In late April 2018, Kaspersky detected an extension for Google Chrome named Desbloquear Conteúdo (“Unblock content” in Portuguese) that was communicating with a suspicious domain zone typically used by cybercriminals. The extension turned out to be a banker that, according to experts, was used in attacks on customers of multiple Brazilian banks.
A banker is a type of malware that aims to steal user credentials – such as logins, passwords, and one-time identification numbers – in order to steal money from victims. Bankers are fairly popular among malicious users, but it is not common for them to come under the guise of a browser extension: for technical reasons, it is much easier for criminals to develop adware extensions instead.
Like other malicious banker extensions, Desbloquear Conteúdo used several techniques to impede detection by security solutions. Through the WebSocket protocol, its authors established real-time communication with the control server. When the victim visited the web pages of Brazilian banks, the extension redirected user traffic to the C&C, which acted as a proxy server. The malicious code also cloned the “Log in” button so that, when the user entered their credentials, they were passed not only to the online-banking system but also to the cybercriminals’ server – in effect, a discreet man-in-the-middle attack.
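The behaviour described above (an extension holding a WebSocket channel to its control server while a banking page is open, and credentials being posted to the attacker's server right after the real login) is something a defender can look for in browser or proxy telemetry. The following is an added detection sketch, not code from Kaspersky or from the extension; the log format, the field names, the bank hosts and the extension ids are all constructed for the example.

```python
"""
Added example (not Kaspersky's code): correlate browser network events to
spot the two patterns from the writeup. Every host, extension id and log
field below is constructed for illustration.
"""
import json
from datetime import datetime, timedelta

# Constructed allowlist of the bank's own hosts. Anything else an extension
# talks to during a banking session deserves a look.
BANK_HOSTS = {"login.examplebank.com.br", "www.examplebank.com.br"}

# Constructed sample events, in the shape a browser/proxy sensor might emit.
# "initiator" is either the page itself or "ext:<extension id>".
SAMPLE_LOG = """
{"ts": "2018-04-28T10:00:00", "initiator": "page", "host": "www.examplebank.com.br", "kind": "http", "method": "GET"}
{"ts": "2018-04-28T10:00:02", "initiator": "ext:abcdef", "host": "c2.example-bad.test", "kind": "websocket", "method": "CONNECT"}
{"ts": "2018-04-28T10:00:30", "initiator": "page", "host": "login.examplebank.com.br", "kind": "http", "method": "POST"}
{"ts": "2018-04-28T10:00:31", "initiator": "ext:abcdef", "host": "c2.example-bad.test", "kind": "http", "method": "POST"}
{"ts": "2018-04-28T10:05:00", "initiator": "ext:ghijkl", "host": "api.example-adnetwork.test", "kind": "http", "method": "GET"}
"""


def parse_events(text):
    """Parse one JSON object per line into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_suspicious(events, window=timedelta(seconds=10)):
    """Return a list of (rule_name, event) pairs.

    Rule A: an extension opens a WebSocket while a banking page has been
            loaded in this session (the real-time C&C channel).
    Rule B: an extension POSTs to a non-bank host within `window` of a
            credential POST to a bank host (credentials going to the bank
            and to the attacker's server at the same time).
    """
    hits = []
    bank_session_open = False
    last_bank_post = None
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["host"] in BANK_HOSTS:
            # Traffic to the bank itself is expected; just track state.
            bank_session_open = True
            if event["method"] == "POST":
                last_bank_post = event["ts"]
            continue
        if not event["initiator"].startswith("ext:"):
            continue  # only extension-originated traffic is in scope here
        if event["kind"] == "websocket" and bank_session_open:
            hits.append(("A-ext-websocket-during-bank-session", event))
        if (event["method"] == "POST" and last_bank_post is not None
                and timedelta(0) <= event["ts"] - last_bank_post <= window):
            hits.append(("B-ext-post-after-bank-login", event))
    return hits


def flagged_extensions(hits):
    """Set of extension ids that triggered at least one rule."""
    return {event["initiator"] for _, event in hits}


if __name__ == "__main__":
    for rule, event in find_suspicious(parse_events(SAMPLE_LOG)):
        print(rule, event["initiator"], event["host"], event["ts"].isoformat())
```

On the constructed log, the ad-network request from the second extension is not flagged (no WebSocket, no POST near a bank login), while the first extension trips both rules. In a real deployment the bank host list would come from the organisation's own allowlist and the window would be tuned to the observed latency between the user's login and the extension's exfiltration.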
“Browser extensions aimed at stealing logins and passwords are quite rare in comparison to adware extensions. But given the possible damage that they can cause, it is worth taking them seriously. We recommend choosing proven extensions that have a large number of installations and reviews in the Chrome Web Store or other official services. After all, despite the protection measures taken by the owners of such services, malicious extensions can still penetrate them,” said Vyacheslav Bogdanov, the author of the research.
Furthermore, Kaspersky claims its products can successfully detect and block the extension with the verdict HEUR:Trojan-Banker.Script.Generic. In addition, the Safe Money feature in Kaspersky Lab's flagship home security solutions suggests opening websites in a safe mode (Protected Browser) when users try to enter their personal details into a payment system or any online banking system, to prevent any malicious penetration into the process. The malicious extension was removed from the Chrome Web Store after the research.