Backdoors And Malicious Chrome Extensions Spread by New Malvertising Campaigns


Fake installers for popular applications and games, including Viber, NoxPlayer, WeChat, and Battlefield, have been used by a new threat actor to trick users into downloading a new backdoor and a previously undocumented malicious Google Chrome extension. The payloads steal credentials and data from compromised computers while also maintaining persistent remote access.

Cisco Talos attributes the malware payloads to an unknown actor using the pseudonym “magnat,” and notes that the developers of these two malware families have been continuously developing and improving them. The attacks are thought to have started in late 2018, with sporadic activity seen towards the end of 2019 and early 2020, followed by a new increase since April 2021. The targeted users are mainly in Canada, Australia, Spain, Italy, Norway, and the United States.

A significant component of the intrusions is the use of malvertising to target people searching for popular software on search engines, serving them links to bogus installers. Those installers drop a password stealer named RedLine Stealer, a Chrome extension known as “MagnatExtension” that records keystrokes and captures screenshots, and an AutoIt-based backdoor that grants remote access to the system.

MagnatExtension, which disguises itself as Google’s Safe Browsing, also has capabilities useful to attackers, such as collecting form data, harvesting cookies, and running arbitrary JavaScript code. According to Talos’ analysis of telemetry data, the first sample of the browser add-on was seen in August 2018.

The extension’s command-and-control (C2) communications are also noteworthy. Although the C2 address is hard-coded, the current C2 can update it with a list of other C2 domains. If that fails, the extension falls back to a backup technique for acquiring a new C2 address: searching Twitter for hashtags like “#aquamamba2019” or “#ololo2019.”

The domain name is then derived by concatenating the initial letters of each word in the matching tweet text, so that “Squishy turbulent areas terminate active round engines after dank years. Industrial creepy units” becomes “stataready[.]icu.” Once an active C2 server is found, the harvested data is exfiltrated in the body of an HTTP POST request as an encrypted JSON string, with the encryption key hard-coded in the decryption function.
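For defenders, the tweet-to-domain rule above is worth turning into code: if you collect the tweets posted under the watched hashtags, you can derive the candidate C2 domains and feed them to a blocklist or hunt for them in DNS logs before the extension resolves them. The following Python is an added example, not code from the article or from Talos. It assumes the acrostic rule exactly as the article states it (first letter of each word, lowercased, with a sentence-ending period becoming the dot between label and TLD, which reproduces the article’s example) and additionally assumes that hashtags and mentions are not part of the acrostic. The hashtags come from the article; the sample tweets other than the one quoted in the article are constructed for the example.

```python
"""
Derive candidate C2 domains from tweet text using the acrostic rule described
in the article, and emit them defanged for blocklisting or log hunting.
Written as a blue-team helper; not part of the original article or of Talos' tooling.
"""
import re
from typing import Iterable, List, Tuple

# Hashtags named in the article as the extension's fallback C2 lookup.
WATCHED_HASHTAGS = {"#aquamamba2019", "#ololo2019"}


def domain_from_tweet(text: str) -> str:
    """Apply the acrostic rule: first letter of each word, lowercased.

    A word that ends a sentence (trailing '.') also contributes the dot, so
    "... dank years. Industrial creepy units" yields "...dy.icu".
    Hashtags and @mentions are skipped (assumption: they are not part of the acrostic).
    """
    letters = []
    for word in text.split():
        if word.startswith(("#", "@")):
            continue
        alnum = re.sub(r"[^A-Za-z0-9]", "", word)
        if not alnum:
            continue
        letters.append(alnum[0].lower())
        if word.endswith("."):
            letters.append(".")
    return "".join(letters).strip(".")


def defang(domain: str) -> str:
    """Render a domain so it cannot be clicked when pasted into a report."""
    return domain.replace(".", "[.]")


def candidate_c2_domains(tweets: Iterable[str],
                         hashtags: Iterable[str] = WATCHED_HASHTAGS) -> List[Tuple[str, str]]:
    """Return (hashtag, defanged_domain) for each tweet that carries a watched
    hashtag and whose acrostic forms a syntactically plausible domain."""
    watched = {h.lower() for h in hashtags}
    found = []
    for text in tweets:
        tags = {t.lower() for t in re.findall(r"#\w+", text)}
        hit = tags & watched
        if not hit:
            continue
        domain = domain_from_tweet(text)
        # A usable domain needs at least one label plus a TLD.
        if re.fullmatch(r"[a-z0-9]+(\.[a-z0-9]+)+", domain):
            found.append((sorted(hit)[0], defang(domain)))
    return found


# Constructed sample input: the first tweet is the article's example; the
# other two are made up for this example.
SAMPLE_TWEETS = [
    "Squishy turbulent areas terminate active round engines after dank years. "
    "Industrial creepy units #aquamamba2019",
    "Nothing to see here, just a normal tweet about coffee. #mondaymood",
    "Bright apples keep evil rats. Xenon yawns zealously #ololo2019",
]

if __name__ == "__main__":
    for tag, dom in candidate_c2_domains(SAMPLE_TWEETS):
        print(f"{tag}: {dom}")
```

Run as a script it prints `#aquamamba2019: stataready[.]icu` followed by the constructed `#ololo2019: baker[.]xyz`. The plausibility regex is deliberately loose; its purpose is only to drop tweets whose acrostic contains no dot, which could never resolve as a domain.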

According to Cisco Talos researcher Tiago Pereira, the use of password stealers and a Chrome extension that behaves like a banking trojan suggests the attacker intends to gather user credentials, perhaps for sale or for personal use in future exploitation. The reason for installing an RDP backdoor is unknown. The most likely scenarios are the sale of RDP access, the use of RDP to bypass online-service security controls based on IP address or other endpoint-installed tools, or the use of RDP for further exploitation of systems that look attractive to the attacker.

About the author

CIM Team


CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.