Researchers at Kaspersky Lab have disclosed information about a relatively new malware that attacks browsers in the search of cryptocurrency. The research is written about in a Kaspersky SecureList post by co-authors Victoria Vlasova and Vyacheslav Bogdanov. Entitled “Razy” after a file that was identified as Trojan.Win32.Razy.gen, the malware spoofs search results and, as alluded to earlier, attacks browser extensions.
According to researchers, Razy has a particular modus operandi, which is explored in the following quoted passage:
Razy serves several purposes, mostly related to the theft of cryptocurrency. Its main tool is the script main.js that is capable of:
- Searching for addresses of cryptocurrency wallets on websites and replacing them with the threat actor’s wallet addresses
- Spoofing images of QR codes pointing to wallets
- Modifying the web pages of cryptocurrency exchanges
- Spoofing Google and Yandex search results
The attacks on browsers are not the same — on the contrary, there is a unique process to each attack. In the case of Firefox, the Razy malware installs an extension called Firefox Protection that begins altering files in APPDATA and PROGRAMFILES. As for Yandex and Chrome, Razy disables the “browser extension integrity check” and creates registry keys to disable browser updates. Next, for Yandex browsers, Razy installs a malicious extension entitled “Yandex Protect.” In the case of Chrome browsers, researchers note that different extensions at various times have been found rather than one static place of infection. However, the most prevalent appears to be the Chrome Media Router.
Another thing of note when looking at the Razy Trojan is how it uses the same scripts regardless of the application it is attacking. Researchers explain this further as the following facts:
Irrespective of the targeted browser type, Razy added the following scripts it brought along to the folder containing the malicious script: bgs.js, extab.js, firebase-app.js, firebase-messaging.js and firebase-messaging-sw.js... The file manifest.json was created in the same folder or was overwritten to ensure these scripts get called.
If you notice your browser acting strange for any reason, an anti-malware scan may be in order.
Featured image: Flickr / Richard Patterson