Cybersecurity companies continually scan the online environment to find new malware threats that could put user privacy at risk and to understand the typical distribution vectors through which such attacks are conducted. Recently, researchers came across a new piece of malware that closely resembles other already known credential-stealing threats. However, the analyzed sample seems unique not only in that it specifically targets the Google Chrome browser, unlike other known threats that aim at all popular Internet browsers, but also in the technology it uses. This new threat is not obfuscated and should theoretically be blocked by anti-malware solutions. Yet anti-virus software fails to detect it in most cases, which is quite puzzling for malware analysts.
The infection with this new credential-harvesting tool happens with the help of a basic dropper. The dropper creates a folder \temp in the current path, about 6MB in size, which becomes the malware's parent folder. In this new folder, the dropper creates a simple script named "death.bat" which deletes the /temp directory. Then, the dropper creates six other files in the parent folder: five DLL files and a binary called "virus.exe" that appears to use cURL. Researchers point out that not many other malware threats use cURL, which makes the new threat really interesting. Furthermore, the malware's file names are in clear text, and it uses no obfuscation or encryption. After filling the parent folder, the dropper runs the "virus.exe" binary, and five seconds later the batch script that deletes all traces of the malware is executed. Next, a message box with a generic error message pops up, apparently simply to fool the user.
The analysis of the malware's main payload reveals that it is a real threat to user privacy. Google Chrome stores not only usernames and passwords but also credit card data. A regular user does not need admin privileges to access the Chrome file in which the browser stores the credentials, which in turn means that the malware does not need a privilege escalation tool to access that file. Chrome credentials are stored in an SQLite DB file. To bypass the browser's protection mechanism, the malware only kills certain Chrome processes, then opens the DB file, performs several SQL queries and reads the information contained in the file. After that, the data is saved and sent to the malware's own Google Form via cURL. In this case, the free web-based app Google Forms is misused by the attackers to gather and store stolen data.
Based on its operational flow, this new threat cannot be identified as a member of any known malware family that steals Chrome credentials. It is very clever, silent, and fast; it does not create any files on the disk, does not change the registry, and overall does not cause any damage to the infected computer. On the other hand, it is hard to catch because it uses cURL and Google Forms, and it is in any case a serious threat to user privacy, as it collects sensitive data such as passwords and credit card numbers.
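The behaviour chain described above (Chrome processes killed, the browser's SQLite credential database opened, a cURL POST to a Google Form, and a batch script wiping the temp folder seconds later) is the kind of sequence an endpoint detection rule can correlate even when the binary itself passes anti-virus scanning. The following is an added example written for this article, not code from the researchers or the malware: it runs a small correlation rule over constructed EDR-style process, file and network events. The event format, the `docs.google.com` / `/forms/` exfiltration pattern, and the Chrome file names `Login Data` (saved logins) and `Web Data` (payment cards) are assumptions of the example, as is the 30-second window for the chain and the 10-second window for the cleanup.

```python
"""Correlate the Chrome credential-stealer behaviour chain over EDR-style
telemetry.  All events below are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Chrome SQLite files holding saved logins and payment cards (assumed names).
CHROME_CREDENTIAL_DBS = ("login data", "web data")
# Google Forms submission endpoint pattern (assumption for this example).
FORMS_HOST = "docs.google.com"
FORMS_PATH = "/forms/"
# Required order of the chain: kill Chrome -> read the DB -> POST to the form.
CHAIN = ("kill_chrome", "read_credential_db", "post_to_google_form")


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since start of the (constructed) trace
    pid: int       # process that performed the action
    kind: str      # proc_create | proc_terminate | file_open | net_connect | file_delete
    detail: str    # target process, path, or connection string


# Constructed sample telemetry: pid 4100 mimics virus.exe; 2200 is Chrome itself
# reading its own database; 3300 is an unrelated cURL submission to a form.
SAMPLE_EVENTS: List[Event] = [
    Event(0.0, 4100, "proc_create", r"C:\Users\alice\Downloads\temp\virus.exe"),
    Event(0.5, 2200, "file_open", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(1.0, 4100, "proc_terminate", "chrome.exe"),
    Event(2.0, 4100, "file_open", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(2.5, 4100, "file_open", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    Event(3.0, 4100, "net_connect", "docs.google.com:443 POST /forms/d/e/<FORM-ID-PLACEHOLDER>/formResponse"),
    Event(4.0, 3300, "net_connect", "docs.google.com:443 POST /forms/d/e/<OTHER-FORM-PLACEHOLDER>/formResponse"),
    Event(8.0, 4101, "file_delete", r"C:\Users\alice\Downloads\temp"),   # death.bat run by cmd.exe
]


def _stage(ev: Event) -> Optional[str]:
    """Map one event to a stage of the chain, or None if it is not part of it."""
    d = ev.detail.lower()
    if ev.kind == "proc_terminate" and d.endswith("chrome.exe"):
        return "kill_chrome"
    if (ev.kind == "file_open" and "\\google\\chrome\\" in d
            and any(d.endswith(name) for name in CHROME_CREDENTIAL_DBS)):
        return "read_credential_db"
    if ev.kind == "net_connect" and FORMS_HOST in d and FORMS_PATH in d:
        return "post_to_google_form"
    return None


def _cleanup_after(events: List[Event], t0: float, grace: float) -> bool:
    """True if any process deletes a folder named 'temp' within `grace` s after t0."""
    return any(e.kind == "file_delete"
               and e.detail.lower().rstrip("\\/").endswith("temp")
               and 0.0 <= e.ts - t0 <= grace
               for e in events)


def detect_chrome_stealer(events: List[Event], window: float = 30.0,
                          cleanup_grace: float = 10.0) -> List[Dict]:
    """Return one finding per process that performs the full chain in order
    within `window` seconds.  A single stage on its own is never reported:
    Chrome reading its own database or a legitimate form submission is benign."""
    by_pid: Dict[int, List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)

    findings = []
    for pid, evs in by_pid.items():
        first_seen: Dict[str, float] = {}
        for ev in evs:
            stage = _stage(ev)
            if stage and stage not in first_seen:
                first_seen[stage] = ev.ts
        if not all(s in first_seen for s in CHAIN):
            continue
        times = [first_seen[s] for s in CHAIN]
        if times != sorted(times) or times[-1] - times[0] > window:
            continue
        findings.append({
            "pid": pid,
            "stages": list(CHAIN),
            "chain_seconds": times[-1] - times[0],
            "cleanup_observed": _cleanup_after(events, times[-1], cleanup_grace),
        })
    return findings


if __name__ == "__main__":
    for f in detect_chrome_stealer(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {' -> '.join(f['stages'])} in {f['chain_seconds']:.1f}s, "
              f"temp folder wiped afterwards: {f['cleanup_observed']}")
```

The rule deliberately requires all three stages from the same process, in order, so that Chrome opening its own database or a legitimate cURL form submission does not fire on its own; the temp-folder deletion is reported as supporting evidence rather than a required stage, since the batch script runs from a separate process.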