At the end of 2018, researchers discovered a piece of malware that installed malicious browser extensions; it blocked browser updates and security checks so that the extensions could be installed.
Known as ‘Razy’, the trojan has now evolved into a much more dangerous threat. In its blog post, antivirus company Kaspersky Lab elaborated on how Razy’s new features focus on stealing cryptocurrency from victims.
Aside from replacing cryptocurrency wallet addresses with the attacker’s own, Razy spoofs search results from Google and Yandex. Furthermore, it spoofs the QR codes of genuine wallet addresses and modifies cryptocurrency trading websites.
The aftermath of infection
According to a blog post by the antivirus company, Razy initiates a man-in-the-browser (MITB) attack and tampers with websites. “The whole scenario is a classic example of a man-in-the-browser attack. The malicious extensions alter website content as their creators desire. In the case of Razy, cryptocurrency owners have the most to fear.
The extension targets cryptocurrency exchanges' sites, adorning them with banners displaying “lucrative” offers to buy or sell cryptocurrency — but users who swallow the bait end up enriching the cybercriminals, not themselves,” the post explains.
To do this, the trojan adds many malicious scripts to the browser in addition to its main scripts, such as bgs.js, extab.js, firebase-app.js, firebase-messaging.js and firebase-messaging-sw.js, so that the web page can be manipulated in its entirety.
Even Wikipedia is targeted: the main page of the site displays a message asking users to donate to the attackers’ cryptocurrency wallet addresses. It has also been observed that Razy mainly targets Bitcoin and Ethereum wallet owners.
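The address substitution described above can be caught from the defender's side by comparing what the page actually renders with the addresses the site is known to publish. The script below is an added example, not code from the article or from Kaspersky's write-up: it extracts candidate Bitcoin (legacy Base58Check) and Ethereum addresses from page text, validates the Bitcoin checksum so random alphanumeric strings are ignored, and reports any address not on the expected list. The sample page and all addresses are constructed for the example.

```python
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidate patterns: legacy Base58Check Bitcoin addresses and 0x-prefixed Ethereum addresses.
ADDRESS_RE = re.compile(r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|0x[0-9a-fA-F]{40})\b")


def b58check_encode(payload: bytes) -> str:
    """Base58Check-encode version byte + hash160 (used here only to build sample addresses)."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out  # each leading zero byte -> '1'


def is_valid_btc_address(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose trailing 4-byte double-SHA256 checksum matches."""
    if any(ch not in ALPHABET for ch in addr):
        return False
    n = 0
    for ch in addr:
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    data = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    return len(data) == 25 and hashlib.sha256(hashlib.sha256(data[:-4]).digest()).digest()[:4] == data[-4:]


def is_plausible_address(addr: str) -> bool:
    # Ethereum: format check only; the EIP-55 checksum needs Keccak-256, which the stdlib lacks.
    return addr.startswith("0x") or is_valid_btc_address(addr)


def find_unexpected_addresses(page_text: str, expected: set) -> list:
    """Well-formed addresses rendered in the page that are not ones the site should be showing."""
    found = [m.group(0) for m in ADDRESS_RE.finditer(page_text)]
    return [a for a in found if is_plausible_address(a) and a not in expected]


# Constructed sample: a donation page whose real address was swapped by a malicious extension.
LEGIT_BTC = b58check_encode(b"\x00" + hashlib.sha256(b"constructed legit").digest()[:20])
SWAPPED_BTC = b58check_encode(b"\x00" + hashlib.sha256(b"constructed swapped").digest()[:20])
SWAPPED_ETH = "0x" + hashlib.sha256(b"constructed eth").hexdigest()[:40]
SAMPLE_PAGE = (f"Donate BTC: {SWAPPED_BTC}\nDonate ETH: {SWAPPED_ETH}\n"
               f"Order id 1ABCDEFGHJKLMNPQRSTUVWXYZabcdefg is not an address.")

if __name__ == "__main__":
    print(find_unexpected_addresses(SAMPLE_PAGE, {LEGIT_BTC}))  # the two swapped addresses
```

In a real deployment the expected set would come from the site operator's published addresses, and the page text from the DOM the browser actually rendered, since the substitution happens after the page leaves the server.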