In August 2024, researchers detected a malicious infection of the Google Chrome browser that led to the distribution of the LummaC2 stealer. The infection relied on a drive-by download of a ZIP archive containing an MSI application package which, when executed, installed the malicious software on the victim's system.
The MSI file communicates with a remote server to obtain the password required to extract a malicious DLL from a RAR archive, and it uses a legitimate executable associated with cryptographic tools to decrypt the archive.
The malicious executable, located in the "TroxApp" folder, uses DLL sideloading to load the malicious "rnp.dll" payload. This exploits the Windows operating system's behaviour of searching for DLL files in specific directories, allowing the executable to run the attacker's code.
The malicious DLL triggered a loader process that downloaded the LummaC2 stealer and then executed a PowerShell command to fetch the next-stage payload, "02074.bs64," from the C2 server at two-root[.]com/02074.bs64 and decrypt it using two rounds of XOR operations.


A malicious Chrome extension, "Save to Google Drive," installs the LummaC2 malware and can handle financial transactions for Facebook, Coinbase, and Google Pay accounts.
It can set and get account balances, generate addresses, and initiate cryptocurrency withdrawals by sending JSON data containing transaction details.
The extension collects hardware and system data, browser information, and cookies, generates a unique device identifier, and sends all of this information to a remote server.


The malicious browser extension also injects code to open invisible popups containing URLs supplied by the C2 servers.
The script monitors these popups for content related to payments, logins, and ad management, potentially stealing user input or manipulating the displayed content.
It targets email platforms (Outlook, Gmail, Yahoo Mail) by injecting and manipulating web content based on its configuration, which allows it to alter email contents and raises concerns about the theft of sensitive data such as 2FA verification codes.


The "makeScreenShot" function in "proxy.js" captures a screenshot of the active tab in a compromised Chrome browser, encodes it as a base64 string, and sends it to a command-and-control server, which enables the attackers to monitor the victim's browsing activity and potentially steal sensitive information.
According to eSentire, the threat actors employed a DLL side-loading technique to deploy the LummaC2 stealer and a Chrome extension, which worked in tandem to extract Bitcoin addresses from blockchain and mempool URLs and then decode them using Base58 to steal sensitive information.
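As an added illustration for analysts (this is not code from the eSentire report or from the malware), the check below shows how a defender can triage URL telemetry of the kind described above: it pulls Base58 tokens out of blockchain and mempool explorer URLs and keeps only those whose Base58Check checksum (double SHA-256) verifies, which is what separates a real Bitcoin address from a random token or a typo. The sample URLs are constructed; the one valid address is the well-known genesis-block address.

```python
import hashlib
import re

# Bitcoin's Base58 alphabet: no 0, O, I or l, to avoid visual confusion.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_INDEX = {c: i for i, c in enumerate(B58_ALPHABET)}

# A Base58 token of plausible address length, bounded by non-Base58 characters.
ADDR_RE = re.compile(r"(?<![1-9A-HJ-NP-Za-km-z])[1-9A-HJ-NP-Za-km-z]{26,35}"
                     r"(?![1-9A-HJ-NP-Za-km-z])")

def b58decode(s: str) -> bytes:
    """Decode a Base58 string to bytes; each leading '1' is a leading 0x00 byte."""
    n = 0
    for ch in s:
        if ch not in B58_INDEX:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + B58_INDEX[ch]
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body

def decode_base58check(s: str) -> tuple:
    """Return (version byte, payload) if the 4-byte double-SHA256 checksum holds."""
    raw = b58decode(s)
    if len(raw) < 5:
        raise ValueError("too short for Base58Check")
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        raise ValueError("Base58Check checksum mismatch")
    return payload[0], payload[1:]

def find_btc_addresses(urls):
    """Return (url, address, version, hash160 hex) for every checksum-valid
    mainnet P2PKH (0x00) or P2SH (0x05) address found in the URLs."""
    hits = []
    for url in urls:
        for m in ADDR_RE.finditer(url):
            try:
                version, h160 = decode_base58check(m.group())
            except ValueError:
                continue  # random token or mistyped address: checksum fails
            if version in (0x00, 0x05) and len(h160) == 20:
                hits.append((url, m.group(), version, h160.hex()))
    return hits

# Constructed sample telemetry (not from the report). The first URL carries the
# genesis-block address; the second is the same address with its last character altered.
SAMPLE_URLS = [
    "https://mempool.space/address/1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
    "https://www.blockchain.com/explorer/addresses/btc/1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb",
    "https://example.com/search?q=chrome+extension",
]

if __name__ == "__main__":
    for hit in find_btc_addresses(SAMPLE_URLS):
        print(hit)
```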