.exe
  • nox_setup_55606.exe
  • battlefieldsetup_76522.exe

Once these files are executed by the victim, these files start executing the malicious loaders on the compromised system of the victim instead of installing the authentic software.

The threat actors use these malvertising campaigns to target the users by presenting them links to download the fake installers on search engines who are searching for popular software.

Like this, they drop three elements:-

  • A password stealer known as RedLine Stealer.
  • A Chrome extension dubbed “MagnatExtension” to record keystrokes and capture screenshots.
  • An AutoIt-based backdoor that builds remote access on the compromised system.

Targets & Campaign timeline

The primary targets of Magnat are the users from the following countries:-

  • The USA
  • Canada
  • Australia
  • Spain
  • Italy
  • Norway

Here is the timeline analyzed by Cisco TALOS:-

The command-and-control (C2) communications of MagnatExtension is outstanding since the C2 address of this extension is hard-coded. But, with the method in which it arranges a new C2 address from a Twitter search for hashtags like “#aquamamba2019” or “#ololo2019” it accumulates a major drawback.

Here’s what Tiago Pereira, one of the Cisco Talos researchers, said:-

“Based on the use of password stealers and a Chrome extension that is similar to a banking trojan, we assess that the attacker’s goals are to obtain user credentials, possibly for sale or for his own use in further exploitation.”

While the threat actors will continue to develop and improve the campaigns like this to steal sensitive data and credentials. So, the experts recommended that users should always use robust security mechanisms and tools to stay safe.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.

Posted by Charlie