A widespread malware campaign has recently been detected, affecting over 300,000 users by installing rogue extensions in Google Chrome and Microsoft Edge browsers. This malware is being distributed through trojan software, which users unwittingly download from fake websites that mimic popular software platforms.
According to the report, the trojan carries a variety of harmful components. These range from simple adware extensions that manipulate search results to more complex scripts capable of stealing sensitive information and executing various commands. The malware, active since 2021, is typically found on counterfeit download sites that offer add-ons for online games and video content.
The campaign’s significant reach indicates its effectiveness, as it has already compromised a substantial number of users across Chrome and Edge browsers. Central to the campaign’s strategy is the use of malvertising, which pushes users to visit fake websites promoting well-known software such as Roblox FPS Unlocker, YouTube, VLC media player, Steam, and KeePass. These websites trick users into downloading trojans, which then install the malicious browser extensions.
The trojan’s malicious installers are digitally signed and programmed to execute a PowerShell script via a scheduled task. This script downloads and runs the next stage of the payload from a remote server, altering the Windows Registry to force the installation of extensions from the Chrome Web Store and Microsoft Edge Add-ons. These extensions are designed to hijack search queries on Google and Microsoft Bing, redirecting them through servers controlled by the attackers.
One particularly concerning aspect of this malware is that the extensions it installs cannot be disabled by users, even with Developer Mode enabled. Moreover, newer versions of the malware script are designed to prevent browser updates, further entrenching the malware on the infected system.
In addition to redirecting search queries from Ask.com, Bing, and Google, the malware also deploys a local extension downloaded directly from a command-and-control server. This extension has extensive capabilities, including intercepting all web requests, receiving commands and encrypted scripts, and injecting malicious scripts into every page visited by the user.
To mitigate the impact of this malware, affected users are strongly advised to take immediate action by deleting the scheduled tasks that re-enable the malware daily, removing specific Registry keys, and deleting several files and folders from their systems, including:
– C:\Windows\system32\Privacyblockerwindows.ps1
– C:\Windows\system32\Windowsupdater1.ps1
– C:\Windows\system32\WindowsUpdater1Script.ps1
– C:\Windows\system32\Optimizerwindows.ps1
– C:\Windows\system32\Printworkflowservice.ps1
– C:\Windows\system32\NvWinSearchOptimizer.ps1 – 2024 version
– C:\Windows\system32\kondserp_optimizer.ps1 – May 2024 version
– C:\Windows\InternalKernelGrid
– C:\Windows\InternalKernelGrid3
– C:\Windows\InternalKernelGrid4
– C:\Windows\ShellServiceLog
– C:\windows\privacyprotectorlog
– C:\Windows\NvOptimizerLog
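The clean-up described above, expressed as a host audit script. This is an added example written for this page, not tooling from the researchers who reported the campaign. It takes the file and folder paths from the list above verbatim. Because the report does not name the scheduled tasks or the Registry keys involved, the script locates tasks by the dropped script they launch rather than by task name, and it reads the standard Chrome and Edge ExtensionInstallForcelist policy keys, which is an assumption about how the forced extension installs are applied. It is read-only unless `-Remove` is passed, and even then the policy entries are only reported for review, since an enterprise may set them legitimately.

```powershell
#Requires -RunAsAdministrator
<#
Added example for this page, not tooling from the report's authors.
Audits a Windows host for the artifacts the report lists and for the persistence
around them. Read-only unless -Remove is given; force-install policy entries are
always reported rather than deleted, because they may be legitimate enterprise policy.
Assumptions (the report does not name them): scheduled tasks are matched by the
script they launch, and the Registry change is assumed to be the standard
Chrome/Edge ExtensionInstallForcelist policy.
#>
[CmdletBinding()]
param([switch]$Remove)

# File and folder paths quoted in the report.
$ArtifactPaths = @(
    'C:\Windows\system32\Privacyblockerwindows.ps1',
    'C:\Windows\system32\Windowsupdater1.ps1',
    'C:\Windows\system32\WindowsUpdater1Script.ps1',
    'C:\Windows\system32\Optimizerwindows.ps1',
    'C:\Windows\system32\Printworkflowservice.ps1',
    'C:\Windows\system32\NvWinSearchOptimizer.ps1',
    'C:\Windows\system32\kondserp_optimizer.ps1',
    'C:\Windows\InternalKernelGrid',
    'C:\Windows\InternalKernelGrid3',
    'C:\Windows\InternalKernelGrid4',
    'C:\Windows\ShellServiceLog',
    'C:\windows\privacyprotectorlog',
    'C:\Windows\NvOptimizerLog'
)

# Standard browser policy locations for forced extension installs (assumption, see header).
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Type, [string]$Location, [string]$Detail, $Ref) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail; Ref = $Ref })
}

# 1. Dropped scripts and log folders.
foreach ($p in $ArtifactPaths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p -Force
        Add-Finding 'File' $p "last written $($item.LastWriteTime)" $item
    }
}

# 2. Scheduled tasks whose action launches one of the dropped .ps1 files
#    (the report says such a task re-enables the malware daily).
$scriptNames = $ArtifactPaths | ForEach-Object { [IO.Path]::GetFileName($_) } | Where-Object { $_ -like '*.ps1' }
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($scriptNames | Where-Object { $cmd -like "*$_*" }) {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd $task
        }
    }
}

# 3. Force-install policy entries; each value has the form "<extension id>;<update url>".
foreach ($k in $PolicyKeys) {
    if (Test-Path -LiteralPath $k) {
        $props = Get-ItemProperty -LiteralPath $k
        foreach ($v in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            Add-Finding 'ForceInstallPolicy' $k "$($v.Name) = $($v.Value)" $v.Name
        }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No artifacts from the report found.'; return }
$findings | Format-Table Type, Location, Detail -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        switch ($f.Type) {
            'File'          { Remove-Item -LiteralPath $f.Location -Recurse -Force }
            'ScheduledTask' { $f.Ref | Unregister-ScheduledTask -Confirm:$false }
            default         { Write-Warning "Review manually before removing: $($f.Location) [$($f.Detail)]" }
        }
    }
}
```

Run it from an elevated PowerShell session first without `-Remove` to see the table of hits, then with `-Remove` once the findings have been reviewed. The task lookup is deliberately keyed on the command line rather than the task name, so a renamed task that still launches one of the listed scripts is caught; the policy entries are left for a human because the same Registry values are what a legitimately managed browser uses, and a forced extension ID should be compared against what the organisation actually deploys before it is deleted.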
This is not the first instance of such a campaign being detected. In December 2023, cybersecurity experts reported a similar trojan installer distributed via torrents. This previous attack also installed malicious browser extensions, but those extensions were disguised as VPN applications intended to carry out “cashback activity hacks.”
To protect yourself from this malware, it’s essential to be cautious when downloading software, especially from unofficial or unfamiliar websites. Always verify the authenticity of the site and the software before proceeding. Keep your browser and security software up to date, and consider using tools that can detect and block suspicious extensions.
Additionally, avoid clicking on links or downloading files from unsolicited emails, and regularly review your browser extensions to ensure they are legitimate.