Summary:
Researchers at ReasonLabs have uncovered details of a ongoing widespread malware campaign that is forcefully installing malicious browser extensions on targeted endpoints. To date, ReasonLabs has observed atleast 300,000 impacted users across Google Chrome and Microsoft Edge. In the latest campaign, actors are setting up domains hosting fake installers for software like Roblox FPS Unlocker, TikTok Video Downloader, YouTube downloader, VLC video player, Dolphin Emulator, and KeePass password manager to infect unsuspecting end users with trojans designed to install malicious browser extensions.


“The executables downloaded from the fake websites do not even attempt to install the program the user wanted. In some newer versions, we’ve witnessed installations that pull the original program from a Google storage link, using API to download it. Once a user downloads the program from the lookalike website, the program registers a scheduled task using a pseudonym that follows the pattern of a PowerShell script file name, like Updater_PrivacyBlocker_PR1, MicrosoftWindowsOptimizerUpdateTask_PR1, and NvOptimizerTaskUpdater_V2,” stated researchers in their blog post.


The program is configured to run a PowerShell script which is loaded by the Scheduled task at different intervals. For its part, the PowerShell script is designed to add registry values to force the installation of extensions from the store (HKLM: \SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist, HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist). Through these extensions, threat actors are able to hijack user’s search queries and redirect them to malicious results or advertisement pages. The extensions are also capable of capturing login credentials, browsing history, and other sensitive information, monitoring the victim's online activity, and executing commands received from the command and control (C2) server. Notably, the extensions remain hidden from the browser's extensions management page, even when developer mode is activated, making removal difficult.


Security Officer Comments:


Researchers state that the installers are digitally signed by ‘Tommy Tech LTD.’ As such, they have successfully managed to evade detection by most AV engines on VirusTotal. Taking a look at the PowerShell scripts employed in this campaign, some of the newer versions are designed to disable the browser's automatic update mechanism when the browser is started, preventing Chrome's built-in protections from being updated and detecting the payloads. This also prevents the installation of security updates, leaving victim’s browsers susceptible to newly discovered vulnerabilities. Another interesting feature of the PowerShell scripts is that they will modify the DLLs used by Google Chrome and Microsoft Edge to hijack the browser's homepage to one under the threat actor's control, opening the door for various malicious operations.

Suggested Corrections:
Impacted users have been advised to remove the scheduled task from the Windows Task Scheduler, remove the malicious registry entries that are forcing the extensions on browsers, and delete the the following files and folders from the system:

• C:\Windows\system32\Privacyblockerwindows.ps1
• C:\Windows\system32\Windowsupdater1.ps1
• C:\Windows\system32\WindowsUpdater1Script.ps1
• C:\Windows\system32\Optimizerwindows.ps1
• C:\Windows\system32\Printworkflowservice.ps1
• C:\Windows\system32\NvWinSearchOptimizer.ps1 - 2024 version
• C:\Windows\system32\kondserp_optimizer.ps1 - May 2024 version
• C:\Windows\InternalKernelGrid
• C:\Windows\InternalKernelGrid3
• C:\Windows\InternalKernelGrid4
• C:\Windows\ShellServiceLog
• C:\windows\privacyprotectorlog
• C:\Windows\NvOptimizerLog

For detailed instructions, please defer to ReasonLabs’ blog post below:

https://reasonlabs.com/research/new-widespread-extension-trojan-malware-campaign

Link(s):
https://www.bleepingcomputer.com/ne...-extensions-on-300-000-browsers-patches-dlls/