Malware Campaign Affecting Microsoft & Google | Neuways – Technologist
A recent analysis by cybersecurity firm ReasonLabs has exposed a major ongoing malware campaign that targets Google Chrome and Microsoft Edge users. This attack has compromised more than 300,000 systems globally, installing malicious browser extensions and modifying critical browser files on Windows systems.
New malware campaign affecting Microsoft and Google Browsers – what is involved?
The cyberattack allows criminals to steal sensitive data, alter search results, and potentially execute harmful commands. This malware campaign affecting Microsoft and Google browsers has already caused considerable disruption for a number of businesses.
Researchers discovered that the campaign starts with deceptive online ads, or “malvertising,” which trick users into downloading seemingly legitimate software like Roblox FPS Unlocker, VLC video player, TikTok Video Downloader, YouTube downloader, KeePass password manager, and Dolphin Emulator. These installers, signed by “Tommy Tech LTD,” act as Trojan horses, secretly executing malicious PowerShell scripts.
What do the dangerous scripts do?
These scripts serve two main purposes: to force-install harmful Chrome and Edge extensions and to modify essential browser DLL files. The installed extensions, disguised as legitimate search tools, hijack user searches and redirect traffic to the attackers’ servers, enabling data collection and profit generation.
To maintain persistence, the malware sets up scheduled tasks on infected systems, allowing it to reinstate itself even after attempts to remove it. Additionally, it alters browser shortcuts and disables automatic updates, making it harder for users to detect and eliminate the cyber threat.
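The artefacts described above (policy-forced extensions, altered browser shortcuts, PowerShell scheduled tasks and disabled browser updates) can be triaged on a Windows host with the script below. This is an added example, not code from the ReasonLabs report or from Neuways; the registry policy paths, shortcut folders and update service names are standard Chrome/Edge locations, and it is an assumption that this campaign's force-install goes through the ExtensionInstallForcelist policy.

```powershell
# Added triage example: lists host artefacts matching the behaviour the article describes.
# It reports for review; it does not remove anything. Run in an elevated PowerShell 5.1+ session.
$findings = @()

# 1. Extensions force-installed by policy (only legitimate when set by your own IT/MDM).
#    Assumption: the campaign uses the standard ExtensionInstallForcelist policy keys.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
foreach ($key in $policyKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object {
                $findings += [pscustomobject]@{ Type = 'ForceInstall'; Where = $key; Detail = $_.Value }
            }
    }
}

# 2. Browser shortcuts whose target or arguments were altered (a genuine shortcut points at
#    chrome.exe / msedge.exe and normally carries no extra arguments; review any that do).
$shortcutDirs = @("$env:PUBLIC\Desktop", "$env:USERPROFILE\Desktop",
                  "$env:ProgramData\Microsoft\Windows\Start Menu\Programs")
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $shortcutDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'Chrome|Edge' } | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if ($lnk.Arguments -ne '' -or $lnk.TargetPath -notmatch '\\(chrome|msedge)\.exe$') {
            $findings += [pscustomobject]@{ Type = 'Shortcut'; Where = $_.FullName; Detail = "$($lnk.TargetPath) $($lnk.Arguments)" }
        }
    }

# 3. Scheduled tasks that launch PowerShell (the persistence mechanism the report describes).
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match 'powershell|pwsh') {
            $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Where = $task.TaskPath + $task.TaskName; Detail = "$($a.Execute) $($a.Arguments)" }
        }
    }
}

# 4. Google / Edge update services that have been disabled.
Get-Service -Name 'gupdate', 'gupdatem', 'edgeupdate', 'edgeupdatem' -ErrorAction SilentlyContinue |
    Where-Object { $_.StartType -eq 'Disabled' } | ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'UpdateService'; Where = $_.Name; Detail = $_.StartType }
    }

$findings | Format-Table -AutoSize
```

Hits under ForceInstall are extension IDs; compare them against the extension names in the report and against what your own endpoint management actually deploys before treating them as malicious.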
How does the cyber attack work?
The most concerning aspect is the modification of browser DLL files, giving attackers direct control over browser behaviour. This enables them to override default search engines, manipulate search results, and potentially execute arbitrary code.
The report has identified several Chrome and Edge extensions linked to the campaign, including:
Google Chrome:
- Micro Search Chrome Extension (removed from store)
- Active Search Bar (removed from store)
- Your Search Bar (removed from store)
- Safe Search Eng (removed from store)
- Lax Search (removed from store)
- Custom Search Bar
- yglSearch
- Qcom search bar
- Qtr Search
Microsoft Edge:
- Simple New Tab (removed from store)
- Cleaner New Tab (removed from store)
- NewTab Wonders (removed from store)
- SearchNukes (removed from store)
- EXYZ Search (removed from store)
- Wonders Tab (removed from store)
Who has been alerted to the cyber attack?
Despite the widespread impact, many antivirus programs have not yet detected the threat. ReasonLabs has alerted both Google and Microsoft and continues to monitor the situation. Some of the malicious extensions remain available on the Chrome Web Store, though all identified extensions have been removed from the Edge Add-ons store.
What next?
To reduce the risk of infection, users should be cautious when downloading software, keep antivirus programs up to date, and avoid suspicious browser extensions. If you suspect your system is compromised, take immediate action to remove the malware. Should you continue to be concerned, we would also advise that you speak to your MSP or cyber security provider.