A malicious Google Chrome extension is targeting users in Latin America, particularly Brazil, exfiltrating the victims’ sensitive accounts and financial details.
This extension is particularly dangerous because it uses the Chrome API to capture POST requests, which typically carry account and financial details, before the TCP connection secures them in transit.
Researchers from Trend Micro have named this extension ‘ParaSiteSnatcher’. The extension gathered data from Banco do Brasil and Caixa Econômica Federal website URLs. Moreover, the extension can manipulate transactions in the Brazilian PIX instant payment ecosystem and payments made through Boleto Bancário.
Furthermore, the extension can exfiltrate Brazilian Tax ID numbers for individuals and businesses, along with cookies, including those of Microsoft accounts.
ParaSiteSnatcher works best on Google Chrome, but it also works on other Chromium-based browsers such as Edge, Brave and Opera, so the pool of potential victims is large. With changes to the browser namespace it uses, the extension could be made compatible with Firefox and Safari as well.
The malware gains initial access to systems through a VBScript hosted on Dropbox and Google Cloud; researchers identified three variants of the downloader, each with a different level of obfuscation and complexity.
Upon gaining access to the system, the malware connects with the threat actor’s command and control server (C&C), retrieving an obfuscated list of URLs. The extension then de-obfuscates these URLs to download additional malicious modules, masquerading as Google Chrome extensions.
ParaSiteSnatcher is equipped with extensive permissions, allowing it to manipulate web sessions and requests and to track user interactions across multiple tabs using the Chrome tabs API. The malware includes components that inject code into web pages, monitor Chrome tabs, and intercept user input and browser communication.
To ensure persistence on infected systems, ParaSiteSnatcher creates a Google Chrome shortcut on the desktop configured to launch the browser with custom startup parameters, initiating the malicious extension on every Chrome startup.
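The two behaviours just described, an extension granted broad request-interception permissions and a desktop shortcut that starts Chrome with custom parameters, are both things a defender can check for on an endpoint. The following is an added triage example written for this article; it is not Trend Micro's tooling and not the malware's code. It assumes the shortcut's argument string has already been read from the .lnk file (on a live system, the Arguments property of the shortcut) and that a sideloaded extension is started with Chromium's real `--load-extension=<dir>` switch, whose directory contains a `manifest.json`. The switch names and extension permission names are real Chromium identifiers; the sample argument string, the directory path and the manifest are constructed for the example.

```python
"""Added triage example (not Trend Micro's tooling): inspect a Chrome desktop
shortcut's argument string for extension-sideloading switches, then rate the
permissions declared in each sideloaded extension's manifest.json."""
import json
from pathlib import Path
from typing import Callable

# Real Chromium command-line switches worth flagging when they appear in a
# desktop shortcut. --load-extension is the one that gives an unpacked
# extension persistence across browser restarts.
RISKY_SWITCHES = {
    "--load-extension": "loads an unpacked extension on every browser start",
    "--disable-extensions-except": "disables every extension except the listed ones",
    "--no-sandbox": "turns off the renderer sandbox",
    "--disable-web-security": "turns off the same-origin policy",
    "--ignore-certificate-errors": "accepts invalid TLS certificates",
}

# Real Chrome extension permission names and what each one allows.
SENSITIVE_PERMISSIONS = {
    "webRequest": "observe every HTTP request, POST bodies included",
    "webRequestBlocking": "modify or cancel requests in flight",
    "cookies": "read and write cookies for permitted hosts",
    "tabs": "enumerate tabs and track navigation",
    "scripting": "inject scripts into pages",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def tokenize_windows_args(args: str) -> list[str]:
    """Split a Windows command-line string on whitespace, honouring double quotes."""
    tokens, current, in_quotes = [], [], False
    for ch in args:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def audit_switches(args: str) -> tuple[list[str], list[str]]:
    """Return (findings, sideloaded extension directories) for a shortcut's arguments."""
    findings, sideloaded = [], []
    for token in tokenize_windows_args(args):
        if not token.startswith("--"):
            continue
        name, _, value = token.partition("=")
        if name in RISKY_SWITCHES:
            findings.append(f"{name}: {RISKY_SWITCHES[name]}")
        if name == "--load-extension":
            # The switch accepts a comma-separated list of directories.
            sideloaded += [p for p in value.split(",") if p]
    return findings, sideloaded


def audit_manifest(manifest: dict) -> list[str]:
    """Rate a manifest.json: sensitive API permissions combined with broad host access."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))            # manifest v3
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # manifest v2 style
    hosts |= {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}
    broad = bool(hosts & BROAD_HOSTS)
    findings = [f"{p}: {SENSITIVE_PERMISSIONS[p]}"
                for p in sorted(perms & set(SENSITIVE_PERMISSIONS))]
    if broad:
        findings.append("host access: all URLs")
    if broad and "webRequest" in perms:
        findings.append("HIGH: webRequest with all-URL host access can read form POSTs on any site")
    if broad and "cookies" in perms:
        findings.append("HIGH: cookies with all-URL host access can read session cookies for any site")
    return findings


def triage(args: str, load_manifest: Callable[[str], dict]) -> dict:
    """Combine the shortcut audit with a manifest audit of every sideloaded directory."""
    switch_findings, sideloaded = audit_switches(args)
    extensions = {path: audit_manifest(load_manifest(path)) for path in sideloaded}
    if any(f.startswith("HIGH") for fs in extensions.values() for f in fs):
        severity = "high"
    elif switch_findings:
        severity = "medium"
    else:
        severity = "low"
    return {"severity": severity, "switches": switch_findings, "extensions": extensions}


def load_manifest_from_disk(path: str) -> dict:
    """Loader for a live system: read <dir>/manifest.json."""
    return json.loads(Path(path).joinpath("manifest.json").read_text(encoding="utf-8"))


# Constructed sample input standing in for a shortcut's Arguments field and the
# manifest found in the directory it references (not real ParaSiteSnatcher data).
SAMPLE_ARGS = r'--load-extension="C:\Users\user\AppData\Local\Temp\ext one" --no-sandbox'
SAMPLE_MANIFESTS = {
    r"C:\Users\user\AppData\Local\Temp\ext one": {
        "manifest_version": 3,
        "name": "sample",
        "permissions": ["webRequest", "cookies", "tabs", "storage"],
        "host_permissions": ["<all_urls>"],
    },
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ARGS, SAMPLE_MANIFESTS.__getitem__), indent=2))
```

On a real endpoint, pass `load_manifest_from_disk` as the loader and feed `triage` the Arguments field of every Chrome shortcut on the desktop and in the Start menu; a shortcut whose arguments include `--load-extension` pointing at a directory whose manifest combines `webRequest` or `cookies` with `<all_urls>` is exactly the combination the article describes and is worth pulling for analysis.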
The extension’s communication mechanism relies on the Chrome sendMessage API, which lets its components talk to one another when specific conditions are met. The extension executes internal functions based on the messages it receives, sending processed data directly to the attacker’s command and control server or updating its commands from the threat actor.