Malware Extensions Hit Users Globally

Since early 2025, a campaign dubbed Operation Phantom Enigma has been infecting users with malicious extensions for Chromium-based browsers, delivered through phishing emails. More than 700 users, most of them in Brazil, have been infected. The extensions steal bank authentication data from their victims.

How the Attack Begins

The phishing emails pose as invoices and are sent from compromised company servers, so they arrive from legitimate-looking senders. Each email carries a link or attachment that starts the chain: a batch script runs first and downloads a PowerShell script, which in turn installs the malicious extension on the victim's system.

Malware Deployment Tactics

The PowerShell script disables User Account Control (UAC), so the privileged changes it makes afterwards run without prompting the user. It checks whether it is running in a virtual environment and whether Diebold Warsaw, the security plugin used for Brazilian online banking, is installed, which marks the host as a likely banking customer. It then contacts a remote server for further commands, giving the attackers ongoing control over the infected machine.

Extension Capabilities

The extensions accept commands such as PING and START_SCREEN from the attackers' server. They are installed silently through the browser's ExtensionInstallForcelist policy, a registry-backed enterprise setting meant for IT administrators that forces an extension to install and prevents the user from removing it. On Banco do Brasil pages the extension steals authentication tokens while showing the victim a fake QR code or a loading screen, and the attackers use the stolen tokens to access the account.

Global Reach and Impact

The malware reached 70 unique companies across Brazil, Colombia, and other regions. The extension's commands contain German words, which suggests the code was reused from another project. The report notes that the focus remains on Brazilian bank customers, but the compromised companies and infected users span a much wider area.

Unique Techniques in Latin America

In a variant seen in Latin America, the attackers deliver Windows Installer (MSI) and Inno Setup packages that drop a MeshCentral Agent or PDQ Connect Agent, both legitimate remote-management tools, alongside the extension. An open directory on the attackers' infrastructure exposed the identifier “EnigmaCyberSecurity”. Packaging legitimate remote-management agents in ordinary installers makes this distribution method harder to spot.

Risks to Users and Companies

The primary goal is theft of bank authentication data. Sending the phishing emails from compromised company servers lends them credibility and extends their reach, and the use of legitimate tools (remote-management agents and a browser policy intended for IT administrators) lets the malware blend into normal activity. Both factors make detection and cleanup harder for users and companies.

Broader Implications for Security

The campaign shows how phishing has evolved: the attackers abuse trusted infrastructure and legitimate administrative mechanisms rather than relying on obviously malicious files. Both individual users and companies are exposed, and defenses have to account for abuse of legitimate features, not just known-bad binaries.

Preventing Malware Extension Attacks

To stop malicious extensions, do not open links or attachments in unexpected invoice emails; confirm invoices with the sender through a separate channel. Keep endpoint protection up to date so it can flag suspicious batch and PowerShell scripts, and keep browser security settings enabled. Companies should also audit the ExtensionInstallForcelist policy keys and the UAC setting on their hosts, watch for remote-management agents that IT did not deploy, and train staff to recognise phishing. These steps help prevent both the infection and the theft of banking data.
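The following PowerShell script is an added example, not code from the report or from the campaign itself. It audits a Windows host for the three host-side traces the article describes: UAC disabled, extensions force-installed through the Chrome and Edge ExtensionInstallForcelist policy keys, and MeshCentral or PDQ Connect services. The registry paths are the documented policy locations; the approved-extension list and the service-name patterns are assumptions to be adjusted for your environment.

```powershell
# Added hunting script (not from the report or the campaign artifacts).
# Audits a Windows host for the host-side indicators described in the article:
#   1. UAC disabled (EnableLUA = 0)
#   2. Extensions force-installed through ExtensionInstallForcelist (Chrome and Edge)
#   3. Remote-management agents (MeshCentral, PDQ Connect) registered as services
# Run from an elevated PowerShell prompt so HKLM policy keys are readable.

# Assumption: fill with the 32-character extension IDs your IT department legitimately force-installs.
$ApprovedExtensionIds = @()

$Findings = @()

# 1. UAC state. EnableLUA = 0 under the System policy key means UAC is switched off.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue
if ($uac -and $uac.EnableLUA -eq 0) {
    $Findings += [pscustomobject]@{ Check = 'UAC'; Detail = "$uacKey EnableLUA = 0 (UAC disabled)" }
}

# 2. Force-installed extensions. Each value under a Forcelist key is named 1, 2, ... and
#    holds "<extension-id>;<update-url>" (the update URL may be omitted for Web Store items).
$ForcelistKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
foreach ($key in $ForcelistKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip PowerShell's own PSPath/PSParentPath/PSChildName/... properties.
        if ($p.Name -like 'PS*') { continue }
        $id, $updateUrl = ($p.Value -split ';', 2)
        if ($ApprovedExtensionIds -notcontains $id) {
            $Findings += [pscustomobject]@{
                Check  = 'ForcedExtension'
                Detail = "$key -> id=$id update=$updateUrl"
            }
        }
    }
}

# 3. Remote-management agents. Service-name patterns are assumptions; adjust to your environment.
$AgentPatterns = @('*Mesh Agent*', '*MeshAgent*', '*PDQ Connect*')
Get-Service | Where-Object {
    $svc = $_
    $AgentPatterns | Where-Object { $svc.Name -like $_ -or $svc.DisplayName -like $_ }
} | ForEach-Object {
    $Findings += [pscustomobject]@{ Check = 'RemoteAgent'; Detail = "$($_.DisplayName) [$($_.Name)] ($($_.Status))" }
}

if ($Findings.Count -eq 0) {
    'No indicators found.'
} else {
    $Findings | Format-Table -AutoSize
}
```

A hit on the ForcedExtension check is not proof of compromise on its own, since IT departments use the same policy legitimately; compare the extension ID and update URL against your own deployment records. A forcelist entry whose update URL points outside the vendor's store, combined with EnableLUA = 0 and an agent nobody deployed, matches the pattern described above and warrants isolating the host.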
