Experts Uncover 350 Browser Extension Variants Used in ABCsoup Adware Campaign


A malicious browser extension with 350 variants is masquerading as a Google Translate add-on as part of an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers.

Mobile security firm Zimperium dubbed the malware family ABCsoup, stating the “extensions are installed onto a victim’s machine via a Windows-based executable, bypassing most endpoint security solutions, along with the security controls found in the official extension stores.”

The rogue browser add-ons come with the same extension ID as that of Google Translate — “aapbdbdomjkkjkaonfhkkikfgjllcleb” — in an attempt to trick users into believing that they have installed a legitimate extension.

The extensions are not available on the official browser web stores themselves. Rather, they are delivered through different Windows executables that install the add-on into the victim’s web browser.

In the event the targeted user already has the Google Translate extension installed, the malicious variant replaces the original version because it carries a higher version number (30.2.5 vs. 2.0.10).

ABCsoup Adware Campaign

“Furthermore, when this extension is installed, Chrome Web Store assumes that it is Google Translate and not the malicious extension since the Web Store only checks for extension IDs,” Zimperium researcher Nipun Gupta said.
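The installation trick described above (a known extension ID paired with an inflated version number) is something a defender can check for on disk. The following is an added triage example, not code from Zimperium’s report: it walks a Chrome profile’s Extensions directory, looks for the Google Translate ID and flags any install whose manifest version is higher than the legitimate 2.0.10. The `Extensions/<id>/<version>/manifest.json` layout is Chrome’s standard on-disk layout; the sample profile, manifest contents and permission lists are constructed for the demo.

```python
import json
import tempfile
from pathlib import Path

# Extension ID shared by Google Translate and the ABCsoup variants (from the report).
GOOGLE_TRANSLATE_ID = "aapbdbdomjkkjkaonfhkkikfgjllcleb"
# Version of the legitimate Google Translate extension cited in the report.
LEGIT_VERSION = "2.0.10"


def parse_version(ver):
    """Turn '30.2.5' into (30, 2, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in ver.split("."))


def scan_profile(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and return one finding
    per Google Translate install whose version is newer than the known legitimate one."""
    findings = []
    ext_root = Path(profile_dir) / "Extensions" / GOOGLE_TRANSLATE_ID
    for manifest in sorted(ext_root.glob("*/manifest.json")):
        data = json.loads(manifest.read_text(encoding="utf-8"))
        ver = data.get("version", "0")
        if parse_version(ver) > parse_version(LEGIT_VERSION):
            findings.append({
                "path": str(manifest.parent),
                "version": ver,
                "permissions": data.get("permissions", []),  # kept for analyst triage
            })
    return findings


def build_demo_profile(root):
    """Constructed sample profile: one legitimate install and one ABCsoup-style override.
    The permission lists are assumptions for the demo, not taken from the report."""
    for ver, perms in ((LEGIT_VERSION, ["activeTab"]), ("30.2.5", ["tabs", "<all_urls>"])):
        ext_dir = Path(root) / "Extensions" / GOOGLE_TRANSLATE_ID / f"{ver}_0"
        ext_dir.mkdir(parents=True)
        manifest = {"name": "Google Translate", "version": ver, "permissions": perms}
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


def demo():
    """Build the constructed profile in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_profile(tmp)
        return scan_profile(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(f"suspicious Google Translate install at {finding['path']}: "
              f"version {finding['version']}, permissions {finding['permissions']}")
```

To run it against a real machine, point `scan_profile` at a profile directory such as `%LOCALAPPDATA%\Google\Chrome\User Data\Default`.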

All the observed variants of the extension are geared towards serving pop-ups, harvesting personal information to deliver target-specific ads, fingerprinting searches, and injecting malicious JavaScript that can further act as spyware to capture keystrokes and monitor web browser activity.

The main function of ABCsoup entails checking whether Russian social networking services like Odnoklassniki and VK are among the websites currently open in the browser; if so, it gathers the users’ first and last names, dates of birth, and gender, and transmits the data to a remote server.


Not only does the malware use this information to serve personalized ads, but the extension also comes with capabilities to inject custom JavaScript code based on the websites opened. These include YouTube, Facebook, ASKfm, Mail.ru, Yandex, Rambler, Avito, Brainly’s Znanija, Kismia, and rollApp, suggesting a heavy Russia focus.

Zimperium attributed the campaign to a “well-organized group” of Eastern European and Russian origin, with the extensions designed to single out Russian users given the wide variety of local domains featured.

“This malware is purposefully designed to target all kinds of users and serves its purpose of retrieving user information,” Gupta said. “The injected scripts can be easily used to serve more malicious behavior into the browser session, such as keystroke mapping and data exfiltration.”
