Malicious Chrome extensions can monitor users' online behavior
Researchers from the security company Malwarebytes recently investigated a malicious Chrome extension.
Malware infected users
This malicious Chrome extension monitors users' browsing habits, automatically displays pop-up windows, and interferes with normal internet access. Malwarebytes researchers also found that the campaign forces users to install Chrome extensions that contain malicious code. The attackers first create a website. Users who visit it receive a continuous stream of pop-up windows urging them to install the malicious extension. If the user declines one prompt, another pops up, so the pop-ups appear one after another. If the user moves the mouse over the browser or clicks the close button, a larger dialog box appears on top, and the website also plays a very loud sound in the background.
A malicious program named eFast Browser appeared earlier. It disguises itself as an extension package embedded in a browser, then turns itself into a browser that hijacks system file associations, so users fall into the trap without knowing it.
According to the Malwarebytes report, once it is successfully installed, eFast Browser tries to delete Chrome and take its place. File associations such as htm/html, pdf, jpg, webp, and xht are hijacked, and network protocols such as ftp, http/https, nntp, sms, and webcal are hijacked as well. It is also worth noting that eFast Browser is built on the open-source Chromium project, so its icon, interface, and functions closely resemble Chrome's, and it looks like any other regular browser built on Chromium. Users who are unfamiliar with the browser are easily confused and may not notice that Chrome has been replaced.
Currently, the impact scope is small.
The Malwarebytes security team shared a demonstration of this malicious extension (see the following figure). After a redirection, Chrome shows a red warning before the user reaches a website that pushes the installation of malicious software. On reaching the website, the user is forced to install an extension named "iCalc", which was published in the Google Web Store. Once installed, the extension offers no calculator function, despite its name; instead, the researchers found that iCalc secretly sets up a proxy to redirect all browser traffic through a remote server.
Malwarebytes has reported the extension to Google. Currently, there are no more than 1000 installations. Users who do not know how to close the Chrome process through Task Manager may be unable to escape the trap designed by the attacker. Google has since removed the extension, and the author of the campaign has begun to push another malicious extension, but this time it affects only Russian users.
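One way a defender could review installed extensions for the proxy behaviour reported above, as an added example that is not from Malwarebytes or the original article. It assumes the extension changes proxy settings through Chrome's `proxy` permission and that manifests sit under `<profile>/Extensions/<id>/<version>/manifest.json`; the sample manifests and extension IDs are constructed.

```python
import json
import tempfile
from pathlib import Path

# Host patterns that give an extension access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Constructed sample manifests (not taken from the extension in the report).
SAMPLE_PROXY_EXT = {"name": "Sample Calculator", "version": "1.0", "permissions": ["proxy", "<all_urls>"]}
SAMPLE_BENIGN_EXT = {"name": "Sample Notes", "version": "2.1", "permissions": ["storage"]}

def audit_manifest(manifest: dict) -> list:
    """Return the reasons a manifest deserves review (empty list: nothing flagged)."""
    perms = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        # Some manifests hold non-string permission entries; only strings matter here.
        perms.update(p for p in (manifest.get(key) or []) if isinstance(p, str))
    reasons = []
    if "proxy" in perms:
        reasons.append("requests the 'proxy' permission (can change browser proxy settings)")
    broad = sorted(perms & BROAD_HOSTS)
    if broad:
        reasons.append("has access to all sites: " + ", ".join(broad))
    return reasons

def audit_extensions_dir(root: Path) -> dict:
    """Audit every <id>/<version>/manifest.json under a profile's Extensions folder."""
    findings = {}
    for path in sorted(root.glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            reasons = audit_manifest(manifest)
        except (OSError, ValueError, AttributeError, TypeError):
            findings[ext_id] = ["manifest unreadable or malformed"]
            continue
        if reasons:
            findings[f"{ext_id} ({manifest.get('name', '?')})"] = reasons
    return findings

def demo() -> dict:
    """Write the constructed samples into a temporary Extensions tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in (("aaaa", SAMPLE_PROXY_EXT), ("bbbb", SAMPLE_BENIGN_EXT)):
            version_dir = Path(tmp) / ext_id / manifest["version"]
            version_dir.mkdir(parents=True)
            (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_extensions_dir(Path(tmp))
```

A flagged entry is a prompt for review, not proof of malice: an extension whose stated purpose (a calculator, for instance) has no need for proxy control is the mismatch worth investigating.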