Thousands of Google Chrome browsers are at risk from this malicious attack
Cybersecurity researchers have discovered a new malicious campaign that hijacks web browsers to steal sensitive data.
A report by ReasonLabs found that the campaign has so far reached around 300,000 Google Chrome and Microsoft Edge users by creating websites offering free fake software such as Roblox FPS Unlocker, YouTube, VLC Media Player, Steam, and KeePass.
Victims who navigate to these websites and download the fake software instead receive a trojan that has been in circulation since 2021. The malware installs add-ons and extensions that hijack search engines, among other things.
Functional flight
“The trojan malware contains various deliverables, ranging from simple adware extensions that hijack searches to more advanced malicious scripts that deliver local extensions to steal private data and execute various commands,” the researchers explained. “This trojan malware, which has been around since 2021, originates from impersonations of download websites that offer add-ons for online games and videos.”
In some cases, the extensions change the browser’s default search engine to a different one, most likely to generate ad revenue for the threat actors or to distribute further malware. The researchers also noted that removing the add-ons is not straightforward.
“The extension cannot be disabled by the user, even with developer mode ‘ON’,” ReasonLabs said. “Newer versions of the script will remove browser updates.”
To remove the malware, users need to delete scheduled tasks that reactivate the malware, remove registry entries, and delete these files and folders. The Hacker News reports:
C:\Windows\system32\Privacyblockerwindows.ps1
C:\Windows\system32\Windowsupdater1.ps1
C:\Windows\system32\WindowsUpdater1Script.ps1
C:\Windows\system32\Optimizerwindows.ps1
C:\Windows\system32\Printworkflowservice.ps1
C:\Windows\system32\NvWinSearchOptimizer.ps1 – version 2024
C:\Windows\system32\kondserp_optimizer.ps1 – version May 2024
C:\Windows\InternalKernelGrid
C:\Windows\InternalKernelGrid3
C:\Windows\InternalKernelGrid4
C:\Windows\ShellServiceLog
C:\windows\privacyprotectorlog
C:\Windows\NvOptimizerLog
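The cleanup described above is easier to do safely if you first know which of the listed artifacts are actually present and which scheduled tasks would recreate them. The following PowerShell script is an added example, not code from the article or from ReasonLabs: it checks a Windows host for the files and folders in the list above and for scheduled tasks whose actions launch any of the listed scripts. It only reports; it deletes nothing. It assumes Windows 8 / Server 2012 or later (for the ScheduledTasks module) and an elevated prompt so that tasks from all users are visible.

```powershell
# Added example (not from the article or the ReasonLabs report).
# Read-only triage: reports which listed artifacts exist and which scheduled
# tasks reference the listed scripts. Run from an elevated PowerShell prompt.

# File and folder paths exactly as listed in the report (version notes removed).
$artifactPaths = @(
    'C:\Windows\system32\Privacyblockerwindows.ps1',
    'C:\Windows\system32\Windowsupdater1.ps1',
    'C:\Windows\system32\WindowsUpdater1Script.ps1',
    'C:\Windows\system32\Optimizerwindows.ps1',
    'C:\Windows\system32\Printworkflowservice.ps1',
    'C:\Windows\system32\NvWinSearchOptimizer.ps1',
    'C:\Windows\system32\kondserp_optimizer.ps1',
    'C:\Windows\InternalKernelGrid',
    'C:\Windows\InternalKernelGrid3',
    'C:\Windows\InternalKernelGrid4',
    'C:\Windows\ShellServiceLog',
    'C:\windows\privacyprotectorlog',
    'C:\Windows\NvOptimizerLog'
)

# 1. Which of the listed files/folders are present on this host?
$found = foreach ($p in $artifactPaths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p -Force
        [pscustomobject]@{
            Path     = $p
            Type     = if ($item.PSIsContainer) { 'Folder' } else { 'File' }
            Modified = $item.LastWriteTime
        }
    }
}

# 2. Which scheduled tasks launch any of the listed scripts?
#    The campaign uses tasks to reactivate the malware, so a task that survives
#    after the script file is deleted is still a finding worth acting on.
$scriptNames = $artifactPaths |
    Where-Object { $_ -like '*.ps1' } |
    ForEach-Object { [IO.Path]::GetFileName($_) }
$pattern = ($scriptNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

$suspectTasks = Get-ScheduledTask | Where-Object {
    # Combine program and arguments of each action; -match is case-insensitive.
    ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match $pattern
}

# 3. Report.
if ($found) {
    'Listed artifacts present:'
    $found | Format-Table -AutoSize
} else {
    'None of the listed files or folders are present.'
}

if ($suspectTasks) {
    'Scheduled tasks referencing the listed scripts:'
    $suspectTasks | Select-Object TaskName, TaskPath, State | Format-Table -AutoSize
} else {
    'No scheduled tasks reference the listed scripts.'
}
```

Review the task output before removing anything: the article's cleanup order (scheduled tasks first, then registry entries, then files and folders) matters because a surviving task can restore the files you have just deleted. The registry entries are not named in the article, so this script does not attempt to check for them.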