
New Malvertising Campaigns Spreading Backdoors, Malicious Chrome Extensions
2021-12-03 20:47

A series of malicious campaigns has been using fake installers of popular apps and games such as Viber, WeChat, NoxPlayer, and Battlefield as a lure to trick users into downloading a new backdoor and a previously undocumented malicious Google Chrome extension. The goal is to steal credentials and data stored on the compromised systems and to maintain persistent remote access.

A noteworthy aspect of the intrusions is the use of malvertising to target people searching for popular software on search engines: the ads present them with links to fake installers that drop a password stealer called RedLine Stealer, a Chrome extension dubbed "MagnatExtension" that records keystrokes and captures screenshots, and an AutoIt-based backdoor that establishes remote access to the machine.

MagnatExtension, which masquerades as Google's Safe Browsing, also packs other features that are of use to the attackers, including the ability to steal form data, harvest cookies, and execute arbitrary JavaScript code.

The extension's command-and-control communications stand out as well.

"Based on the use of password stealers and a Chrome extension that is similar to a banking trojan, we assess that the attacker's goals are to obtain user credentials, possibly for sale or for his own use in further exploitation," Cisco Talos researcher Tiago Pereira said.

"The motive for the deployment of an RDP backdoor is unclear. The most likely are the sale of RDP access, the use of RDP to work around online service security features based on IP address or other endpoint installed tools or the use of RDP for further exploitation on systems that appear interesting to the attacker."


News URL

https://thehackernews.com/2021/12/new-malvertising-campaigns-spreading.html