Spyware Chrome extension campaign targeting Brazil


SonicWall has been observing a campaign targeting Brazil that starts with a malicious PDF file. The attack begins when the victim receives the PDF as an attachment to a legitimate-looking email.

Attackers now rely heavily on scripts to deliver their final payloads. This campaign is no exception: a chain of scripts is used in stages to deliver the payload, which is spyware.

The spyware is installed on the victim's system as a Google Chrome extension. The following image depicts the infection cycle:

Fig 1. Malware infection cycle

At the time of analysis, no AV vendor on VirusTotal detected the malicious PDF file, whereas SonicWall's Real-Time Deep Memory Inspection (RTDMI) engine did (see the Capture ATP report at the end of this post).

Fig 2. The PDF file detection in VirusTotal.

The malicious PDF file tries to lure the victim into downloading the next-stage file with text that presents it as an image. To go unnoticed, the PDF uses a short URL, "hxxp://bit.ly/2XfBhuA", which expands to "hxxps://www.dropbox.com/s/dl/5nepym179xr7ehz/Fotos%20L-nn-2002-0711.vbs.zip", as shown below. Note the double extension in the file name: the "photos" archive actually carries a .vbs script.

Fig 3. Crafted PDF content.

On clicking the image, an archive file is downloaded onto the victim's system from Dropbox.

The downloaded archive contains a VBS script which, when executed, connects to a C&C server (hxxp://desenvolveangar.info/?tgow=shuran&). The C&C server gates the next stage to tell a real infection apart from a bot or automated scanner: only when the request carries the header "USER-AGENT: COOLDOWN" and the data "Z" does the server return the next-stage malicious file (encoded to evade detection); any other request is served an image file, as shown below:

Fig 4. Malware using specific User-Agent and data

The code snippet below shows how the downloaded script, which is delivered with its text reversed, is decoded and executed:

Analysis of the downloaded VBS script

The VBS script uses multiple components on the victim's system to achieve its goal.

To avoid reinfection, the VBS script first checks for a file named "125x" in the "%UserProfile%" directory. If the file is present, the script terminates. Otherwise it creates a file with that name in "%UserProfile%" and writes 6 bytes of data into it, as shown below:

Fig 5. “125x” file content

The script makes extensive use of the sleep method; long sleeps can run out the analysis window of sandboxes and emulators before any malicious behaviour is reached. It uses the Windows Management Instrumentation (WMI) framework to collect the victim's system information, as shown in the table below:

Table 1. WMI queries and Objects used by the script

At present, the malware appears to have been written to target users in a specific country: the stolen data is only sent back to the C&C server if the victim is in Brazil. The victim's country is verified by checking the country code ("55" for Brazil).

Fig 6. System information sent to the C&C server

A batch script is then dropped to disk and executed. It first deletes the existing Google Chrome shortcuts and then creates replacement "Google Chrome" shortcuts that launch the malicious VBS script instead, so the script is re-run whenever the victim opens the browser from one of them.

The batch script also lowers browser security by modifying the Internet zone settings. To remove traces of the infection, the script deletes itself afterwards.

Code Snippet:

The malware then checks for a file named "utg.zip" in the "%UserProfile%" directory; this archive contains the Chrome extension. To ensure the latest version of the extension is present on the victim's system, it deletes any existing copy and downloads the archive again from the C&C server.

The malware continues with its data collection and other activities. It collects data such as the system manufacturer and model and the network adapter configuration caption and description, which it later sends to the C&C server, as shown below:

Fig 7. C&C sends URL to download chrome extension

If the C&C server decides the malware is running inside a virtual environment, it instructs the malware to stop execution by returning the word "bit" in the response data. Otherwise it returns the URL of the final payload.

The malware uses a VBS code snippet fetched from "hxxp://pastebin.com/raw/kXaRaqSu" to download the final payload, an archive containing the Chrome extension, as shown below:

Fig 8. Code snippet from Pastebin.com

After extracting the archive, the malware checks for the file "%UserProfile%\Chrome\1.9.6\6.js" and notifies the C&C server if it is present, as shown below:

Fig 9. Archive contents (Chrome Extension)
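The chain described so far leaves several host artifacts behind: the "125x" marker, the "utg.zip" archive and extracted "6.js" in the user profile, Chrome shortcuts rewritten to launch a VBS script, lowered Internet zone settings, and a script host process. The PowerShell triage function below is an added example, not SonicWall's code or anything from the malware. It only reports, never removes. Assumptions are marked in the comments: the shortcut locations it searches, the interpretation of the Internet zone values it flags, and the WMI class used to read the country code are choices of this example, not details stated in the analysis.

```powershell
# Added example (not SonicWall's code): report the host artifacts named in the analysis above.

function Get-ChromeSpywareTriage {
    [CmdletBinding()]
    param(
        [string]$ProfileDir = $env:USERPROFILE
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. File markers named in the analysis: reinfection marker, extension archive, extracted script.
    foreach ($rel in '125x', 'utg.zip', 'Chrome\1.9.6\6.js') {
        $p = Join-Path $ProfileDir $rel
        if (Test-Path -LiteralPath $p) {
            $len = (Get-Item -LiteralPath $p).Length
            $findings.Add("file marker present: $p ($len bytes)")
        }
    }

    # 2. "Google Chrome" shortcuts whose target or arguments really launch a script host or a .vbs file.
    #    Assumption: the analysis does not say where the shortcuts were written, so the usual
    #    desktop, Start Menu and taskbar locations are searched.
    $shell = New-Object -ComObject WScript.Shell
    $lnkDirs = @(
        [Environment]::GetFolderPath('Desktop')
        [Environment]::GetFolderPath('CommonDesktopDirectory')
        [Environment]::GetFolderPath('Programs')
        [Environment]::GetFolderPath('CommonPrograms')
        (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
    )
    foreach ($dir in $lnkDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.BaseName -match 'chrome' } |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
                if ($cmd -match '(?i)\.vbs|wscript|cscript') {
                    $findings.Add("hijacked Chrome shortcut: $($_.FullName) -> $cmd")
                }
            }
    }

    # 3. Internet zone (Zones\3) settings. Value data: 0 = enable, 1 = prompt, 3 = disable.
    #    Assumption: the analysis does not list which values the batch script changed, so the
    #    raw values are reported and only clearly unsafe states are flagged as LOWERED.
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $watch = [ordered]@{
        '1004' = 'Download unsigned ActiveX controls'
        '1201' = 'Initialize and script ActiveX controls not marked as safe'
        '1400' = 'Active scripting'
        '2500' = 'Protected Mode (0 = on, 3 = off)'
    }
    $zone = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
    foreach ($name in $watch.Keys) {
        $val = if ($zone) { $zone.$name } else { $null }
        $findings.Add("zone3 $name ($($watch[$name])) = $val")
        if (($name -in '1004', '1201') -and ($val -eq 0)) { $findings.Add("LOWERED: zone3 $name enabled") }
        if (($name -eq '2500') -and ($val -eq 3)) { $findings.Add("LOWERED: zone3 Protected Mode off") }
    }

    # 4. Live script hosts: the chain runs under wscript/cscript before the extension is installed.
    Get-CimInstance Win32_Process -Filter "Name='wscript.exe' OR Name='cscript.exe'" |
        ForEach-Object { $findings.Add("script host running: PID $($_.ProcessId) $($_.CommandLine)") }

    # 5. Country code the targeting check keys on (55 = Brazil).
    #    Assumption: read from Win32_OperatingSystem.CountryCode; the analysis only says the value is checked.
    $cc = (Get-CimInstance Win32_OperatingSystem).CountryCode
    $findings.Add("OS country code = $cc (the script only exfiltrates when this is 55)")

    return $findings
}

Get-ChromeSpywareTriage | ForEach-Object { Write-Output $_ }
```

Run it from the affected user's session (or pass -ProfileDir with that user's profile path when running as another account), since the markers, the HKCU zone values and the per-user shortcut folders are all user-scoped. A host outside Brazil that shows the markers but no exfiltration traffic is consistent with the country gate described above, not proof that the script failed.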

The extension's JSON manifest file, "manifest.json", which carries the extension's metadata, is then modified by the malware, as shown below:

Fig 10. Original and modified manifest.json file

Extension detail information

  • Manifest.json file

This manifest file contains metadata about the extension. Its important fields are described below.

Table 2. Manifest.json file

  • JS file hash

Table 3. JS file names and their hashes

Evidence of detection by the RTDMI engine can be seen below in the Capture ATP report for this file:

Fig 11. Capture ATP report snapshot

