Razy malware is looking for cryptocurrency payday

Researchers at Kaspersky Lab have disclosed details of a relatively new piece of malware that tampers with browsers in search of cryptocurrency. The research is described in a Kaspersky SecureList post by Victoria Vlasova and Vyacheslav Bogdanov. Named "Razy" after a file detected as Trojan.Win32.Razy.gen, the malware spoofs search results and installs or infects browser extensions.

According to the researchers, Razy has a particular modus operandi, summarized in the following quoted passage:

Razy serves several purposes, mostly related to the theft of cryptocurrency. Its main tool is the script main.js that is capable of:

  • Searching for addresses of cryptocurrency wallets on websites and replacing them with the threat actor’s wallet addresses
  • Spoofing images of QR codes pointing to wallets
  • Modifying the web pages of cryptocurrency exchanges
  • Spoofing Google and Yandex search results
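The first item in that list, address substitution, is the one a user is least likely to notice, because the replacement address is as well formed as the original. The block below is an added example written for this page; it is not code from the Kaspersky post, from this article, or from the malware. It models what such a script does as pure functions over page text so that it runs in Node without a DOM (a real content script would walk the page's text nodes and apply the same replacement to each nodeValue). The address patterns are deliberately loose, and every address and the page text are constructed placeholders, not real wallets.

```javascript
// Added example for this page, not code from the Kaspersky report or from Razy.
// It shows the wallet-address substitution step as pure functions over page
// text so it runs in Node without a DOM; an actual content script would walk
// document.body's text nodes and apply the same replacement to nodeValue.
// All addresses and the page text below are constructed and are not real wallets.

// Loose patterns for two address families: legacy Base58 Bitcoin (P2PKH/P2SH)
// and hex Ethereum. Base58 omits the characters 0, O, I and l.
const BTC_RE = /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/g;
const ETH_RE = /\b0x[0-9a-fA-F]{40}\b/g;

// Constructed addresses (assumed; they pass no checksum and belong to no one).
const VICTIM = { btc: '1VictimVictimVictimVictimVictimVic', eth: '0x' + '12'.repeat(20) };
const ATTACKER = { btc: '1AttackerAttackerAttackerAttackerX', eth: '0x' + 'ab'.repeat(20) };

// Constructed page text as a user might see it on a donation or exchange page.
const PAGE = `Send 0.5 BTC to ${VICTIM.btc} or 1 ETH to ${VICTIM.eth} before Friday.`;

// What a Razy-style main.js does: every address that is not already the
// attacker's is rewritten to the attacker's; the rest of the page is untouched,
// so the result still reads as a normal, well-formed address.
function swapWalletAddresses(text, attacker) {
  const replaced = [];
  const swap = (input, re, dest) =>
    input.replace(re, (match) => {
      if (match === dest) return match;
      replaced.push(match);
      return dest;
    });
  let out = swap(text, BTC_RE, attacker.btc);
  out = swap(out, ETH_RE, attacker.eth);
  return { text: out, replaced };
}

// Defensive check: compare the addresses actually rendered with ones obtained
// out of band (the exchange's mobile app, a printed invoice, a phone call).
// A checksum cannot help here, because the attacker's address is valid too.
function auditAddresses(renderedText, expectedAddresses) {
  const seen = new Set(
    [...renderedText.matchAll(BTC_RE), ...renderedText.matchAll(ETH_RE)].map((m) => m[0]),
  );
  return {
    missing: expectedAddresses.filter((a) => !seen.has(a)),
    unexpected: [...seen].filter((a) => !expectedAddresses.includes(a)),
  };
}

// Walk-through: the clean page audits clean; the tampered page shows both
// expected addresses gone and two unknown ones in their place.
function demo() {
  const tampered = swapWalletAddresses(PAGE, ATTACKER);
  return {
    clean: auditAddresses(PAGE, [VICTIM.btc, VICTIM.eth]),
    tampered: auditAddresses(tampered.text, [VICTIM.btc, VICTIM.eth]),
    replaced: tampered.replaced,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the audit function is that the only reliable reference is an address obtained outside the compromised browser; a substituted address looks exactly like a genuine one, which is why Razy's QR-code spoofing (the second item in the list) matters just as much as the text replacement.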

The infection process differs by browser. In the case of Firefox, Razy installs an extension called "Firefox Protection" and alters browser files under APPDATA and PROGRAMFILES. For Yandex Browser and Chrome, Razy disables the browser's extension integrity check and creates registry keys that disable browser updates. It then installs a malicious extension called "Yandex Protect" in Yandex Browser. In Chrome, the researchers observed that different legitimate extensions were infected at different times rather than one fixed target; the most frequently infected was Chrome Media Router.

Another notable point is that Razy drops the same set of helper scripts regardless of which browser it targets. The researchers describe this as follows:

Irrespective of the targeted browser type, Razy added the following scripts it brought along to the folder containing the malicious script: bgs.js, extab.js, firebase-app.js, firebase-messaging.js and firebase-messaging-sw.js... The file manifest.json was created in the same folder or was overwritten to ensure these scripts get called.
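Because the dropped file names and the rewritten manifest.json are the same across browsers, they make a simple thing to hunt for. The block below is an added example written for this page, not code from the Kaspersky post or this article: it takes an extension folder's manifest and file list, reports which of the listed scripts are present and which the manifest would actually load, and applies a flagging rule that is this example's own assumption (bgs.js and extab.js are treated as distinctive, while main.js and the Firebase SDK files are common in legitimate extensions). Both sample extensions are constructed.

```javascript
// Added example for this page, not code from the Kaspersky report. It checks an
// extension folder for the script set the article lists and for manifest.json
// entries that would make the browser load them. The two sample extensions
// below are constructed; the flagging rule is this example's own assumption,
// not detection logic from the report.

const RAZY_SCRIPTS = [
  'main.js', 'bgs.js', 'extab.js',
  'firebase-app.js', 'firebase-messaging.js', 'firebase-messaging-sw.js',
];
// Names rarely seen in legitimate extensions; main.js and the Firebase SDK
// files are common, so on their own they are weak evidence.
const DISTINCTIVE = ['bgs.js', 'extab.js'];

const basename = (p) => p.split(/[\\/]/).pop();

// Every script path a manifest can cause the browser to run: MV2 background
// pages, MV3 service worker, and content scripts injected into web pages.
function referencedScripts(manifest) {
  const out = [];
  const bg = manifest.background || {};
  if (Array.isArray(bg.scripts)) out.push(...bg.scripts);
  if (typeof bg.service_worker === 'string') out.push(bg.service_worker);
  for (const cs of manifest.content_scripts || []) out.push(...(cs.js || []));
  return out;
}

// Compare the folder's files and the manifest's script references against the
// Razy file set. `files` is the list of names in the extension folder.
function razyIndicators(manifest, files) {
  const names = new Set(files.map(basename));
  const onDisk = RAZY_SCRIPTS.filter((n) => names.has(n));
  const loaded = referencedScripts(manifest).map(basename).filter((n) => RAZY_SCRIPTS.includes(n));
  const distinctive = onDisk.filter((n) => DISTINCTIVE.includes(n));
  // Assumed rule: any distinctive name, or the full set of six on disk, flags it.
  const suspicious = distinctive.length > 0 || onDisk.length === RAZY_SCRIPTS.length;
  return { onDisk, loaded, suspicious };
}

// Constructed sample: an ordinary extension.
const BENIGN = {
  manifest: {
    name: 'Notes', manifest_version: 3,
    background: { service_worker: 'sw.js' },
    content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
  },
  files: ['manifest.json', 'sw.js', 'content.js', 'icon.png'],
};

// Constructed sample: a legitimate extension folder after the dropped scripts
// were added and manifest.json was rewritten to load them.
const INFECTED = {
  manifest: {
    name: 'Media Router', manifest_version: 2,
    background: { scripts: ['bgs.js', 'firebase-app.js', 'firebase-messaging.js'] },
    content_scripts: [{ matches: ['<all_urls>'], js: ['extab.js', 'main.js'] }],
  },
  files: ['manifest.json', 'icon.png', ...RAZY_SCRIPTS],
};

// Optional: pass a real extension folder (the versioned folder under the
// browser's Extensions directory) on the command line to scan it from disk.
function scanExtensionDir(dir) {
  const fs = require('fs');
  const path = require('path');
  const manifest = JSON.parse(fs.readFileSync(path.join(dir, 'manifest.json'), 'utf8'));
  return razyIndicators(manifest, fs.readdirSync(dir));
}

if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  console.log(JSON.stringify(scanExtensionDir(process.argv[2]), null, 2));
} else {
  console.log('benign:', razyIndicators(BENIGN.manifest, BENIGN.files));
  console.log('infected:', razyIndicators(INFECTED.manifest, INFECTED.files));
}
```

Run it as `node razy-check.js <extension folder>` to scan one folder, or without arguments to see the two constructed samples. The `loaded` list is the more telling of the two results: a file sitting unused in a folder is noise, but a manifest that wires bgs.js or extab.js into a background page or a content script matching every URL is exactly what the quoted passage describes.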

If your browser starts behaving strangely, review the installed extensions and run an anti-malware scan.

Featured image: Flickr / Richard Patterson

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
