Malvertising Campaign Transmits Nasty Chrome Extensions and Backdoors
- By David Lukic
- Published: Dec 20, 2021
- Last Updated: Mar 18, 2022
Several malvertising campaigns are tricking people into downloading damaging Google Chrome extensions and backdoors. This covert digital attack aims to steal user credentials and valuable data and sell them to identity thieves.
About the Attack
The malvertising campaigns use fake installers for popular apps and games to convince users that downloading the bundled extensions and backdoors is safe. The primary payload is a previously undocumented Google Chrome extension.
The attack impersonates installers for software ranging from NoxPlayer to WeChat, Battlefield, and Viper to lure targets into seemingly harmless downloads, after which their systems are compromised. The attack is sophisticated enough to give the operator ongoing remote access to the victim's activity and data.
Who is Responsible for the Malvertising?
The identity of the party behind the malware payloads is not yet known. However, Cisco Talos states the hacker operates under the alias of “magnat.” Magnat is enhancing the malvertising campaigns as time progresses, making the threat all the more dangerous with each passing day.
When did the Attacks Start?
Who is Being Targeted?
How Does the Attack Occur?
Links placed on search engine results pages encourage searchers to download installers that deploy a password-stealing program dubbed RedLine Stealer. The malvertising also delivers an extension referred to as MagnatExtension, which records user keystrokes and captures screenshots of the user's activity on the device.
The malvertising attack also includes a backdoor that gives the hacker remote access to the user's computing device. Users are deceived into believing MagnatExtension is Google's Safe Browsing. MagnatExtension is complex to the point that it also receives packages with specialized features for stealing form data, executing JavaScript code, and harvesting cookies.
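As an added, defender-side illustration (not code from the article or from Cisco Talos), the following Python script audits Chrome extension manifest.json files for the permission combinations that would give an extension the capabilities described here: cookie harvesting, JavaScript execution in pages, screenshots and tab monitoring, and content scripts injected into every site. The two manifests are constructed samples; the extensions directory path, the permission-to-capability mapping and the risk thresholds are assumptions chosen for illustration, not indicators taken from the campaign.

```python
"""Audit Chrome extension manifests for capabilities matching a
keylogging / cookie-stealing / screenshotting extension.
Added example; the mapping and thresholds below are assumptions."""
import json
import os

# Manifest permissions that enable the capabilities the article describes.
# (Assumed mapping for illustration; Chrome permission names are real.)
CAPABILITY_PERMISSIONS = {
    "cookies": "cookie harvesting",
    "webRequest": "inspecting or altering web traffic",
    "scripting": "injecting JavaScript into pages",
    "tabs": "tab monitoring and screenshots via tabs.captureVisibleTab",
    "desktopCapture": "screen capture",
    "clipboardRead": "reading clipboard contents",
}

# Host patterns that grant reach into every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one parsed manifest."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(
        manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))  # manifest v3
    # Manifest v2 lists host patterns inside "permissions" instead.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}

    for p in sorted(perms):
        if p in CAPABILITY_PERMISSIONS:
            findings.append(f"permission '{p}': {CAPABILITY_PERMISSIONS[p]}")
    broad = hosts & BROAD_HOSTS
    if broad:
        findings.append("broad host access: " + ", ".join(sorted(broad)))
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOSTS:
            findings.append("content script injected into every site: "
                            + ", ".join(script.get("js", [])))
            break
    return findings


def risk_level(findings: list[str]) -> str:
    """Assumed thresholds: capability + reach into every site is 'high'."""
    has_capability = any(f.startswith("permission ") for f in findings)
    has_reach = any(f.startswith(("broad host", "content script"))
                    for f in findings)
    if has_capability and has_reach:
        return "high"
    if has_capability or has_reach:
        return "medium"
    return "low"


def audit_extensions_dir(extensions_dir: str) -> dict[str, list[str]]:
    """Walk an on-disk Extensions folder and audit every manifest.json found."""
    results = {}
    for root, _dirs, files in os.walk(extensions_dir):
        if "manifest.json" not in files:
            continue
        path = os.path.join(root, "manifest.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        results[path] = audit_manifest(manifest)
    return results


# Constructed sample manifests (not real extensions).
SUSPICIOUS_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Safe Browsing Helper", "version": "1.0",
  "permissions": ["cookies", "tabs", "scripting", "storage"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]
}""")

BENIGN_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Notes", "version": "0.1",
  "permissions": ["storage"],
  "host_permissions": ["https://example.com/*"]
}""")

if __name__ == "__main__":
    for name, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                           ("benign", BENIGN_MANIFEST)):
        found = audit_manifest(manifest)
        print(f"{name}: risk={risk_level(found)}")
        for line in found:
            print("  -", line)
    # Assumed location; adjust to the profile's Extensions directory.
    for path, found in audit_extensions_dir(
            os.path.expanduser("~/.config/google-chrome/Default/Extensions")
    ).items():
        print(path, risk_level(found))
```

A permission set like this is legitimate for some extensions (password managers, screenshot tools), so the output is a triage list, not a verdict: the point is that an extension claiming to be Google's Safe Browsing should not need cookie access, script injection and a content script on every site.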