After noticing a browser extension communicating with a suspicious domain, researchers analyzed the Google Chrome extension named Desbloquear Conteudo (unblock content) and found that it was a rare banker malware.
The extension, identified as HEUR:Trojan-Banker.Script.Generic, has been removed from the Chrome Web Store. According to Vyacheslav Bogdanov, a researcher at Kaspersky Lab, the man-in-the-middle (MitM) extension for Chrome was targeting users of Brazilian online banking services with the goal of collecting user logins and passwords in order to pilfer their savings.
MitM attacks redirect the victim’s web traffic to a spoof website. While the target is under the impression they are connected to a legitimate site, the flow of traffic to and from the real bank site is actually being redirected through an attacker's site so that the criminal can harvest the personal data they are after.
What's interesting about this particular extension is that the developers made no effort to obfuscate its source code. Instead, they opted for a MitM attack using "the WebSocket protocol for data communication, making it possible to exchange messages with the C&C [command-and-control] server in real time. This means the C&C starts acting as a proxy server to which the extension redirects traffic when the victim visits the site of a Brazilian bank."
This particular extension used Proxy Auto Configuration (PAC), a mechanism supported by most modern browsers in which a JavaScript function decides how each request is routed. The extension replaced that function, FindProxyForURL, with a new one that redirected traffic bound for the Brazilian bank to the malicious server. The attackers also added malicious code to the bank's webpage using the cef.js script in order to intercept the user's one-time password.
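As an added example (not code from the article or from Kaspersky), the following JavaScript audits a PAC script the way a defender would: it loads the script, evaluates its FindProxyForURL for a list of sensitive hosts, and reports any host whose traffic would be sent through a proxy rather than DIRECT. The PAC helper subset, the sample script and the host list are constructed for the demonstration.

```javascript
// Added example: audit a Proxy Auto Configuration (PAC) script for rules that
// route sensitive hosts through a proxy. FindProxyForURL(url, host) returns
// "DIRECT" or "PROXY host:port [; ...]", and it is the function the extension
// overwrote; evaluating it is the quickest way to see where traffic would go.

// Minimal re-implementations of the standard PAC helpers a script may call
// (only the subset this audit needs; assumed sufficient for the sample).
const pacHelpers = {
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  isPlainHostName: (host) => !host.includes('.'),
  shExpMatch: (str, shexp) => {
    const re = shexp.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
    return new RegExp(`^${re}$`).test(str);
  },
};

// Compile the PAC source so its FindProxyForURL resolves our helpers, then return it.
function loadPac(pacSource) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, `${pacSource}\n;return FindProxyForURL;`);
  return factory(...names.map((n) => pacHelpers[n]));
}

// "PROXY a:1; SOCKS b:2; DIRECT" -> [{type:'PROXY', endpoint:'a:1'}, ...]
function parseDirectives(result) {
  return String(result).split(';').map((s) => s.trim()).filter(Boolean).map((s) => {
    const [type, endpoint] = s.split(/\s+/, 2);
    return { type: type.toUpperCase(), endpoint: endpoint || null };
  });
}

// Report every sensitive host the PAC would route via a proxy, including rules
// that name a proxy first and list DIRECT only as a fallback.
function auditPac(pacSource, sensitiveHosts) {
  const findProxyForURL = loadPac(pacSource);
  const findings = [];
  for (const host of sensitiveHosts) {
    const proxied = parseDirectives(findProxyForURL(`https://${host}/`, host))
      .filter((d) => d.type !== 'DIRECT');
    if (proxied.length) findings.push({ host, via: proxied.map((d) => `${d.type} ${d.endpoint}`) });
  }
  return findings;
}

// Constructed sample PAC modelled on the behaviour described above: two bank
// domains are diverted to a proxy (placeholder addresses), everything else is DIRECT.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, ".bank-a.example")) return "PROXY proxy.example.invalid:8080";
  if (shExpMatch(host, "*.bank-b.example")) return "PROXY 203.0.113.10:3128; DIRECT";
  return "DIRECT";
}`;
const SAMPLE_HOSTS = ['www.bank-a.example', 'online.bank-b.example', 'www.search.example'];

console.log(JSON.stringify(auditPac(SAMPLE_PAC, SAMPLE_HOSTS), null, 2));
```

Run against a PAC file pulled from a suspicious extension or from a managed browser's proxy settings, with the organisation's own banking and identity-provider domains as the sensitive list.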
Because the malware was targeting Brazilian users, Bogdanov suggested that the browser extension had the additional function of adding cryptocurrency mining scripts to the banking sites users visited.
“Browser extensions aimed at stealing logins and passwords are quite rare in comparison to adware extensions, but given the possible damage that they can cause, it is worth taking them seriously. We recommend choosing proven extensions that have a large number of installations and reviews in the Chrome Web Store or other official services. After all, despite the protection measures taken by the owners of such services, malicious extensions can still penetrate them,” Bogdanov said.