This Trojan infects extensions from the Chrome browser, spoofs cryptocurrency searches

Trojan Infects

Malware also handles browser updates and checks for integrity. The Razy Trojan targets legitimate browser extensions and attempts to raid cryptocurrency wallets and steal virtual coins from victims by spoofing search results.

According to new research published by Kaspersky Lab, malware, known as Razy, is a trojan that uses some of the unusual techniques recorded during system infection.

Detected as Trojan

Win32.Razy.gen by the cybersecurity company, Razy is an executable file that spreads malware on websites and is also packaged and distributed on file hosting services while masquerading as legitimate software.

The malware’s main thrust is the ability to steal cryptocurrency. Razy focuses on browsers that compromise, such as Google Chrome, Mozilla Firefox and Yandex.

Depending on the type of browser found on an infected system, different infection vectors are in place. Razy has malicious browser extensions that are nothing new. However, the Trojan can also infect legitimate extensions already installed by deactivating integrity checks for extensions and automatic browser updates.

For Google Chrome, Razy edits the chrome.dll file to disable integrity checks for the extension and then renames it to break the standard path. Registry keys are created to disable updates to your browser. “We’ve seen cases where various Chrome extensions have been infected, “the researchers say. ”

One extension should be mentioned in particular: Chrome Media Router is a service component with the same name in Chromium-based browsers. It is present on all devices where the Chrome browser is installed, although it is not displayed in the list of installed extensions.

“A malicious extension called “Firefox Protection “is installed to compromise Firefox. The Trojan will also disable integrity checks, rename the browser.dll file and create registry keys to prevent browser updates when it comes to Yandex. You will download and install a malicious extension called Yandex Protect.

The majority of malware functions are served by a single.js script that allows malware to search for cryptocurrency wallet addresses, replace these addresses with other addresses controlled by threatening actors, spoil both images and QR codes pointing to wallets, and modify cryptocurrency exchange web pages. Razy can also spoof search results for Google and Yandex on infected browsers that could lead to victims visiting malicious web pages unwittingly.

The Trojan often interferes with cryptocurrency results in an attempt to attract users to hand over their credentials, for example by promoting new services or selling coins that require the user to log in if they want to participate.

A number of additional scripts are downloaded in all three browser cases. Two scripts, firebase-app.js and firebase-messaging.js, are legitimate collectors of statistics, while two others, bgs.js and extab.js, are malicious, obscure scripts that modify web pages and allow for the insertion of malicious ads. At the time of writing, a total of six wallets associated with this campaign contain 0.14 BTC and three wallets containing approximately 25 ETH. In related news, researchers from the University of Illinois at Urbana-Champaign demonstrated security vulnerabilities that affect a total of 26 low-end cryptocurrencies earlier this week.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.