
Extension Trojan Malware

A large-scale malware campaign has been detected. It targets users by installing fraudulent Google Chrome and Microsoft Edge extensions through a Trojan distributed via fake websites posing as popular software. The Trojan deploys a range of payloads, from basic adware extensions that hijack searches to more advanced unsafe scripts that install local extensions designed to harvest personal data and execute various commands. This Trojan, active since 2021, originates from counterfeit download websites offering add-ons for online games and videos.

Hundreds of Thousands of Impacted Users

The malware and its associated extensions have impacted over 300,000 users on Google Chrome and Microsoft Edge, demonstrating the widespread nature of the threat.

Central to this campaign is the use of malvertising to direct users to deceptive websites that mimic well-known software like Roblox FPS Unlocker, YouTube, VLC media player, Steam or KeePass. These sites trick users searching for these programs into downloading a Trojan, which then installs the fraudulent browser extensions.

The corrupted installers, which are digitally signed, set up a scheduled task that triggers a PowerShell script. This script is responsible for downloading and executing the next-stage payload from a remote server.

Attackers Install New Browsers on the Compromised Devices

This involves altering the Windows Registry to force-install extensions from the Chrome Web Store and Microsoft Edge Add-ons, which can hijack search queries on Google and Microsoft Bing, redirecting them through servers controlled by the attackers.

The extension is designed to be undeletable, even with Developer Mode enabled. Recent versions of the script also disable browser updates. Additionally, it deploys a local extension downloaded directly from a Command-and-Control (C2) server, equipped with extensive capabilities to intercept all Web requests, relay them to the server, execute commands and encrypted scripts, and inject scripts into every Web page.

Furthermore, it hijacks search queries from Ask.com, Bing, and Google, rerouting them through its servers before passing them on to other search engines.

Affected Users Should Take Action

Users affected by the malware attack should take the following steps to mitigate the issue:

  • Delete the scheduled task that reactivates the malware daily.
  • Remove the relevant Registry keys.
  • Delete the following files and folders from the system:
      C:\Windows\system32\Privacyblockerwindows.ps1
      C:\Windows\system32\Windowsupdater1.ps1
      C:\Windows\system32\WindowsUpdater1Script.ps1
      C:\Windows\system32\Optimizerwindows.ps1
      C:\Windows\system32\Printworkflowservice.ps1
      C:\Windows\system32\NvWinSearchOptimizer.ps1 (2024 version)
      C:\Windows\system32\kondserp_optimizer.ps1 (May 2024 version)
      C:\Windows\InternalKernelGrid
      C:\Windows\InternalKernelGrid3
      C:\Windows\InternalKernelGrid4
      C:\Windows\ShellServiceLog
      C:\windows\privacyprotectorlog
      C:\Windows\NvOptimizerLog
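A read-only triage script that checks a machine for the three artifact classes the steps above describe (the listed files, a scheduled task launching one of those scripts, and force-install extension policy entries). This is an added example, not code from the original article; the file paths are those listed above, while the `ExtensionInstallForcelist` policy keys are an assumption about which "relevant Registry keys" are meant, since the article does not name them.

```powershell
# Added triage example (not from the original article). Reports only; deletes nothing.
# $env:SystemRoot is normally C:\Windows, matching the paths listed in the article.
$Paths = @(
    "$env:SystemRoot\system32\Privacyblockerwindows.ps1",
    "$env:SystemRoot\system32\Windowsupdater1.ps1",
    "$env:SystemRoot\system32\WindowsUpdater1Script.ps1",
    "$env:SystemRoot\system32\Optimizerwindows.ps1",
    "$env:SystemRoot\system32\Printworkflowservice.ps1",
    "$env:SystemRoot\system32\NvWinSearchOptimizer.ps1",
    "$env:SystemRoot\system32\kondserp_optimizer.ps1",
    "$env:SystemRoot\InternalKernelGrid",
    "$env:SystemRoot\InternalKernelGrid3",
    "$env:SystemRoot\InternalKernelGrid4",
    "$env:SystemRoot\ShellServiceLog",
    "$env:SystemRoot\privacyprotectorlog",
    "$env:SystemRoot\NvOptimizerLog"
)
# 1. Files and folders named in the article
foreach ($p in $Paths) {
    if (Test-Path -LiteralPath $p) { Write-Output "FOUND file/dir: $p" }
}
# 2. Scheduled tasks whose action launches one of the listed scripts
#    (the article describes a daily task that re-runs the PowerShell stage)
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        foreach ($p in $Paths) {
            if ($cmd -like "*$(Split-Path -Leaf $p)*") {
                Write-Output "FOUND task: $($task.TaskPath)$($task.TaskName) -> $cmd"
            }
        }
    }
}
# 3. Force-installed extension policy entries. ASSUMPTION: these are the
#    "relevant Registry keys"; each value has the form "<extension id>;<update url>".
#    Entries you did not deploy yourself deserve a close look.
$PolicyKeys = @(
    "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist",
    "HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist"
)
foreach ($k in $PolicyKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { Write-Output "FOUND forcelist entry in ${k}: $($_.Value)" }
    }
}
```

Run it from an elevated PowerShell session so that the scheduled task and HKLM policy queries return complete results.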

This type of attack is not unprecedented. In December 2023, a similar campaign was reported, involving a Trojan installer distributed through torrents. This installer was disguised as a VPN app but was actually designed to execute a 'cashback activity hack.'
