A widespread campaign featuring a malicious installer that saddles users with difficult-to-remove malicious Chrome and Edge browser extensions has been spotted by researchers.
“The trojan malware contains different deliverables ranging from simple adware extensions that hijack searches to more sophisticated malicious scripts that deliver local extensions to steal private data and execute various commands,” the Reason Labs research team says.
“We have witnessed a very wide distribution of the malware and extensions – in total at least 300,000 users across Google Chrome and Microsoft Edge have been affected.”
The infection
The threat actors behind this campaign have set up spoofed websites offering popular software such as VLC or KeePass for download, but the downloaded installer does not even attempt to install the program the user wanted.
Instead, once run, the installer registers a scheduled task that downloads a PowerShell script; that script in turn fetches a payload from a remote server and executes it in memory.
The script adds registry keys that force-install extensions from the Chrome Web Store and the Edge Add-ons store. Users cannot disable these extensions because they do not show up on the browser's extension management page, even with developer mode enabled.
“The script proceeds to disable all updates of the browsers because during each update the default settings are restored and this would interfere with the activity of the malware,” the researchers noted.
The script also downloads a local extension (“Google Updater”) that hijacks the browser’s default search (Bing or Google) and redirects it to the adversary’s search portal.
How to remove the malware and malicious extensions?
“At the time of writing, most AV engines do not detect the installer and the extensions,” the research team says. “The installer is signed by Tommy Tech LTD. Other installers signed by the same signer have been around since 2021.”
The malicious Chrome extensions usually have “Search” in their name (e.g., “Custom Search Bar”, “Your Search Bar”, etc.). The Edge extensions have either “Search” or “Tab” in their name (e.g., “Simple New Tab”, “NewTab Wonders”, “EXYZ Search”, etc.). Most of them have now been removed by Google and Microsoft from their respective stores.
The malicious Simple New Tab extension in the store (Source: Reason Labs)
Of the estimated 300,000 affected users of the two browsers, some have been complaining online that they cannot find a way to remove the malicious extensions.
The researchers have shared an extensive list of indicators of compromise and have outlined the process for removing the threat.
“The only way to successfully remove this malware is to make sure that its persistence mechanisms are gone,” they noted, which means unregistering the scheduled task, removing the registry keys, and deleting the malware files.
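The following triage-and-cleanup script is an added illustration of the infection chain and the removal steps described above; it is not Reason Labs' tooling and the article does not name the registry keys involved. It assumes that the “registry keys” are the browsers' standard policy locations (ExtensionInstallForcelist for force-installs, the Google Update and Edge Update policy keys for disabling updates), which is the documented way to force-install extensions and switch off updates on Windows. The scheduled task name, payload paths and extension IDs are not given on the page, so the task is found by heuristic and the extension IDs must be supplied from the published IoC list. Without -Remove the script only reports; run it from an elevated PowerShell session.

```powershell
# Added example: enumerate and (optionally) remove the persistence used by a
# force-installed-extension campaign. Assumptions: standard Chrome/Edge policy
# keys; extension IDs come from the IoC list (none are hard-coded here).
[CmdletBinding()]
param(
    [string[]]$BadExtensionIds = @(),   # 32-char IDs taken from the IoC list
    [switch]$Remove
)

# Documented policy roots for Chrome and Edge (machine and user hives).
$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKCU:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
)
# Documented update-policy roots; UpdateDefault=0 or Update{AppGuid}=0 disables updates.
$UpdateRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Update',
    'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'
)

function Get-ForcedExtensions {
    # Each value under ExtensionInstallForcelist has the form "<id>;<update URL>".
    foreach ($root in $PolicyRoots) {
        $key = Join-Path $root 'ExtensionInstallForcelist'
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # skip provider metadata props
            $id = ([string]$p.Value -split ';')[0]
            [pscustomobject]@{
                Key   = $key
                Value = $p.Name
                ExtId = $id
                Known = ($BadExtensionIds -contains $id)   # matches the IoC list?
            }
        }
    }
}

function Get-DisabledUpdatePolicies {
    foreach ($root in $UpdateRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($p in (Get-ItemProperty -Path $root).PSObject.Properties) {
            if ($p.Name -like 'Update*' -and $p.Value -eq 0) {
                [pscustomobject]@{ Key = $root; Value = $p.Name; Data = $p.Value }
            }
        }
    }
}

function Get-SuspiciousTasks {
    # Heuristic: a task whose action runs PowerShell and pulls/executes remote content.
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match '(?i)powershell|pwsh' -and
                $cmd -match '(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b|-enc') {
                [pscustomobject]@{ TaskName = $task.TaskName; TaskPath = $task.TaskPath; Command = $cmd }
            }
        }
    }
}

$forced  = @(Get-ForcedExtensions)
$updates = @(Get-DisabledUpdatePolicies)
$tasks   = @(Get-SuspiciousTasks)

'== Force-installed extensions (Known = listed in IoCs) =='; $forced  | Format-Table -AutoSize
'== Update policies set to 0 ==';                          $updates | Format-Table -AutoSize
'== Scheduled tasks running remote PowerShell ==';         $tasks   | Format-Table -AutoSize

if ($Remove) {
    # Kill the task first so it cannot re-create the keys while we remove them.
    foreach ($t in $tasks) {
        Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
    }
    # Only remove force-install entries that match the IoC list: on managed
    # machines legitimate entries may exist and must be reviewed by hand.
    foreach ($f in ($forced | Where-Object Known)) {
        Remove-ItemProperty -Path $f.Key -Name $f.Value
    }
    foreach ($u in $updates) {
        Remove-ItemProperty -Path $u.Key -Name $u.Value
    }
    Write-Warning 'Now delete the dropped files and the sideloaded extension directory from the IoC list, then restart the browsers.'
}
```

Example invocation: `.\Clean-ForcedExtensions.ps1 -BadExtensionIds 'abcdefghijklmnopabcdefghijklmnop' -Remove` (the ID is a placeholder; use the real ones from the IoC list). Re-run without -Remove afterwards to confirm the task and the policy values are gone; if the forcelist entries reappear, a persistence mechanism was missed, which is exactly the failure mode the researchers warn about.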