Cybersecurity researchers have detected a new malicious campaign that hijacks web browsers to steal sensitive data.
A ReasonLabs report described how the campaign has so far affected around 300,000 Google Chrome and Microsoft Edge users. The operators set up websites offering free downloads of fake versions of popular software, including Roblox FPS Unlocker, YouTube, VLC media player, Steam and KeePass.
Victims who navigate to these websites and download the fake software instead receive a Trojan that has been in circulation since 2021. The Trojan installs browser add-ons and extensions that hijack search engines, among other things.
A range of functions
“The Trojan malware contains different deliverables ranging from simple adware extensions that hijack searches to more sophisticated malicious scripts that deliver local extensions to steal private data and execute various commands,” the researchers explained. “This Trojan malware, which has been around since 2021, originates from imitations of download websites with add-ons for online games and videos.”
In some cases, the extensions change the browser's default search engine, most likely so that the threat actors can profit from the ads they serve, or so that they can deploy more harmful malware later. The researchers also noted that removing the add-ons is not straightforward.
“The extension cannot be disabled by the user, even with developer mode enabled,” ReasonLabs said. “Newer versions of the script remove browser updates.”
To remove the malware, users must delete the scheduled tasks that reactivate it, delete the associated registry entries, and delete the following files and folders (as listed by The Hacker News):
C:\Windows\system32\Privacyblockerwindows.ps1
C:\Windows\system32\Windowsupdater1.ps1
C:\Windows\system32\WindowsUpdater1Script.ps1
C:\Windows\system32\Optimizerwindows.ps1
C:\Windows\system32\Printworkflowservice.ps1
C:\Windows\system32\NvWinSearchOptimizer.ps1 (2024 version)
C:\Windows\system32\kondserp_optimizer.ps1 (May 2024 version)
C:\Windows\InternalKernelGrid
C:\Windows\InternalKernelGrid3
C:\Windows\InternalKernelGrid4
C:\Windows\ShellServiceLog
C:\windows\privacyprotectorlog
C:\Windows\NvOptimizerLog
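The removal steps above can be scripted. The PowerShell below is an added example written for this page; it is not ReasonLabs' or The Hacker News' tooling. It takes the file and folder list from the article as given. The article does not name the registry entries, so the ExtensionInstallForcelist policy keys used here are an assumption: that policy is the mechanism Chrome and Edge use to force-install an extension so that the user cannot disable or remove it from the browser UI, which matches the behaviour the researchers describe. The script removes the scheduled tasks first, because they re-launch the scripts and would otherwise recreate what the later steps delete.

```powershell
#Requires -RunAsAdministrator
# Added cleanup example for the campaign described above (not ReasonLabs' or THN's code).
# Run from an elevated PowerShell. Order: tasks -> running processes -> files -> policy keys.
$ErrorActionPreference = 'Stop'

# File and folder indicators exactly as listed in the article.
$Paths = @(
    'C:\Windows\system32\Privacyblockerwindows.ps1',
    'C:\Windows\system32\Windowsupdater1.ps1',
    'C:\Windows\system32\WindowsUpdater1Script.ps1',
    'C:\Windows\system32\Optimizerwindows.ps1',
    'C:\Windows\system32\Printworkflowservice.ps1',
    'C:\Windows\system32\NvWinSearchOptimizer.ps1',
    'C:\Windows\system32\kondserp_optimizer.ps1',
    'C:\Windows\InternalKernelGrid',
    'C:\Windows\InternalKernelGrid3',
    'C:\Windows\InternalKernelGrid4',
    'C:\Windows\ShellServiceLog',
    'C:\windows\privacyprotectorlog',
    'C:\Windows\NvOptimizerLog'
)
# Leaf names ("kondserp_optimizer.ps1", "InternalKernelGrid3", ...) used to match task actions and command lines.
$Names = $Paths | ForEach-Object { Split-Path -Path $_ -Leaf }

# ASSUMPTION: the article only says "delete the registry entries". These are the Chrome/Edge
# force-install policy keys; an extension listed here shows as "installed by your administrator"
# and cannot be disabled by the user. On a domain-managed machine they may hold legitimate entries,
# so they are listed for review and only cleared when -ClearForceList is passed.
$ForceListKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
$ClearForceList = $args -contains '-ClearForceList'

function Test-MatchesIndicator([string]$Text) {
    # True when the text references any of the indicator file/folder names.
    if (-not $Text) { return $false }
    return @($Names | Where-Object { $Text -like "*$_*" }).Count -gt 0
}

# 1. Scheduled tasks whose action launches one of the indicator scripts or folders.
foreach ($task in Get-ScheduledTask) {
    $actionText = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    if (Test-MatchesIndicator $actionText) {
        Write-Host "Removing scheduled task $($task.TaskPath)$($task.TaskName): $actionText"
        Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false
    }
}

# 2. PowerShell processes still running one of the scripts (they would re-create files otherwise).
Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe' OR Name = 'pwsh.exe'" |
    Where-Object { Test-MatchesIndicator $_.CommandLine } |
    ForEach-Object {
        Write-Host "Stopping PID $($_.ProcessId): $($_.CommandLine)"
        Stop-Process -Id $_.ProcessId -Force
    }

# 3. Files and folders. -LiteralPath avoids wildcard expansion; -Recurse handles the log folders.
foreach ($p in $Paths) {
    if (Test-Path -LiteralPath $p) {
        Write-Host "Removing $p"
        Remove-Item -LiteralPath $p -Recurse -Force
    }
}

# 4. Force-install policy entries: show each "<extension id>;<update url>" value for review.
foreach ($key in $ForceListKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { Write-Host "Force-installed via $key : $($_.Value)" }
    if ($ClearForceList) {
        Write-Host "Deleting $key"
        Remove-Item -LiteralPath $key -Recurse -Force
    }
}
Write-Host 'Done. Restart the browser, then check chrome://extensions and edge://extensions.'
```

Run it once to see what it finds, then again with `-ClearForceList` if the listed policy values are not ones your organisation manages. Because the researchers report that newer versions of the script disable browser updates, finish by manually triggering an update in each browser (or reinstalling it) and confirming that the hijacked search engine setting has reverted.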