Zimperium researchers have identified an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers. The campaign employs more than 350 versions of malicious browser extensions using the Google Translate extension ID to fool victims into downloading the malicious files.
"The extensions are installed onto a victim's machine via a Windows-based executable, bypassing most endpoint security solutions, along with the security controls found in the official extension stores," researchers explained.
The malicious browser add-ons come with an identical extension ID as that of Google Translate to trick users into believing that they have installed a legitimate extension. However, the extensions are not available on the official browser web stores.
The hackers deliver them via multiple Windows executables that install the add-on on the victim's web browser. If the targeted user already has the Google Translate extension installed, it replaces the original version with the malicious variant owing to their higher version numbers (30.2.5 vs. 2.0.10).
"Furthermore, when this extension is installed, Chrome Web Store assumes that it is Google Translate and not the malicious extension since the Web Store only checks for extension IDs," Zimperium researcher Nipun Gupta stated.
According to Zimperium, the malicious extensions are geared towards serving pop-ups, siphoning private details to deploy target-specific ads, fingerprinting searches, and injecting malicious JavaScript that can further act as spyware to capture keystrokes and monitor web browser activity.
The primary motive of this malicious campaign is to scan for Russian social networking services like Odnoklassniki and VK among the current websites opened in the browser, and if so, collect the victims' first and last names, dates of birth, gender, and transfer the data to a remote server.
The malicious extension does not utilize the stolen details to serve personalized ads but also has the capability to inject custom JavaScript code based on the websites opened. This includes YouTube, Facebook, ASKfm, Mail.ru, Yandex, Rambler, Avito, Brainly's Znanija, Kismia, and rollApp, indicating a heavy Russia focus.
The researchers attributed the campaign to the threat actors based in Russia or Eastern Europe. The extensions were created to single out Russian users given the wide range of local domains featured.
"This malware is purposefully designed to target all kinds of users and serves its purpose of retrieving user information," Gupta said. "The injected scripts can be easily used to serve more malicious behavior into the browser session, such as keystroke mapping and data exfiltration."
