A malicious browser extension with 350 variants is masquerading as a Google Translate add-on as a part of an adware marketing campaign focusing on Russian customers of Google Chrome, Opera, and Mozilla Firefox browsers.
Cellular safety agency Zimperium dubbed the malware household ABCsoup, stating the “extensions are put in onto a sufferer’s machine through a Home windows-based executable, bypassing most endpoint safety options, together with the safety controls discovered within the official extension shops.”
The rogue browser add-ons include the identical extension ID as that of Google Translate — “aapbdbdomjkkjkaonfhkkikfgjllcleb” — in an try and trick customers into believing that they’ve put in a authentic extension.
The extensions aren’t obtainable on the official browser internet shops themselves. Slightly they’re delivered by totally different Home windows executables that set up the add-on on the sufferer’s internet browser.
Within the occasion the focused consumer already has the Google Translate extension put in, it replaces the unique model with the malicious variant owing to their larger model numbers (30.2.5 vs. 2.0.10).
“Moreover, when this extension is put in, Chrome Internet Retailer assumes that it’s Google Translate and never the malicious extension for the reason that Internet Retailer solely checks for extension IDs,” Zimperium researcher Nipun Gupta mentioned.
All of the noticed variants of the extension are geared in the direction of serving pop-ups, harvesting private data to ship target-specific advertisements, fingerprinting searches, and injecting malicious JavaScript that may additional act as a spy ware to seize keystrokes and monitor internet browser exercise.
The primary perform of ABCsoup entails checking for Russian social networking providers like Odnoklassniki and VK among the many present web sites opened within the browser, and if that’s the case, collect the customers’ first and final names, dates of beginning, and gender, and transmit the information to a distant server.
Not solely does the malware use this data to serve personalised advertisements, the extension additionally comes with capabilities to inject customized JavaScript code primarily based on the web sites opened. This consists of YouTube, Fb, ASKfm, Mail.ru, Yandex, Rambler, Avito, Brainly’s Znanija, Kismia, and rollApp, suggesting a heavy Russia focus.
Zimperium attributed the marketing campaign to a “well-organized group” of Jap European and Russian origin, with the extensions designed to single out Russian customers given the wide range of native domains featured.
“This malware is purposefully designed to focus on all types of customers and serves its objective of retrieving consumer data,” Gupta mentioned. “The injected scripts could be simply used to serve extra malicious conduct into the browser session, similar to keystroke mapping and information exfiltration.”
