Razy malware is looking for cryptocurrency payday

Researchers at Kaspersky Lab have disclosed details of a relatively new malware that attacks browsers in search of cryptocurrency. The research is written up in a Kaspersky SecureList post by co-authors Victoria Vlasova and Vyacheslav Bogdanov. Named Razy after the detection Trojan.Win32.Razy.gen, the malware installs or modifies browser extensions, spoofs search results, and swaps cryptocurrency wallet addresses on the pages a victim visits.

According to the researchers, Razy has a particular modus operandi, described in the following quoted passage:

Razy serves several purposes, mostly related to the theft of cryptocurrency. Its main tool is the script main.js that is capable of:

  • Searching for addresses of cryptocurrency wallets on websites and replacing them with the threat actor’s wallet addresses
  • Spoofing images of QR codes pointing to wallets
  • Modifying the web pages of cryptocurrency exchanges
  • Spoofing Google and Yandex search results

The infection process differs from browser to browser. In Firefox, Razy installs an extension called Firefox Protection and begins altering files under APPDATA and PROGRAMFILES. For Yandex Browser and Chrome, Razy first disables the browser's extension integrity check and creates registry keys that disable browser updates, presumably so an update cannot undo the tampering. In Yandex Browser it then installs a malicious extension called "Yandex Protect." In Chrome, the researchers found several different extensions modified at different times rather than a single fixed point of infection; the most common one was Chrome Media Router.

Also of note is that Razy drops the same set of supporting scripts regardless of which browser it attacks. The researchers describe this as follows:

Irrespective of the targeted browser type, Razy added the following scripts it brought along to the folder containing the malicious script: bgs.js, extab.js, firebase-app.js, firebase-messaging.js and firebase-messaging-sw.js... The file manifest.json was created in the same folder or was overwritten to ensure these scripts get called.

If your browser starts behaving strangely, for example showing wallet addresses or search results that do not match what you expect, an anti-malware scan is in order.

Featured image: Flickr / Richard Patterson

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

