A large-scale malware campaign targeting Google Chrome and Microsoft Edge users has been uncovered by cybersecurity experts at ReasonLabs. This sophisticated attack has resulted in the installation of malicious browser extensions over 300,000 times, putting users’ data and privacy at significant risk.
The Evolution of the Attack
The campaign, active since 2021, has evolved from initially mimicking game add-on download sites to a more complex operation. Currently, attackers are leveraging malicious advertisements in Google search results to lure victims into downloading fake software installers. These installers, bearing a digital signature from “Tommy Tech LTD,” have managed to evade detection by antivirus solutions on VirusTotal.
How the Malware Operates
Instead of providing the advertised software, these installers execute a PowerShell script that downloads and runs malicious payloads from the attackers’ remote servers. The script also modifies the Windows registry to force-install extensions from the Chrome Web Store and Microsoft Edge Add-ons.
Key Malware Actions:
- Creates scheduled tasks for periodic malware updates
- Installs multiple malicious extensions in Chrome and Edge
- Intercepts search queries and redirects traffic through attacker-controlled servers
- Steals browsing history and other sensitive information
- Redirects users to malicious or advertising pages
Persistence and Concealment Techniques
The malware employs sophisticated methods to maintain its presence on infected systems:
- Hides from the browser’s extension management page, even in developer mode
- Modifies browser shortcuts to force-load malicious extensions
- Disables automatic browser updates to prevent security improvements
- Alters browser DLL files to change the default home page
Removal and Prevention
Removing this malware requires a multi-step process:
- Delete suspicious scheduled tasks in Windows Task Scheduler
- Remove malicious registry entries
- Use antivirus software or manually delete malware files from C:\Windows\System32
- Reinstall the browser to ensure complete removal of modifications
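Two of the behaviours above (registry-forced extension installs and tampered browser shortcuts) can be audited before reinstalling anything. The following PowerShell is an added example written for this article, not code from ReasonLabs or the article itself; it assumes the forced installs use the standard Chrome/Edge ExtensionInstallForcelist policy key, which the article does not name, and reports any browser shortcut that carries extra command-line arguments.

```powershell
# Added audit example (not from the article): list forced browser extensions
# and browser shortcuts with injected arguments. Run in an elevated shell.
# Assumption: forced installs live under the standard policy key below.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)

function Get-ForcedExtensions {
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            # Each value is "<32-char extension id>;<update url>" (url optional)
            $id, $url = $item.GetValue($name) -split ';', 2
            [pscustomobject]@{ Key = $key; Index = $name; ExtensionId = $id; UpdateUrl = $url }
        }
    }
}

function Get-SuspiciousShortcuts {
    $shell = New-Object -ComObject WScript.Shell
    $dirs = @(
        [Environment]::GetFolderPath('Desktop'),
        [Environment]::GetFolderPath('CommonDesktopDirectory'),
        [Environment]::GetFolderPath('StartMenu'),
        [Environment]::GetFolderPath('CommonStartMenu')
    )
    Get-ChildItem -Path $dirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            # A clean browser shortcut has no arguments; --load-extension
            # or a rewritten target is the sign of tampering described above.
            if ($lnk.TargetPath -match 'chrome\.exe$|msedge\.exe$' -and $lnk.Arguments.Trim() -ne '') {
                [pscustomobject]@{ Shortcut = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
            }
        }
}

Write-Host '== Forced extensions (policy registry) =='
Get-ForcedExtensions | Format-Table -AutoSize
Write-Host '== Browser shortcuts with extra arguments =='
Get-SuspiciousShortcuts | Format-Table -AutoSize
```

Any extension ID the output lists that your organisation did not deploy by policy, and any shortcut argument at all, is worth removing before the browser reinstall step; the same policy keys are also the place to delete entries manually.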
This widespread malware campaign underscores the importance of vigilance when downloading software and browser extensions. Users should always verify the authenticity of sources and maintain up-to-date security solutions. As cyber threats continue to evolve, staying informed and practicing good cybersecurity hygiene remains crucial for protecting personal and sensitive information online.