Malicious Chrome Extension  - Chrome Extension Mitm - Malicious Chrome Extension Launch MitM Attack to steal Money from Bank

Newly Discovered performing Man-in-the-Middle to harvest users log in and password to from Victims Accounts.

Recently an analysis of suspicious extensions from Chrome Web Store, an extension called Desbloquear Conteúdo(‘Unblock Content’ in Portuguese) has been discovered.

The malicious Extension specifically targets users of Brazilian online banking services and fraudulent attempt primarily discovered in Brazil.

This malicious chrome extension predominantly targeting online banking service and compromised users using various techniques.

During the Man-in-the-Middle attack, attacker re-directs a victim’s web traffic into a spoof page by modifying DNS settings.

In this case, The victim believes they are connected to their bank’s website and victims can’t realize anything suspicious, but the traffic is re-directed through the attacker’s site that allows the attacker to gather any personal data such as password, PIN, username while entered by the victim.

How Does This Malicious Chrome Extension Works

Malicious chrome extension using obfustication technique to evade the antivirus detection but its source code didn’t obfuscate.

It uses WebSocket protocol for data communication to make it more private and the C&C server will act as a proxy server.

During the Man-in-the-Middle attack, whenever victims visiting the Brazilian bank website, malicious extension redirects the traffic into attacker server.

Desbloquear Conteúdo Extension contains 2 Javascript fundo.js, pages.js to perform two difference operation to control the vicitms.

fundo.js initially start establishing the web socket connection using the function called function websocket_init().

- 180605 mitm extension chrome 3 - Malicious Chrome Extension Launch MitM Attack to steal Money from Bank

Later it downloads the data from the server and stored it in chrome. storage later it contacting the Command & Control server to receive the IP address where the user traffic will be redirected.

According to Kaspersky, It’s worth mentioning here the Proxy Auto Configuration technology. Modern browsers use a special file written in JavaScript which has just one function: FindProxyForURL. With this function, the browser defines which proxy server to use to establish a connection to various domains.

Another pages.js downloads the some of the scripts from the domain ganalytics[.]ga and launches them on the banks’ sites.

A script called cef.js add specific HTML code to the main page of the online banking system and the connected server needed to collect the one-time passwords used for authentication on the bank’s site.

- 2 2 - Malicious Chrome Extension Launch MitM Attack to steal Money from Bank

Once the user accessing the bank login page, , the script creates a clone of the ‘Enter’ button with a click this button Function which is overlaid and eventually victims will click the button.

Finally, the password to the user’s account is sent to the online banking system as well as to the malicious server.

Source link


Please enter your comment!
Please enter your name here