Experts discover 350 variants of browser extensions used in ABCsoup adware campaign


A malicious browser extension with 350 variants masquerades as a Google Translate add-on as part of an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers.

Mobile security company Zimperium called the malware family ABCsoup and stated that “extensions are installed on a victim’s computer via a Windows-based executable, bypassing most endpoint protection solutions, along with the security checks found in official extension stores.”

The rogue browser add-ons have the same extension ID as Google Translate’s — “aapbdbdomjkkjkaonfhkkikfgjllcleb” — in an attempt to trick users into believing that they have installed a legitimate extension.

The extensions are not available in the official browser web stores themselves. Instead, they are delivered via various Windows executable files that install the add-on on the victim’s web browser.

If the targeted user already has the Google Translate extension installed, the malicious variant replaces the original version because it carries a higher version number (30.2.5 vs. 2.0.10).

“In addition, when this extension is installed, the Chrome Web Store assumes it is Google Translate and not the malicious extension, as the Web Store only checks for extension IDs,” Zimperium researcher Nipun Gupta said.
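Because the ID matches, the version number is the visible difference on disk. The following added example (not Zimperium's tooling or code from the article) audits a Chrome profile for copies of the Google Translate ID whose manifest version exceeds the genuine version quoted above. It assumes the usual `<profile>/Extensions/<id>/<version dir>/manifest.json` layout; the function names and the sample profile are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Google Translate's Chrome Web Store ID, which the article says ABCsoup reuses.
TRANSLATE_ID = "aapbdbdomjkkjkaonfhkkikfgjllcleb"
# Genuine version quoted in the article; the malicious variants report 30.2.5.
GENUINE_VERSION = "2.0.10"


def parse_version(text):
    """Turn a dotted manifest version such as '30.2.5' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def audit_profile(profile_dir, ext_id=TRANSLATE_ID, baseline=GENUINE_VERSION):
    """List copies of ext_id in a profile whose version exceeds the baseline.

    Assumed layout: <profile>/Extensions/<id>/<version dir>/manifest.json
    """
    findings = []
    ext_root = Path(profile_dir) / "Extensions" / ext_id
    for path in sorted(ext_root.glob("*/manifest.json")):
        try:
            raw = json.loads(path.read_text(encoding="utf-8-sig"))["version"]
            version = parse_version(raw)
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            findings.append((str(path), None, "unreadable manifest"))
            continue
        if version > parse_version(baseline):
            findings.append((str(path), raw, "version above genuine baseline"))
    return findings


def build_sample_profile(root, version):
    """Write a constructed profile tree with one manifest (sample data only)."""
    ext_dir = Path(root) / "Extensions" / TRANSLATE_ID / f"{version}_0"
    ext_dir.mkdir(parents=True)
    manifest = {"name": "Google Translate", "version": version}
    (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for item in audit_profile(build_sample_profile(tmp, "30.2.5")):
            print(item)
```

The baseline is the version reported in the article and will go stale as the genuine extension is updated, so pass the currently published version as `baseline` when running this against real profiles.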

All observed variants of the extension focus on displaying pop-ups, collecting personal information to deliver targeted advertisements, fingerprinting search queries and injecting malicious JavaScript that can further act as spyware to record keystrokes and activity of the web browser.

ABCsoup’s main function is to check whether Russian social networking services such as Odnoklassniki and VK are among the websites currently open in the browser and, if so, to collect the users’ first and last names, dates of birth and gender and forward the data to a remote server.

The malware not only uses this information to display personalized ads; the extension can also inject custom JavaScript code based on the websites opened. These include YouTube, Facebook, ASKfm, Yandex, Rambler, Avito, Brainly’s Znanija, Kismia and rollApp, indicating a strong focus on Russia.

Zimperium attributed the campaign to a “well-organized group” of Eastern European and Russian origin, with the extensions designed to single out Russian users, given the wide variety of local domains.

“This malware is purposefully designed to attack all types of users and to retrieve user information,” Gupta said. “The injected scripts can easily be used to display more malicious behavior in the browser session, such as keystroke mapping and data exfiltration.”