As part of an adware campaign aimed at Russian users of Google Chrome, Opera, and Mozilla Firefox browsers, a malicious browser extension with 350 different variants is posing as a Google Translate add-on.
Zimperium, a mobile security company, gave the malware family the name "ABCsoup" and explained that the "extensions are installed onto a victim's machine via a Windows-based executable, bypassing most endpoint security solutions, along with the security controls found in the official extension stores."
Rogue browser add-ons are distributed with the same extension ID as the official Google Translate add-on, which is "aapbdbdomjkkjkaonfhkkikfgjllcleb." This is done in an attempt to deceive users into thinking that they have installed a legitimate extension on their browsers.
The browsers' official web stores do not currently host these extensions for download. Instead, they are delivered to the victim's computer by a variety of Windows executables that install the add-on into whichever browser the victim uses.
If the targeted user already has the Google Translate extension installed, the malicious variant replaces the legitimate one because it carries a higher version number than the original (30.2.5 vs. 2.0.10).
According to a researcher from Zimperium named Nipun Gupta, "Furthermore, when this extension is installed, Chrome Web Store assumes that it is Google Translate and not the malicious extension since the Web Store only checks for extension IDs."
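A defender-side check for the ID-spoofing and version-precedence trick described above, written here as an added example (not Zimperium's or Google's code): it walks the extension entries of a Chrome profile's Preferences / Secure Preferences JSON and flags the Google Translate ID when its version exceeds the legitimate 2.0.10, or any extension that was not installed from the Web Store. The field names (`extensions.settings`, `from_webstore`, `manifest.update_url`) and the Web Store update URL are assumptions about Chrome's preferences layout, not values from the article; the sample input is constructed.

```python
# Extension ID and version numbers as given in the article
TRANSLATE_ID = "aapbdbdomjkkjkaonfhkkikfgjllcleb"
LEGIT_TRANSLATE_VERSION = "2.0.10"
# Chrome Web Store update endpoint; assumed here, not taken from the article
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def parse_version(text):
    """Turn a dotted version string such as '30.2.5' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def audit_extensions(prefs):
    """Walk the extensions.settings map of a Chrome profile's Preferences /
    Secure Preferences JSON and return {extension_id: [reasons]} for entries
    that look sideloaded or that spoof Google Translate. The field names
    (manifest, from_webstore, update_url) are assumed from Chrome's prefs layout."""
    findings = {}
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        reasons = []
        manifest = entry.get("manifest", {})
        version = manifest.get("version", "0")
        # The article's variant wins the version race (30.2.5 vs 2.0.10)
        if ext_id == TRANSLATE_ID and parse_version(version) > parse_version(LEGIT_TRANSLATE_VERSION):
            reasons.append(f"Google Translate ID at version {version}, above known-good {LEGIT_TRANSLATE_VERSION}")
        # Dropped in by a Windows executable rather than installed from the store
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Web Store")
        if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
            reasons.append("update_url missing or not the Web Store endpoint")
        if reasons:
            findings[ext_id] = reasons
    return findings


# Constructed sample: one spoofed Translate entry as described in the article
# and one benign Web Store extension with a made-up ID.
SAMPLE_PREFS = {"extensions": {"settings": {
    TRANSLATE_ID: {"from_webstore": False,
                   "manifest": {"name": "Google Translate", "version": "30.2.5"}},
    "benignbenignbenignbenignbenignbe": {"from_webstore": True,
                   "manifest": {"name": "Example", "version": "1.0",
                                "update_url": WEBSTORE_UPDATE_URL}},
}}}

if __name__ == "__main__":
    # Swap SAMPLE_PREFS for a parsed Secure Preferences file to audit a real profile
    for ext_id, reasons in audit_extensions(SAMPLE_PREFS).items():
        print(ext_id, "->", "; ".join(reasons))
```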
All of the observed variants of the extension are geared toward serving pop-ups, harvesting personal information in order to deliver target-specific ads, fingerprinting searches, and injecting malicious JavaScript that can further act as spyware to capture keystrokes and monitor web browser activity. All of these activities are carried out in an effort to generate revenue.
The primary purpose of ABCsoup is to search the currently open websites in the browser for Russian social networking services such as Odnoklassniki and VK. If either of these services is found, then ABCsoup will collect the first and last names, birth dates, and gender of its users before sending this information to a remote server.
This information is not only used by the malware to serve personalized advertisements, but the extension also comes with the capability to inject custom JavaScript code based on the websites that are opened. Included in this list are YouTube, Facebook, ASKfm, Mail.ru, Yandex, Rambler, Avito, Brainly's Znanija, Kismia, and rollApp, all of which point to a significant emphasis on Russia.
Zimperium has attributed the campaign to a "well-organized group" of Eastern European and Russian origin. The extensions were designed to target Russian users given the wide variety of local domains that were targeted in the campaign.
According to Gupta, "This malware was purposefully designed to target all different kinds of users and it accomplishes its purpose of retrieving user information." "It is simple to use the injected scripts to serve more malicious behavior into the browser session, such as keystroke mapping and data exfiltration," Gupta adds.