A new Google Chrome extension named Desbloquear Conteúdo (‘Unblock Content’ in Portuguese) is found to specifically target online banking service users in Brazil. The malicious extension is designed to steal user logins and passwords in order to drain victims’ bank accounts. Kaspersky Lab researchers have identified the malicious extension as HEUR:Trojan-Banker.Script.Generic.
The malicious browser extension uses Websocket protocol for communication to exchange messages with the C&C server in real-time, and evade detection by antivirus programs. When the victim visits a Brazilian bank site, the server traffic is redirected to the malicious c&c server thereby allowing the attacker to perform a man-in-the-middle attack.
The extension consists of two JS scripts, namely fundo.js and pages.js.
“The fundo.js script uses the Proxy Auto Configuration technology at the time of the function call implement_pac_script,” researchers explained. “This results in the function FindProxyForURL being replaced with a new one that redirects user traffic to the malicious server, but only when a user visits the web page of a Brazilian bank.”
Meanwhile, data stored by pages.js includes the domain names of several Brazilian banks and the appropriate code the browser should execute when an user visits the a relevant site. Among the various script functions includes one that contacts the server if required to collect one-time passwords for authentication on the bank’s sites.
For example, if a user is visiting a page where logins and passwords are collected, the script clones the “Enter” button and creates a function to click this button. The password is then stored in the cookie files of this function to be sent to C2 before the real button, which is overlaid and hidden, is clicked. Essentially, the password is not only sent to the online banking system but to the malicious server as well.
“Browser extensions designed to steal logins and passwords are quite rare,” researchers said. “However, they need to be taken seriously given the potential damage they could cause. We recommend that users only install verified extensions with large numbers of installations and reviews in Chrome Web Store or another official service. In spite of the protection measures implemented by the owners of such services, malicious extensions can still end up being published in them – we’ve covered one such case.
Google has since removed the malicious extension from its Chrome Web Store.