Skip to main content

CSA will never ask you to transfer money or disclose banking details. Stay vigilant.

If unsure, call the 24/7 ScamShield Helpline at 1799 to check. www.scamshield.gov.sg

Cyber Security Agency of Singapore
  1. Home
  2. Alerts & Advisories
  3. Alerts
  4. Ongoing Malware Campaign Targeting Google Chrome and Microsoft Edge Browser Users
Alerts

Ongoing Malware Campaign Targeting Google Chrome and Microsoft Edge Browser Users

16 August 2024

There are reports of an ongoing malware campaign targeting Google Chrome and Microsoft Edge browser users. The campaign leverages malvertising on Google Search to redirect users to fake websites masquerading popular software such as YouTube, Roblox FPS Unlocker and KeePass. These fraudulent sites trick users into downloading a malware by impersonating legitimate software that subsequently installs malicious browser extensions.

After the malware is downloaded and executed, it establishes persistence by scheduling a task to execute a PowerShell script. This script then downloads and executes a payload on the affected device, which modifies the Windows Registry to install malicious extensions on Google Chrome and Microsoft Edge browsers.

These malicious extensions are difficult to remove, even with Developer mode enabled, and may allow the attacker to change the user's homepage, hijack search queries and redirect them to malicious websites. Additionally, the attacker could steal the user's browsing history, login credentials, and other sensitive information, monitor the user's online activity and perform remote code execution attacks via their command and control servers. 

These malicious browser extensions and installers may evade detection by most antivirus software. Additionally, the PowerShell script can disable the browser's automatic update function upon startup, preventing Google Chrome's built-in security features from updating automatically and allowing the malware to remain undetected.

Google Chrome and Microsoft Edge browser users are advised to verify whether they have fallen victim to the malware campaign by checking for any indicators of compromise (IOCs) associated with this threat. For the list of IOCs, please refer to the following link.

If users discover any of the IOCs on their devices, they are advised to remove the malware and the persistence mechanisms associated with it by deleting the malicious scheduled tasks, registry keys, and the malware itself from their device. The steps can be found here.

Users are encouraged to be vigilant when downloading software from the internet. By practicing safe browsing habits and staying informed of the latest cyber threats such as malvertising, users can reduce their vulnerability to these threats and ensure a safer online experience for themselves.

More information is available here:

https://reasonlabs.com/research/new-widespread-extension-trojan-malware-campaign

https://www.bleepingcomputer.com/news/security/malware-force-installs-chrome-extensions-on-300-000-browsers-patches-dlls/?fbclid=IwY2xjawEqQWlleHRuA2FlbQIxMQABHZ6AncCX1_x_fovhEIB0KXuzCk-_OhZN1ny8QkiZEqJHAjKxO9ov2Be2fw_aem_4-aeusCe1mABzSmCqBkMAw

https://thehackernews.com/2024/08/new-malware-hits-300000-users-with.html

Back to top