Trojan horse in Chrome: Latin American bank data in the hands of ParaSiteSnatcher extension

Brother

Why would a harmless extension need the financial data of Brazil's largest banks?

Trend Micro has discovered a malicious extension for Google Chrome called ParaSiteSnatcher that targets users in Latin America, particularly Brazil. The extension allows attackers to track, manipulate, and steal sensitive information from a variety of sources, including financial and bank account data.

Besides Google Chrome, the extension also runs on other Chromium-based browsers, including newer versions of Microsoft Edge, Brave and Opera. ParaSiteSnatcher could potentially be made to work in Firefox and Safari as well, but only if its source code is modified to adapt it to those browsers.

According to the Trend Micro report, ParaSiteSnatcher uses the Chrome browser API to intercept and exfiltrate every POST request containing sensitive information before the browser initiates the TCP connection. Data belonging to the largest Brazilian banks, Banco do Brasil and Caixa Economica Federal, is especially at risk, as are transactions in the local PIX instant payment system and payments made through the Boleto Bancario method. Theft of Brazilian TINs (taxpayer identification numbers) and of cookies, including those used for Microsoft accounts, was also observed.
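The interception described above is only possible because the extension holds request-inspection permissions together with host access to every site. A defender can audit an installed extension set for exactly that combination. The script below is an added example written for this page, not code from Trend Micro or from the malware; the permission list it treats as risky and the sample manifests it builds are constructed for the demonstration, and it assumes the standard Chrome layout of `<profile>/Extensions/<id>/<version>/manifest.json`.

```python
import json
import os
import tempfile

# Permissions that let an extension observe, block or rewrite the requests the
# browser sends, plus the ones that expose cookies and page content.
# This risk list is an assumption made for the example, not a Chrome definition.
RISKY_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "cookies", "tabs", "scripting",
}
# Host patterns that grant access to every origin.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> list:
    """Return a list of findings for one manifest (Manifest V2 or V3)."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV3 keeps host patterns in "host_permissions"; MV2 mixes them into "permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}

    risky = perms & RISKY_PERMISSIONS
    broad = hosts & BROAD_HOSTS
    if risky:
        findings.append(f"request-inspection permissions: {sorted(risky)}")
    if broad:
        findings.append(f"broad host access: {sorted(broad)}")
    if risky and broad:
        findings.append("can read or modify request bodies on every site")
    return findings


def audit_extensions_dir(root: str) -> dict:
    """Walk an Extensions directory and return {extension_id: findings}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except json.JSONDecodeError:
                continue  # damaged manifest: skip rather than crash the audit
        ext_id = os.path.relpath(dirpath, root).split(os.sep)[0]
        findings = audit_manifest(manifest)
        if findings:
            results[ext_id] = findings
    return results


# Constructed sample manifests (not real extensions) used to exercise the audit.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.0_0": {
        "manifest_version": 3,
        "permissions": ["webRequest", "storage"],
        "host_permissions": ["<all_urls>"],
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/2.3_0": {
        "manifest_version": 3,
        "permissions": ["storage"],
        "host_permissions": ["https://example.com/*"],
    },
    "cccccccccccccccccccccccccccccccc/0.9_0": {
        "manifest_version": 2,
        "permissions": ["webRequest", "webRequestBlocking", "*://*/*"],
    },
}


def run_demo() -> dict:
    """Write the sample manifests to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as root:
        for rel, manifest in SAMPLE_MANIFESTS.items():
            path = os.path.join(root, rel)
            os.makedirs(path)
            with open(os.path.join(path, "manifest.json"), "w", encoding="utf-8") as fh:
                json.dump(manifest, fh)
        return audit_extensions_dir(root)


if __name__ == "__main__":
    for ext_id, findings in run_demo().items():
        print(ext_id)
        for f in findings:
            print("  -", f)
```

On a real machine, point `audit_extensions_dir` at the profile's Extensions folder (for Chrome on Windows that is `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`; on Linux `~/.config/google-chrome/Default/Extensions`). A hit does not prove malice, since ad blockers legitimately hold the same permissions, but it narrows the set of extensions worth checking against the store listing and the vendor's indicators.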

ParaSiteSnatcher is distributed via a VBScript downloader hosted on Dropbox and Google Cloud. Three loader variants were identified, differing in their level of obfuscation and complexity:
  • Variant 1: simple, with no payload obfuscation, which makes analysis easy;
  • Variant 2: uses the reversed-string technique to obfuscate critical strings;
  • Variant 3: adds further obfuscation techniques, anti-debugging and anti-tampering protection, and randomly generated names for variables and functions.

To establish communication with the command-and-control (C2) server, the malware sends a GET request to hxxps[:]//storage.googleapis[.]com/98jk3m5azb/-. The server responds with an obfuscated list of URLs, which the malware deobfuscates through a series of string manipulations: it restores the string to its original order and replaces certain characters with their correct counterparts to rebuild each URL.
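Both the downloader hosting and the C2 check-in described above leave traces in outbound proxy logs, which makes them a cheap detection point. The script below is an added example for this page, not Trend Micro's or the malware's code. The bucket path `/98jk3m5azb/` comes from the indicator quoted in the article; the log format, the sample lines and the rule that treats a `.vbs` download from Dropbox or Google Cloud Storage as suspicious are constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Indicator from the report quoted above (given there in defanged form).
C2_HOST = "storage.googleapis.com"
C2_PATH_PREFIX = "/98jk3m5azb/"

# Constructed log format assumed for this example:
#   "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


@dataclass
class Alert:
    line_no: int
    client: str
    reason: str
    url: str


def is_cloud_storage_host(host: str) -> bool:
    """Dropbox or Google Cloud Storage, the two services the report names."""
    return (
        host == "storage.googleapis.com"
        or host == "dropbox.com"
        or host.endswith(".dropbox.com")
    )


def classify(method: str, url: str) -> Optional[str]:
    """Return an alert reason for one request, or None if it looks benign."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path
    if method == "GET" and host == C2_HOST and path.startswith(C2_PATH_PREFIX):
        return "known ParaSiteSnatcher C2 bucket"
    # Heuristic (assumption for this example): a script file pulled from
    # consumer cloud storage matches how the report says the loader is delivered.
    if method == "GET" and path.lower().endswith(".vbs") and is_cloud_storage_host(host):
        return "VBScript download from cloud storage (downloader heuristic)"
    return None


def scan_log(lines) -> List[Alert]:
    """Parse each log line and collect alerts; unparseable lines are skipped."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reason = classify(m["method"], m["url"])
        if reason:
            alerts.append(Alert(n, m["client"], reason, m["url"]))
    return alerts


# Constructed sample log; hosts other than the indicator are placeholders.
SAMPLE_LOG = [
    "2023-11-20T10:01:02Z 10.0.0.5 GET https://www.example.com/search?q=boleto 200",
    "2023-11-20T10:01:10Z 10.0.0.5 GET https://www.dropbox.com/s/abc123/fatura.vbs 200",
    "2023-11-20T10:01:30Z 10.0.0.5 GET https://storage.googleapis.com/98jk3m5azb/- 200",
    "2023-11-20T10:02:00Z 10.0.0.7 POST https://bank.example/login 302",
    "2023-11-20T10:02:05Z 10.0.0.7 GET https://storage.googleapis.com/other-bucket/file.txt 200",
]


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"line {a.line_no} client {a.client}: {a.reason} -> {a.url}")
```

The C2 rule is an exact indicator match and will only catch this campaign; the downloader rule is broader and will need tuning against legitimate script downloads in your environment. Because the C2 sits on a shared Google Cloud Storage hostname, matching on the bucket path rather than the host is what keeps the rule from flagging all other traffic to that service.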

Malicious Google Chrome extensions that exploit the Chrome API in ways specifically designed to intercept, extract, and potentially modify sensitive data underscore the importance of vigilance both when installing extensions and when using web browsers.

ParaSiteSnatcher's multi-faceted approach to hiding its entry into the victim's system also provides persistence and stealth, which makes it difficult to detect and remove. Users should therefore carefully review the extensions they download and install in their browsers.
 
Top