Malware force-installs Chrome extensions on 300,000 browsers, patches DLLs

August 9, 2024 at 11:25AM

A widespread malware campaign installed malicious Google Chrome and Microsoft Edge browser extensions that stole browsing history and data. The malware employed diverse malvertising themes, infecting victims’ web browsers through fake software installers and digitally signed downloaders. It evaded antivirus detection, hijacked browser homepages, and persisted on the system, necessitating manual removal steps for victims.

The campaign infected over 300,000 web browsers by force-installing malicious extensions for Google Chrome and Microsoft Edge. The malware, which was undetected by antivirus tools, was designed to steal data, execute commands, and perform various malicious activities.

The campaign lured victims into downloading software installers from fake sites; the installers were digitally signed by ‘Tommy Tech LTD’. These installers ran a PowerShell script that downloaded a payload from a remote server, modified the Windows registry, forced the installation of extensions from the Chrome Web Store and Microsoft Edge Add-ons, and created a scheduled task to load the PowerShell script at different intervals.

The infected extensions were designed to hijack users’ search queries, redirect them to malicious results or advertisement pages, and capture sensitive information. The extensions remained hidden from the browser’s extensions management page, making their removal complicated.

The malware also used various methods to remain persistent on the machine, such as manipulating web browser shortcut links, disabling the browser’s automatic update mechanism, and modifying DLLs used by the browsers to hijack the browser’s homepage. This made the removal process difficult and likely required uninstalling and reinstalling the browser.

To remove the infection, victims needed to delete the scheduled task, remove malicious registry entries, and delete the malware files from the system. Reinstalling the browser after the cleanup process was highly recommended due to the invasive modifications performed by the malware.
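A read-only triage script for the persistence points listed above, added here as an example and not taken from the article or the original research. It assumes forced installs appear under the documented `ExtensionInstallForcelist` policy keys for Chrome and Edge (the article does not name the registry entries), and the function names are hypothetical.

```powershell
# Added example: lists candidates for manual review; it changes nothing.
# Assumption: forced extensions are registered under the standard
# ExtensionInstallForcelist policy keys (not named in the article).
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)

function Get-ForcedExtension {
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            # Each value is "<extension id>" or "<extension id>;<update URL>"
            $id, $url = ([string]$item.GetValue($name)) -split ';', 2
            [pscustomobject]@{ Key = $key; ExtensionId = $id; UpdateUrl = $url }
        }
    }
}

function Get-PowerShellTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Non-exec actions have no Execute/Arguments and never match
            if ("$($action.Execute) $($action.Arguments)" -match 'powershell|pwsh|\.ps1') {
                [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; Execute = $action.Execute; Arguments = $action.Arguments }
            }
        }
    }
}

function Get-BrowserShortcut {
    $shell = New-Object -ComObject WScript.Shell
    $roots = 'Desktop', 'CommonDesktopDirectory', 'StartMenu', 'CommonStartMenu' | ForEach-Object { [Environment]::GetFolderPath($_) }
    Get-ChildItem -Path $roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if ("$($_.Name) $($lnk.TargetPath)" -match 'chrome|edge') {
            [pscustomobject]@{ Shortcut = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
        }
    }
}

Get-ForcedExtension | Format-Table -AutoSize -Wrap
Get-PowerShellTask  | Format-Table -AutoSize -Wrap
Get-BrowserShortcut | Format-Table -AutoSize -Wrap
```

On a machine that is not managed by an organization, any entry from `Get-ForcedExtension` deserves a closer look; shortcut targets or arguments that do not point at the stock browser executable are the other quick signal.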

It’s a critical situation that requires prompt action to protect the affected users and prevent further damage.
