holidayscas.blogg.se

All chromium based browsers
Update (2:05AM EST): We have updated the list of IOCs and detections.

We published our analyses on CopperStealer distributing malware by abusing various components such as a browser stealer, an adware browser extension, or remote desktop. Tracking the cybercriminal group's latest activities, we found a malicious browser extension capable of creating and stealing API keys from infected machines when the victim is logged in to a major cryptocurrency exchange website. These API keys allow the extension to perform transactions and send cryptocurrencies from victims' wallets to the attackers' wallets. Similar to previous routines, this new component is spread via fake crack (also known as warez) websites. The component is usually distributed in one dropper together with a browser stealer and bundled with other unrelated pieces of malware. This bundle is compressed into a password-protected archive and has been distributed in the wild since July. The component uses the same cryptor described in previous posts in the first stage, followed by a second stage in which the decrypted DLL is packed with the Ultimate Packer for Executables (UPX). After decrypting and unpacking, we noticed a resource directory named CRX containing a 7-Zip archive. Malicious Chrome browser extensions are usually packaged this way. The extension installer first modifies the files Preferences and Secure Preferences in the Chromium-based browser's User Data directory. The file named Preferences is in JSON format and contains individual user settings. The extension installer switches off browser notifications.

The author does not take responsibility for any illegal use of the software.

BrowserStealer (Chrome / Firefox / Microsoft Edge)

    Simple password/cookies/history/bookmarks stealer/dumper for Chrome (all versions, including 80+), Microsoft Edge, all Chromium-based browsers, and all Gecko-based browsers (Firefox etc.).

  • Added static linking, so there are no dependencies.
  • No dependencies (almost all code is C, or C mixed with C++ with minimal use of it).
  • All actions are based on hidden WinAPI calls.
  • Hidden import table (hidden: shell32, and functions from kernel32, bcrypt, etc.).
  • Support for Gecko-based browsers (Firefox etc.) (warning: if the browser is x64 you need to use the x64 build).
  • Support for Chromium-based browsers (Google Chrome, Microsoft Edge, etc.).
  • All WinAPI calls use import table obfuscation.
  • It can find Firefox in a non-standard location.