Extension Trojan Malware: A Growing Threat to Google Chrome and Microsoft Edge Users
A new wave of malware has been detected targeting users of Google Chrome and Microsoft Edge by installing rogue browser extensions through a trojan distributed via fake websites. This campaign, which has been active since 2021, leverages imitation websites posing as popular software download pages to trick unsuspecting users into downloading malicious installers.
The Threat Landscape
The malware, first identified by ReasonLabs, ranges from relatively simple adware extensions that hijack search results to more sophisticated scripts capable of stealing private data and executing unauthorized commands on infected systems. The trojan has already affected over 300,000 users, highlighting the widespread impact of this campaign.
At the core of this threat is the use of malvertising, where attackers create lookalike websites promoting well-known software such as Roblox FPS Unlocker, YouTube, VLC media player, Steam, and KeePass. Users searching for these programs may be lured into downloading a trojan that serves as a conduit for installing malicious browser extensions.
Once executed, the installer, which is digitally signed, registers a scheduled task on the victim's system that runs a PowerShell script to download and execute further payloads from a remote server. Those payloads modify the Windows Registry so that the browser itself force-installs extensions from the Chrome Web Store and Microsoft Edge Add-ons. The extensions then hijack search queries on Google and Microsoft Bing, redirecting them through attacker-controlled servers.
How the Malware Operates
Because the extensions are installed through browser policy rather than by the user, they cannot be removed from the browser's extensions page, even with Developer Mode enabled. Recent versions of the script go further and disable browser updates, leaving the infected browser on a version the attacker has already tested against.
In addition, a locally installed extension delivered from a command-and-control (C2) server is loaded with far broader capabilities. It intercepts all web requests and reports them to the server, receives commands and encrypted scripts in return, and injects the resulting code into web pages. It also hijacks search queries to popular engines such as Ask.com, Bing, and Google, funneling them through the attacker's servers before redirecting them to other search engines.
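The capability set just described (seeing every web request, running code in every page, talking to arbitrary hosts) is visible in an extension's manifest. The following PowerShell script is an added example, not code from the article or from ReasonLabs: it walks every Chrome and Edge profile on the machine and lists extensions whose manifest combines a broad host pattern with one of the permissions that make such interception possible. It assumes the default profile layout under `%LOCALAPPDATA%`; the permission and host lists are the author's choice of what to flag, not anything the article names.

```powershell
# Added example, not part of the article or of ReasonLabs' report.
# Lists extensions in every Chrome/Edge profile whose manifest grants both a
# broad host pattern and a request- or page-level capability.
$ProfileRoots = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
)
# Permissions that allow observing or rewriting traffic and pages (author's list).
$RiskyPermissions = @('webRequest', 'webRequestBlocking', 'declarativeNetRequest',
                      'scripting', 'tabs', 'cookies', 'proxy')
# Host patterns that cover every site.
$BroadHosts = @('<all_urls>', '*://*/*', 'http://*/*', 'https://*/*')

$findings = foreach ($root in $ProfileRoots) {
    if (-not (Test-Path $root)) { continue }
    # Layout: <root>\<profile>\Extensions\<32-letter id>\<version>\manifest.json
    $manifests = Get-ChildItem -Path $root -Recurse -Depth 4 -Filter manifest.json -ErrorAction SilentlyContinue
    foreach ($manifestFile in $manifests) {
        if ($manifestFile.FullName -notmatch '\\Extensions\\([a-p]{32})\\') { continue }
        $id = $Matches[1]
        try { $m = Get-Content -LiteralPath $manifestFile.FullName -Raw | ConvertFrom-Json } catch { continue }
        # MV2 keeps host patterns in "permissions", MV3 in "host_permissions";
        # content_scripts "matches" also grants page access.
        $perms = @($m.permissions) + @($m.host_permissions) +
                 @($m.content_scripts | ForEach-Object { $_.matches })
        $perms = $perms | Where-Object { $_ -is [string] }
        $risky = $perms | Where-Object { $RiskyPermissions -contains $_ }
        $broad = $perms | Where-Object { $BroadHosts -contains $_ }
        if ($risky -and $broad) {
            [pscustomobject]@{
                Browser = if ($root -match 'Edge') { 'Edge' } else { 'Chrome' }
                Id      = $id
                Name    = $m.name
                Version = $m.version
                Risky   = ($risky | Sort-Object -Unique) -join ','
                Hosts   = ($broad | Sort-Object -Unique) -join ','
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

This produces candidates, not verdicts: ad blockers and password managers legitimately match the same pattern. Compare the listed IDs against the force-installed entries shown on `chrome://policy` or `edge://policy`; an entry you did not deploy is the one to investigate. An unpacked extension loaded from an arbitrary directory via the `--load-extension` switch would not appear here, so also check the command line of the browser's shortcuts.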
How to Remove the Extension Trojan Malware
If you suspect that your system has been compromised by this malware, it is crucial to take immediate action to mitigate the damage. Follow these steps to remove the malware and restore your system:
- Delete the Scheduled Task: Locate and delete the scheduled task that reactivates the malware daily. Do this first; as long as the task exists, it will re-create the other components.
- Remove Registry Keys: Open the Windows Registry and remove the entries the malware added, including the browser policy entries that force-install the extensions.
- Delete Malicious Files and Folders: Remove the following files and directories (names vary between versions of the script; the dated entries belong to the 2024 builds):
  - C:\Windows\system32\Privacyblockerwindows.ps1
  - C:\Windows\system32\Windowsupdater1.ps1
  - C:\Windows\system32\WindowsUpdater1Script.ps1
  - C:\Windows\system32\Optimizerwindows.ps1
  - C:\Windows\system32\Printworkflowservice.ps1
  - C:\Windows\system32\NvWinSearchOptimizer.ps1 (2024 version)
  - C:\Windows\system32\kondserp_optimizer.ps1 (May 2024 version)
  - C:\Windows\InternalKernelGrid
  - C:\Windows\InternalKernelGrid3
  - C:\Windows\InternalKernelGrid4
  - C:\Windows\ShellServiceLog
  - C:\windows\privacyprotectorlog
  - C:\Windows\NvOptimizerLog
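The three steps above, and the scheduled task, PowerShell script and registry chain described earlier, can be checked in one pass. The script below is an added example, not code from the article or from ReasonLabs. It assumes that the "registry modification" the article refers to is the browsers' ExtensionInstallForcelist policy (the article does not name the key), uses the file paths listed above, and treats any scheduled task that runs a .ps1 file from system32 as suspect. Run it from an elevated PowerShell session; without `-Remove` it only reports.

```powershell
# Added example, not part of the article or of ReasonLabs' report.
# Triage and clean-up for the chain described above: scheduled task ->
# PowerShell script in system32 -> registry policy that force-installs extensions.
# Run elevated. Without -Remove the script only reports what it finds.
param([switch]$Remove)

# File paths quoted in the article's removal list.
$KnownPaths = @(
    'C:\Windows\system32\Privacyblockerwindows.ps1',
    'C:\Windows\system32\Windowsupdater1.ps1',
    'C:\Windows\system32\WindowsUpdater1Script.ps1',
    'C:\Windows\system32\Optimizerwindows.ps1',
    'C:\Windows\system32\Printworkflowservice.ps1',
    'C:\Windows\system32\NvWinSearchOptimizer.ps1',
    'C:\Windows\system32\kondserp_optimizer.ps1',
    'C:\Windows\InternalKernelGrid',
    'C:\Windows\InternalKernelGrid3',
    'C:\Windows\InternalKernelGrid4',
    'C:\Windows\ShellServiceLog',
    'C:\Windows\privacyprotectorlog',
    'C:\Windows\NvOptimizerLog'
)
# Assumption: the registry change the article mentions is the force-install policy.
# Each value under these keys is named 1, 2, 3 ... and holds "<extension id>;<update url>".
# Both hives are checked so nothing is missed.
$ForcelistKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
# Update policy keys; the article says newer versions disable browser updates.
# Reported only, because legitimate administrators also set these.
$UpdatePolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Update',
    'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'
)

# 1. Scheduled tasks, the persistence step. Flag any task whose action runs
#    powershell with a .ps1 under system32 and remove it before anything else,
#    since it is what re-creates the other components daily.
$suspectTasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match '(?i)powershell' -and $cmd -match '(?i)\\system32\\[^\s"]+\.ps1') {
            [pscustomobject]@{ Path = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd; Task = $task }
            break
        }
    }
}
foreach ($t in $suspectTasks) {
    Write-Host "Task: $($t.Path)`n  $($t.Command)"
    if ($Remove) { Unregister-ScheduledTask -InputObject $t.Task -Confirm:$false }
}

# 2. Registry: force-install entries, then a read-only look at update policies.
foreach ($key in $ForcelistKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -match '^\d+$' }
    foreach ($e in $entries) {
        Write-Host "Forcelist: $key\$($e.Name) = $($e.Value)"
        if ($Remove) { Remove-ItemProperty -Path $key -Name $e.Name }
    }
}
foreach ($key in $UpdatePolicyKeys) {
    if (Test-Path $key) { Write-Host "Update policy present: $key"; Get-ItemProperty -Path $key | Format-List }
}

# 3. Files and directories from the article's list.
foreach ($p in $KnownPaths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    Write-Host "Present: $p"
    if ($Remove) { Remove-Item -LiteralPath $p -Recurse -Force }
}
if (-not $Remove) { Write-Host 'Dry run only; re-run with -Remove to delete what was listed.' }
```

On a domain-managed machine the force-install list may be legitimate administrator policy, so review the reported extension IDs before passing `-Remove`. After the policy entries are gone, restart the browser; the extension is only dropped once the browser re-reads policy, and if updates were disabled, re-enable them and let the browser update before trusting it again.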
By following these steps, you can remove the malware and prevent further damage to your system. However, it is also recommended to install and regularly update a reputable antivirus program to protect against future threats.
This ongoing malware campaign serves as a reminder of the evolving threats in the digital world. By staying vigilant and cautious, especially when downloading software from unfamiliar sources, users can protect their systems from these dangerous trojans. Always verify the authenticity of websites and downloads, and keep your security software up to date to defend against the latest threats.