InfoSec Handlers Diary Blog – Second Google Chrome Extension Banker Malware in Two Weeks


It seems that Google Chrome extensions have become quite the tool for banking malware fraudsters. Two weeks ago, an offender phoned a victim and asked him to install a supposedly new bank security module that was, instead, a malicious extension hosted in the Google Chrome app store and aimed at stealing the victim’s banking credentials [1]. This week I received a report about a targeted email phishing campaign against another company, with a suspicious attachment. The attachment, after the analysis detailed in today’s diary, revealed itself to be another Google Chrome extension prepared to steal banking credentials, credit card numbers and CVV numbers, and to tamper with “compensation tickets” (a popular and particular Brazilian payment method; we call it “boleto”) in order to divert payments.

To increase the success rate and entice the victim’s attention to the message, scammers used a previously hijacked company email account to threaten employees with a fake layoff list attached to the message in a “zip” file that contained the first part of the malware.

I named it IDKEY due to the name of the extension it deploys.

After analyzing many different malware parts and lots of obfuscated code, it was possible to understand the threat’s flow, from the phishing e-mail to the malicious actions, as seen in Figure 1. A textual description follows:

• The e-mail attachment “zip” file contains an obfuscated “.vbs” script that, once executed, collects system information and sends it to a C&C server;

• Based on the received information, the C&C server decides whether the victim’s machine is a virtual machine (VM). If so, it returns a URL to a non-malicious JPEG file. Otherwise, it returns a URL to the second part of the malware;

• The VBE script makes additional system checks and downloads a “zip” file (a real one this time) which contains a “Chrome” directory and a DLL;

• The malicious extension, called IDKEY STOR (a very suggestive name in English), starts to monitor all visited websites to identify sensitive information. When it matches specific strings, the fraud begins;

• When the victim generates a compensation ticket (the “boleto” mentioned earlier), which carries a barcode, the malware intercepts the page loading, communicates with the C&C and asks for a fraudulent barcode number. It then communicates with an open API at another financial institution in Brazil, has it generate a barcode image, and overwrites the original one. As a result, the payment is diverted to an account chosen by the fraudsters.

One of the first malware actions done by the VBS attached to the phishing e-mail is collecting a bunch of machine information and sending it to the C&C server, as shown in Figures 2 and 3.

The result of this HTTP POST request was the URL “hxxp://”, which points to a regular JPEG file – a clear strategy to mislead sandboxes. To bypass this control, it was enough to replace the “VMWare” terms in the request with something else, as shown in Figure 4. This time, the C&C returned a URL to the next piece of malware.

Another part of the malware that caught my attention was how the Google Chrome extension’s JavaScript code was obfuscated. It uses an array of hexadecimal-escaped strings followed by a function that reorders the array. The array is then referenced all over the code, as seen in Figure 5. I have seen this approach before, but this time I had to decode the source before advancing: it was not possible to read it otherwise.

Alas, reading the code is still far from easy because of the array-reference approach. To overcome this, it was necessary to create a “decode” function that maps every ‘array[“position”]’ reference (like ‘_0xb33d[“0x0”]’) to the string at its array position and replaces it, as seen in Figure 7.

Loading this code, we had the decoded JavaScript printed to the console, as seen in Figure 8; it was finally possible to understand the malicious intent described in this article.
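As an added example (my own code, not the decode function from the diary or anything taken from the IDKEY sample), here is a small JavaScript de-obfuscator for the pattern described above: it pulls the hex-escaped string array out of the source, applies the rotation performed by the shim that follows the array, and replaces each ‘_0xNNNN[“0xNN”]’ reference with the decoded literal. The input source, the array contents and the shim shape (a `while(--n) push(shift())` loop called with `++n`, so the net rotation equals the numeric literal at the call site) are constructed assumptions for the demo; only the array name `_0xb33d` is borrowed from the article.

```javascript
// Added example: de-obfuscator for the "hex string array + rotate shim +
// _0xNNNN['0x..'] references" pattern. Everything below is constructed.

// Constructed sample in that style. Inside this template literal "\\x6f"
// yields the two characters "\x6f", i.e. the escape as it appears in source.
const SAMPLE = `
var _0xb33d = ['\\x6f\\x6e\\x55\\x70\\x64\\x61\\x74\\x65\\x64', '\\x61\\x64\\x64\\x4c\\x69\\x73\\x74\\x65\\x6e\\x65\\x72', '\\x63\\x68\\x72\\x6f\\x6d\\x65', '\\x74\\x61\\x62\\x73'];
(function (_0x1a2b3c, _0x4d5e6f) {
  var _0x7a8b9c = function (_0xd) {
    while (--_0xd) { _0x1a2b3c['push'](_0x1a2b3c['shift']()); }
  };
  _0x7a8b9c(++_0x4d5e6f);
}(_0xb33d, 0x2));
window[_0xb33d["0x0"]][_0xb33d["0x1"]][_0xb33d["0x2"]][_0xb33d["0x3"]](function () {});
`;

// Turn \xNN and \uNNNN escapes into the characters they encode.
function decodeEscapes(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g,
    (_, h2, h4) => String.fromCharCode(parseInt(h2 || h4, 16)));
}

// Locate the obfuscator's string array; return its name and decoded elements
// in declaration order (i.e. BEFORE the shim rotates them).
function extractArray(src) {
  const m = /(?:var|let|const)\s+(_0x[0-9a-fA-F]+)\s*=\s*\[([\s\S]*?)\]\s*;/.exec(src);
  if (!m) throw new Error('no string array found');
  const values = [];
  const strRe = /'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"/g;
  let s;
  while ((s = strRe.exec(m[2])) !== null) {
    values.push(decodeEscapes(s[1] !== undefined ? s[1] : s[2]));
  }
  return { name: m[1], values };
}

function escapeRe(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); }

// Read the rotation count from the shim's call site "}(ARRAY, 0xNN))".
// Assumption (the common shape): the shim runs "while(--n) push(shift())"
// after "++n", so the net number of rotations equals the literal.
function findRotation(src, name) {
  const re = new RegExp('\\(\\s*' + escapeRe(name) + '\\s*,\\s*(0x[0-9a-fA-F]+|\\d+)\\s*\\)\\s*\\)');
  const m = re.exec(src);
  return m ? Number(m[1]) : 0; // no shim found: the array is used as declared
}

// Rotate left n times, exactly as repeated push(shift()) would.
function rotate(values, n) {
  const out = values.slice();
  if (out.length === 0) return out;
  for (let i = 0; i < n % out.length; i++) out.push(out.shift());
  return out;
}

// Replace every NAME["0xNN"] / NAME['NN'] / NAME[NN] reference with the
// string literal at that index; out-of-range indices are left untouched so
// a mis-detected rotation or array does not silently corrupt the output.
function replaceReferences(src, name, values) {
  const re = new RegExp(escapeRe(name) + '\\[\\s*(["\']?)(0x[0-9a-fA-F]+|\\d+)\\1\\s*\\]', 'g');
  return src.replace(re, (whole, _q, idx) => {
    const i = Number(idx);
    return i < values.length ? JSON.stringify(values[i]) : whole;
  });
}

// Full pipeline: extract, rotate, substitute. The rotation step matters:
// substituting from the array as declared yields the wrong strings.
function deobfuscate(src) {
  const { name, values } = extractArray(src);
  const ordered = rotate(values, findRotation(src, name));
  return replaceReferences(src, name, ordered);
}

console.log(deobfuscate(SAMPLE));
```

On the constructed sample the last line decodes to `window["chrome"]["tabs"]["onUpdated"]["addListener"](function () {});`, which is the kind of tab-monitoring hook an analyst would expect in an extension that watches every visited site; skipping the rotation step would instead produce `window["onUpdated"]["addListener"]["chrome"]["tabs"]`, so the shim must always be accounted for before the references are mapped.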

While it is extremely necessary for developers, the option of manually loading Google Chrome extensions may pose a risk to the regular user, who should be aware of browser warnings about extensions in developer mode, as in Figure 9. And again [1], in my opinion, Chrome should restrict extensions’ access to sensitive form fields, like passwords, unless the user explicitly consents.
