A malicious browser extension with 350 variants masquerades as a Google Translate add-on as part of an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers.
Mobile security company Zimperium called the malware family ABCsoup and stated that “extensions are installed on a victim’s computer via a Windows-based executable, bypassing most endpoint protection solutions, along with the security checks found in official extension stores.”
The rogue browser add-ons have the same extension ID as Google Translate’s — “aapbdbdomjkkjkaonfhkkikfgjllcleb” — in an attempt to trick users into believing that they have installed a legitimate extension.
The extensions are not available in the official browser web stores themselves. Instead, they are delivered via various Windows executable files that install the add-on on the victim’s web browser.
If the targeted user already has the Google Translate extension installed, the malicious variant replaces the original because it carries a higher version number (30.2.5 vs. 2.0.10).
“In addition, when this extension is installed, the Chrome Web Store assumes it is Google Translate and not the malicious extension, as the Web Store only checks for extension IDs,” Zimperium researcher Nipun Gupta said.
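A defender-side check for the version trick described above, as an added example that is not from Zimperium or the original report: it walks an extensions directory and flags any known extension ID whose manifest version is higher than the newest release the store publishes. The `<id>/<version dir>/manifest.json` layout, the function names, the placeholder IDs and the baseline dictionary are assumptions; 30.2.5 and 2.0.10 are the versions quoted above.

```python
import json
import tempfile
from pathlib import Path

def parse_version(text):
    """'2.0.10' -> (2, 0, 10), so 2.0.10 sorts above 2.0.9."""
    return tuple(int(part) for part in text.split("."))

def find_version_anomalies(extensions_root, store_baseline):
    """Return (id, version, reason) for baseline IDs that look replaced.

    extensions_root: assumed layout <id>/<version dir>/manifest.json
    store_baseline:  {extension_id: newest store version}, defender-maintained
    """
    findings = []
    for path in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        if ext_id not in store_baseline:
            continue
        try:
            version = json.loads(path.read_text(encoding="utf-8-sig"))["version"]
            installed = parse_version(version)
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            findings.append((ext_id, None, "unreadable manifest"))
            continue
        if installed > parse_version(store_baseline[ext_id]):
            findings.append((ext_id, version, "newer than store release"))
    return findings

def write_manifest(root, ext_id, version):
    """Create a constructed sample install under root."""
    folder = Path(root) / ext_id / f"{version}_0"
    folder.mkdir(parents=True)
    (folder / "manifest.json").write_text(json.dumps({"version": version}))

# Constructed placeholder IDs, not real extension IDs.
SUSPECT_ID = "a" * 32
CLEAN_ID = "b" * 32

def demo():
    """Two sample installs: one at the store version, one far above it."""
    baseline = {SUSPECT_ID: "2.0.10", CLEAN_ID: "2.0.10"}
    with tempfile.TemporaryDirectory() as root:
        write_manifest(root, SUSPECT_ID, "30.2.5")  # version quoted in the article
        write_manifest(root, CLEAN_ID, "2.0.10")
        return find_version_anomalies(root, baseline)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The baseline has to track real store releases, otherwise a legitimate update will be flagged as well.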
The main function of ABCsoup is to check whether Russian social networking services such as Odnoklassniki and VK are among the websites currently open in the browser and, if so, to collect the users’ first and last names, dates of birth, and gender and forward the data to a remote server.
Zimperium attributed the campaign to a “well-organized group” of Eastern European and Russian descent, with the extensions intended to single out Russian users, given the wide variety of local domains.
“This malware is purposefully designed to attack all types of users and to retrieve user information,” Gupta said. “The injected scripts can easily be used to display more malicious behavior in the browser session, such as keystroke mapping and data exfiltration.”