www.trendmicro.com
Open in
urlscan Pro
23.32.242.31
Public Scan
URL:
https://www.trendmicro.com/en_us/research/23/k/parasitesnatcher-how-malicious-chrome-extensions-target-brazil-.html?&web_vi...
Submission: On November 27 via api from DE — Scanned from DE
Submission: On November 27 via api from DE — Scanned from DE
Form analysis
1 forms found in the DOM<form class="main-menu-search" aria-label="Search Trend Micro" data-equally-id="equally_ai___jVVnB">
<div class="main-menu-search__field-wrapper" id="cludo-search-form">
<table class="gsc-search-box">
<tbody>
<tr>
<td class="gsc-input">
<input type="text" class="gsc-input-field" name="search" title="search" placeholder="Search" autocomplete="off" aria-label="search">
</td>
</tr>
</tbody>
</table>
</div>
</form>
Text Content
Business search close * Solutions * By Challenge * By Challenge * By Challenge Learn more * Understand, Prioritize & Mitigate Risks * Understand, Prioritize & Mitigate Risks Improve your risk posture with attack surface management Learn more * Protect Cloud-Native Apps * Protect Cloud-Native Apps Security that enables business outcomes Learn more * Protect Your Hybrid World * Protect Your Hybrid, Multi-Cloud World Gain visibility and meet business needs with security Learn more * Securing Your Borderless Workforce * Securing Your Borderless Workforce Connect with confidence from anywhere, on any device Learn more * Eliminate Network Blind Spots * Eliminate Network Blind Spots Secure users and key operations throughout your environment Learn more * See More. Respond Faster. * See More. Respond Faster. Move faster than your adversaries with powerful purpose-built XDR, attack surface risk management, and zero trust capabilities Learn more * Extend Your Team * Extend Your Team. Respond to Threats Agilely Maximize effectiveness with proactive risk reduction and managed services Learn more * Operationalizing Zero Trust * Operationalizing Zero Trust Understand your attack surface, assess your risk in real time, and adjust policies across network, workloads, and devices from a single console Learn more * By Role * By Role * By Role Learn more * CISO * CISO Drive business value with measurable cybersecurity outcomes Learn more * SOC Manager * SOC Manager See more, act faster Learn more * Infrastructure Manager * Infrastructure Manager Evolve your security to mitigate threats quickly and effectively Learn more * Cloud Builder and Developer * Cloud Builder and Developer Ensure code runs only as intended Learn more * Cloud Security Ops * Cloud Security Ops Gain visibility and control with security designed for cloud environments Learn more * By Industry * By Industry * By Industry Learn more * Healthcare * Healthcare Protect patient data, devices, and networks while meeting regulations Learn more * Manufacturing * Manufacturing Protecting your factory environments – from traditional devices to state-of-the-art infrastructures Learn more * Oil & Gas * Oil & Gas ICS/OT Security for the oil and gas utility industry Learn more * Electric Utility * Electric Utility ICS/OT Security for the electric utility Learn more * Federal * Federal Learn more * Automotive * Automotive Learn more * 5G Networks * 5G Networks Learn more * Small & Midsized Business Security * Small & Midsized Business Security Stop threats with comprehensive, set-it-and-forget-it protection Learn more * Platform * Vision One Platform * Trend Vision One Our Unified Platform Bridge threat protection and cyber risk management Learn more * Attack Surface Management * Attack Surface Management Stop breaches before they happen Learn more * XDR (Extended Detection & Response) * XDR (Extended Detection & Response) Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform Learn more * Cloud Security * Cloud Security * Trend Vision One™ Cloud Security Overview The most trusted cloud security platform for developers, security teams, and businesses Learn more * Attack Surface Risk Management for Cloud * Attack Surface Risk Management for Cloud Cloud asset discovery, vulnerability prioritization, Cloud Security Posture Management, and Attack Surface Management all in one Learn more * XDR for Cloud * XDR for Cloud Extend visibility to the cloud and streamline SOC investigations Learn more * Workload Security * Workload Security Secure your data center, cloud, and containers without compromising performance by leveraging a cloud security platform with CNAPP capabilities Learn more * Container Security * Container Security Simplify security for your cloud-native applications with advanced container image scanning, policy-based admission control, and container runtime protection Learn more * File Storage Security * File Storage Security Security for cloud file/object storage services leveraging cloud-native application architectures Learn more * Endpoint Security * Endpoint Security * Endpoint Security Overview Defend the endpoint through every stage of an attack Learn more * XDR for Endpoint * XDR for Endpoint Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform Learn more * Workload Security * Workload Security Optimized prevention, detection, and response for endpoints, servers, and cloud workloads Learn more * Industrial Endpoint Security * Industrial Endpoint Security Learn more * Mobile Security * Mobile Security On-premises and cloud protection against malware, malicious applications, and other mobile threats Learn more * Network Security * Network Security * Network Security Overview Expand the power of XDR with network detection and response Learn more * XDR for Network * XDR for Network Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform Learn more * Network Intrusion Prevention (IPS) * Network Intrusion Prevention (IPS) Protect against known, unknown, and undisclosed vulnerabilities in your network Learn more * Breach Detection System (BDS) * Breach Detection System (BDS) Detect and respond to targeted attacks moving inbound, outbound, and laterally Learn more * Secure Service Edge (SSE) * Secure Service Edge (SSE) Redefine trust and secure digital transformation with continuous risk assessments Learn more * Industrial Network Security * Industrial Network Security Learn more * Email Security * Email Security Stop phishing, malware, ransomware, fraud, and targeted attacks from infiltrating your enterprise Learn more * OT Security * OT Security * OT Security Learn about solutions for ICS / OT security. Learn more * XDR for OT * XDR for OT Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform Learn more * Industrial Network Security * Industrial Network Security Industrial Network Security * Industrial Endpoint Security * Industrial Endpoint Security Learn more * Threat Intelligence * Threat Intelligence Keep ahead of the latest threats and protect your critical data with ongoing threat prevention and analysis Learn more * All Products, Services and Trials * All Products, Services and Trials Learn more * Research * Research * Research * Research Learn more * Research, News, and Perspectives * Research, News, and Perspectives Learn more * Research and Analysis * Research and Analysis Learn more * Security News * Security News Learn more * Zero Day Initiatives (ZDI) * Zero Day Initiatives (ZDI) Learn more * Services * Our Services * Our Services * Our Services Learn more * Service Packages * Service Packages Augment security teams with 24/7/365 managed detection, response, and support Learn more * Managed XDR * Managed XDR Augment threat detection with expertly managed detection and response (MDR) for email, endpoints, servers, cloud workloads, and networks Learn more * Incident Response * Incident Response * Incident Response Our trusted experts are on call whether you're experiencing a breach or looking to proactively improve your IR plans Learn more * Insurance Carriers and Law Firms * Insurance Carriers and Law Firms Stop breaches with the best response and detection technology on the market and reduce clients’ downtime and claim costs Learn more * Support Services * Support Services Learn more * Partners * Partner Program * Partner Program * Partner Program Overview Grow your business and protect your customers with the best-in-class complete, multilayered security Learn more * Managed Security Service Provider * Managed Security Service Provider Deliver modern security operations services with our industry-leading XDR Learn more * Managed Service Provider * Managed Service Provider Partner with a leading expert in cybersecurity, leverage proven solutions designed for MSPs Learn more * Cloud Service Provider * Cloud Service Provider Add market-leading security to your cloud service offerings – no matter which platform you use Learn more * Professional Services * Professional Services Increase revenue with industry-leading security Learn more * Resellers * Resellers Discover the possibilities Learn more * Marketplace * Marketplace Learn more * System Integrators * System Integrators Learn more * Alliance Partners * Alliance Partners * Alliance Overview We work with the best to help you optimize performance and value Learn more * Technology Alliance Partners * Technology Alliance Partners Learn more * Our Alliance Partners * Our Alliance Partners Learn more * Partner Tools * Partner Tools * Partner Tools Learn more * Partner Login * Partner Login Login * Education and Certification * Education and Certification Learn more * Partner Successes * Partner Successes Learn more * Distributors * Distributors Learn more * Find a Partner * Find a Partner Learn more * Company * Why Trend Micro * Why Trend Micro * Why Trend Micro Learn more * Customer Success Stories * Customer Success Stories Learn more * The Human Connection * The Human Connection Learn more * Industry Accolades * Industry Accolades Learn more * Strategic Alliances * Strategic Alliances Learn more * About Us * About Us * About Us Learn more * Trust Center * Trust Center Learn more * History * History Learn more * Diversity, Equity and Inclusion * Diversity, Equity and Inclusion Learn more * Corporate Social Responsibility * Corporate Social Responsibility Learn more * Leadership * Leadership Learn more * Security Experts * Security Experts Learn more * Internet Safety and Cybersecurity Education * Internet Safety and Cybersecurity Education Learn more * Legal * Legal Learn more * Investors * Investors Learn more * Connect with Us * Connect with Us * Connect with Us Learn more * Newsroom * Newsroom Learn more * Events * Events Learn more * Careers * Careers Learn more * Webinars * Webinars Learn more Back Back Back Back * Free Trials * Contact Us Looking for home solutions? Under Attack? 4 Alerts Back Unread All * Join us at AWS re:Invent Nov. 27-Dec. 1 close Engage with us > * Understanding ChatGPT's potential for misuse via malware creation close Learn more > * How threat actors leverage file-sharing to harvest credentials close Learn more > * Understanding how stolen data is acquired and sold close Protect your organization > Folio (0) Support * Business Support Portal * Business Community * Virus and Threat Help * Education and Certification * Contact Support * Find a Support Partner Resources * Cyber Risk Index/Assessment * CISO Resource Center * DevOps Resource Center * What Is? * Threat Encyclopedia * Cloud Health Assessment * Cyber Insurance * Glossary of Terms * Webinars Log In * Support * Partner Portal * Cloud One * Product Activation and Management * Referral Affililate Back arrow_back search close Content has been added to your Folio Go to Folio (0) close Cyber Threats PARASITESNATCHER: HOW MALICIOUS CHROME EXTENSIONS TARGET BRAZIL We detail the modular framework of malicious Chrome extensions that consist of various highly obfuscated components that leverage Google Chrome API to monitor, intercept, and exfiltrate victim data. By: Aliakbar Zahravi, Peter Girnus November 23, 2023 Read time: 12 min (3275 words) Save to Folio Subscribe -------------------------------------------------------------------------------- Our investigations on potential security threats uncovered a malicious Google Chrome extension that we named “ParaSiteSnatcher.” The ParaSiteSnatcher framework allows threat actors to monitor, manipulate, and exfiltrate highly sensitive information from multiple sources. ParaSiteSnatcher also utilizes the powerful Chrome Browser API to intercept and exfiltrate all POST requests containing sensitive account and financial information before the HTTP request initiates a transmission control protocol (TCP) connection. Our research shows that the malicious extension is specifically designed to target users in Latin America, particularly Brazil; it exfiltrates data from Banco do Brasil- and Caixa Econômica Federal (Caixa)-related URLs. It can also initiate and manipulate transactions in PIX, a Brazilian instant payment ecosystem, and payments made through Boleto Bancario, another payment method regulated by the Bank of Brazil. We also observed that it can exfiltrate Brazilian Tax ID numbers for both individuals and businesses, as well as cookies, including those used for Microsoft accounts. Once installed, the extension manifests with the help of extensive permissions enabled through the Chrome extension, allowing it to manipulate web sessions, web requests, and track user interactions across multiple tabs using the Chrome tabs API. The malware includes various components that facilitate its operation, content scripts that enable malicious code injection into web pages, monitor Chrome tabs, and intercept user input and web browser communication. It is worth noting that while ParaSiteSnatcher specifically targets Google Chrome browsers, the malicious extension will also work on browsers that support Chrome extension API and runtime, such as Chromium-based browsers like newer versions of Microsoft Edge, Brave, and Opera. These extensions could potentially be compatible with Firefox and Safari as well, but changes such as the browser namespace are necessary. The ParaSiteSnatcher downloader ParaSiteSnatcher is downloaded through a VBScript downloader hosted on Dropbox and Google Cloud and installed onto an infected system. Our analysis has identified three distinct variants of the VBScript downloader, which are characterized by differing levels of obfuscation and complexity: * * Variant 1. This variant presents a straightforward approach where the payload is not obfuscated, making it relatively easier to analyze and understand. * * Variant 2. In this iteration, critical strings within the payload are obfuscated using a Reverse String technique. This adds a layer of complexity to the code, requiring a reverse operation to decipher the original content. * * Variant 3. This variant incorporates additional obfuscation techniques. It includes junk code that serves to confuse the analysis process, anti-debug and anti-tamper protections, alongside the use of randomly generated names for variables and functions to prevent easy pattern detection. It also utilizes Reverse String obfuscation to further conceal the payload, presenting a more challenging structure for analysts to decipher. Upon execution, the downloader performs an initial check for the presence of the %ProgramFiles%\Google\Chrome\Application\chrome.exe file, and the %APPDATA%\%USERNAME% folder. If found not present, the script will terminate its process. Figure 1. Verifying chrome installation and AppData path presence The malware establishes communication with the attacker’s C&C by constructing and sending a GET request to hxxps[:]//storage.googleapis[.]com/98jk3m5azb/-. The response from the server is an obfuscated list of URLs. The malware then de-obfuscates this list with a series of string manipulations performed on the C&C response that reverses the string back to its original order. It then replaces specific characters with their correct counterparts to reconstruct the URLs: * * "[h]" is replaced with "https://", specifying the protocol part of the URL. * * "-" is replaced with ".", reconstructing the domain names. * * "_" is substituted with "/", fixing the path structure. * * ">" is replaced with ":", correcting port specifications. Figure 2. De-obfuscating URLs from the C&C response Once the actual URLs are retrieved, they are used to download additional malicious modules masquerading as Google Chrome extensions. Figure 3. The list of obfuscated URLs from the threat actor’s C&C response The first URL from above list (hxxps[:]//rezumdolly[.]com:8443/api/alert) is used to register an infected system and notify the attacker. The malware first utilizes the Windows Management Instrumentation (WMI) service to perform a query against the Win32_OperatingSystem class, which retrieves details about the operating system that are subsequently sent to the attacker’s C&C server. Figure 4. ParaSiteSnatcher gathers the victim’s system information upon arrival It then constructs a .json-formatted string that encapsulates several pieces of system information as follows: * comp. The computer's name, which can be used to uniquely identify the system on a network. * * user. The registered user's name, providing insights into who uses or owns the system. * * version. The operating system version, indicating the specific build and potential vulnerabilities. * * arch. The architecture of the operating system (e.g., 32-bit or 64-bit), which is useful for tailoring further attacks to the system's specifications. * * caption. A descriptive label for the operating system, often including the edition (e.g., Windows 10 Pro). Figure 5. Registering an infected system with the attacker's command and control server The malware uses the down() function to download and save ParaSiteSnatcher malicious extension modules on an infected system’s %APPDATA%\%USERNAME% directory. Figure 6. The ParaSiteSnatcher download function The malware then attempts to locate and delete Chrome shortcuts by searching for any shortcuts that contain "chrome.lnk" in the Desktop, Public Desktop, and Quick Launch folders. Figure 7. ParaSiteSnatcher removing Chrome shortcuts from the victim’s Desktop and Quick Launch folders with VBScript To achieve persistence on the victim’s system and load malicious execution on every execution, the malware creates a Google Chrome shortcut on the desktop, which is configured to launch the browser with custom startup parameters. These parameters include the specification of a default user profile directory and the initiation of a malicious browser extension housed within the user's application data folder. This process is engineered to ensure that the malicious extension is loaded each time Chrome is started via the created shortcut. Figure 8. The malware’s persistence Extension and C&C communication Figure 9. A diagram showing how the different components of the ParaSiteSnatcher Chrome extension communicate. The communication mechanism employed by ParaSiteSnatcher Chrome extensions rely heavily on using the Chrome sendMessage API to communicate with various extension components when specific conditions are met. When messages are received, the malicious Chrome extension executes internal functions on these events: some components pass along the targeted and processed and targeted data directly to the attacker C&C, while most of the other components contain logic that can receive and update commands directly from the threat actor. The extension’s service worker, which we will discuss further into this blog, leverages the chrome.windows and chrome.tabs API for navigating and focusing the document object model (DOM) that other ParaSiteSnatcher components rely on. Analyzing ParaSiteSnatcher Chrome extension files In this section we explore the various files that comprise the ParaSiteSnatcher Framework's malicious Chrome extension. Figure 10. Properties of the malicious Chrome extension we investigated manifest.json Every Google Chrome extension includes a manifest.json file in its root directory. This background manifest key contains essential information, such as the extension’s name, version, permissions, and any scripts associated with the Chrome extension. The extension uses a service worker (yyva.js) as part of its background processes for handling tasks, orchestrating modules and data synchronization in the background. Figure 11. The manifest.json file in the ParaSiteSnatcher’s root directory The manifest.json file contains the following: * Basic metadata. This includes the name, description, version, and author key of the browser extension. * Service workers. These are JavaScript files that act as the extension's primary event handler. These events include more than just servicing web requests and can respond to events like navigating a new page, clicking notifications, and opening or closing tabs. Not that Chrome makes the critical distinction between a web service worker and an extension service worker to highlight that the extension service worker is more than just a web request proxy service. The service worker specified in the background key is the extension service worker. * Content scripts. These allow developers to statistically load JavaScript files when webpages are opened that match a specific URL pattern. * Permissions. These determine which capabilities are exposed to their respective extension. In the sample of the ParaSiteSnatcher extension we investigated, we saw some critical content_script keys that determine what scripts are injected, where they are injected, and how they behave: * matches. This type of key specifies the pattern to be used for matching. The <all_urls> value matches any URL that starts with a permitted scheme, such as http, https, and file. * run_at. This key specifies when the script should be injected into the page, where the document_end value injects the script while the page resources are still loading. * all_frames. This is a Boolean value. When set to true, the extension will inject scripts into all <iframe> elements even if the frame is not the topmost in the tab. * persistent. When the persistent Boolean value is true, the extension developer can access the chrome.webRequest API to block or modify network requests. This is the only use case for setting the persistent boolean to true; by default, this value is set to false for performance reasons. Additionally, the malicious extension contained host_permissions among the permissions in its manifest file. The host_permission key grants extra permissions for the extension’s API to read and modify host data such as accessing the API cookies, receiving events using the webRequest API, programmatically injecting scripts, bypassing tracking protections, and reading tab-specific metadata. It can also access XMLHttpRequest and fetch access to origins without cross-origin restrictions. If an extension uses the host_permissions key, the user could be prompted to grant these permissions to the extension. As of June 2023, Safari, Firefox, and some Chromium-based browsers don't prompt the user during installation. In this malicious sample, the host_permissions allow the extension to read and modify all URLs using the <all_urls> value. ParaSiteSnatcher also contains the permissions JSON key, which contains specific WebExtension API keywords that the extension requests to use. The malicious extension requests the following WebExtension JavaScript APIs: * webNavigation. This API adds an event listener for various stages of navigation, such as in response to a user action, like clicking a link or adding a URL in the location bar. * notifications. This API allows extensions to create and display notifications to users in the system tray. * declarativeNetRequest. This API allows extensions to specify conditions and actions on handling network requests, allowing extensions to block and upgrade network requests without explicit host permissions. * declarativeNetRequestFeedback. This API allows extensions to access functions and events that return information on declarative rules, such as those through the declarativeNetrequest API. * scripting. The scripting API allows the insertion of JavaScript into websites, such as through the scripting.executeScript() and scripting.registerContentScripts() methods. * webRequest. The webRequest API grants access to add event listeners to HTTP and WebSocket requests. These event listeners can receive detailed information about such requests, including the ability to modify and cancel these requests. * storage. The storage API allows extensions to store and receive data and listen for changes in stored data. * tabs. The tabs API allows extensions to interact with the Chrome browser’s tab system, including creating, modifying, and rearranging browser tabs. This powerful API also includes taking screenshots and communicating with a tab’s content scripts. * activeTab. This API permits access to the currently active tab when users execute browser and page actions. * cookies. The cookies API allows the extension to query and modify cookies and be notified of cooking changes. It is important to note that many other API permissions exist in Chrome for developers API Reference. From a security perspective, it is essential to understand that web browser extensions can declare many permissions, and not all extensions will request the user to grant explicit access. This highlights the essential need to understand what any downloaded extension does and its declared permission levels. yyva.js This component is an Extension Service Worker or Service Worker, the central event handler for Google Chrome extensions that handles web events and messages from other extension components. The extension service worker can respond to standard service worker events in addition to extension events, such as navigating to a new page, clicking a notification, or closing a tab. This service worker is declared with the service_worker key. In our research, all extension components are highly obfuscated, but after deobfuscating each component and cleaning up the code, we uncovered the following important extension service worker features working with the Chrome API: * Event listening and handling. The yavvy.js service worker is tasked with listening for events using the chrome.runtime.onMessage.addListener API. Within Chrome extensions, various components can leverage the Chrome API to message each other using the sendMessage API. The service worker is specifically tasked with listening for navigation, focus, and getcookies messages. * * Listening and intercepting POST requests. The yavvy.js service worker uses the Chrome.webRequest.onBeforeRequest.addListener to create a callback function to listen for web request events containing a POST request, as well as gather tab information using the chrome.tabs.get API, which it uses for analysis. Figure 12. ParaSiteSnatcher uses chrome.runtime.onMessage.addListener to listen for specific events. Despite its extensive listening, it is worth noting that ParaSiteSnatcher excludes local network addresses and C&C domain from its monitoring. Figure 13. ParaSiteSnatcher excludes local network addresses and C&C domain from its monitoring. It also intercepts and monitors user activity, and handles the following messages received from other modules: * messageDetails.type == 'focus' * * messageDetails.type == 'navigate' * * messageDetails.type == 'getcookie' The functions that handle the navigate and focus events use the chrome.windows and chrome.tabs API for navigating and focusing the document object model (DOM). Other components of this malicious Chrome extension leverage these messages extensively. jsync.js (Jquery 3.3.1) This file is injected as a Chrome extension dependency and is a content script used primarily for Asynchronous JavaScript and XML (AJAX) communication with the attacker C&C to exfiltrate sensitive data from infected users. sovvy.js This primary content script in the malicious Chrome extension periodically monitors specific forms and elements on a webpage and sets up event listeners on certain buttons every two seconds. It leverages the Chrome runtime API using the chrome.runtime.onMessage.addListener API method to listen for the custom messages passed between various extension events with the types, “lixo,” “cookie,” and “timer.” When events with these message types are initiated, they in turn trigger ParaSiteSnatcher to run these specific functions: * Intercepting POST requests. The lixo message is a catch-all event and does not look for specific URL patterns. Instead, it tracks all POST requests in which the attackers search for sensitive information such as usernames, passwords, emails, and credit card information. Figure 14. ParaSiteSnatcher tracks all POST requests * Stealing cookies and user sessions. The cookie message sends a POST request to the attacker C&C for cookie and session theft. Figure 15. ParaSiteSnatcher also gathers data related to cookies. * Stealing Microsoft cookies. When cookies matching Microsoft live.com exist, the sovvy.js file sends a message using the chrome.runtime.sendMessage API to send this data to the service worker, which processes this data to filter and extract the found Microsoft account cookies. These can be leveraged for account theft and pass-the-cookie attacks as well as pivoting to the cloud. Figure 16. ParaSiteSnatcher uses the chrome.runtime.sendMessage API to get a victim’s user information related to Microsoft accounts. * Stealing Banking Details. Our investigation of ParaSiteSnatcher revealed that the malicious extension conducts multiple URL checks related to Brazilian online banking companies, including Banco do Brasil and Caixa Econômica Federal. When the victim interacts with URLs related to these financial institutions, the malicious Chrome extension begins processing the data, looking for items such as usernames, passwords, and credit cards numbers, and sending the data with a POST request to the attacker’s C&C. Figure 17. ParaSiteSnatcher looks out for communication with banking sites and get password entries by victims * Fetching commands from the attacker’s C&C. Within this the sovvy.js script is the ability for the malicious Chrome extension to retrieve commands from the attacker C&C server with a standard HTTP GET request. Figure 18. sovvy.js contains script that retrieves commands from the threat actor’s C&C server. 33nhauh.js The 33nhuah.js file contains business logic to monitor bank account details and perform PIX instant payment actions. PIX is an instant payment platform created and regulated by the Banco Central do Brasil (Central Bank of Brazil). Some key features of this content script include HTML templates for password input forms, definitions for enum type data representing command types, account information, PIX key types, and parameters for PIX transactions. This content script also contains functions to monitor bank account balances and perform PIX transactions. Additionally, there are functions that manipulate the user interface, such as setting and resetting forms, clicking on menu items, and hiding or loading process indicators. This content script uses the standard HTML DOM selector to find specific elements containing sensitive PIX elements such as receiving PIX institution names, and user account information such as: * CPF/CNPJ (Brazilian Individual & Business Taxpayer Registration) details * * Email addresses * * Cellphone numbers * * PIX Keys Figure 19. ParaSiteSnatcher monitors activity related to PIX transactions, gathers victim data from these transactions, and performs actions such as navigating the PIX menu and selecting buttons within its interface. unpgp2.js The content script unpgp2.js is designed to navigate, focus, and interact with the internet banking interface of the Caixa Econômica Federal’s web interface. This content script performs various actions such as navigating pages, fetching account details, focusing on elements, executing financial transactions and initiating PIX transactions. Figure 20. ParSiteSnatcher specifically looks for activity with URLs related to Caixa Econômica Federal. s12ih0a.js This content script primarily contains logic that is used to periodically monitor windows and tabs content specifically those that contain or are related to the following: * Boleto Bancário * * The CPF (Cadastro de Pessoas Físicas or Natural Persons Register) numbers of both the payer and receiver in transactions * * The CNPJ (Cadastro Nacional da Pessoa Juridica or Taxpayer Identification) number of both the payer and receiver in transactions * * Bank payment slips The logic contained in this content script is called during specific intervals to monitor the DOM and user-input through the sovvy.js content script. The s12ih0a.js content script will also POST elements such as telephone numbers and email addresses to the attacker C&C. Figure 21. The ParaSiteSnatcher data exfiltration to its C&C server In the following table, we summarize the functions of each ParaSiteSnatcher extension component: Module Name Functions yyva.js async function timerMonitor() function getCookies() async function navigate() async function setFocusTab() function addLog() async function analyzeRequest() sovvy.js function setCommandRetorno() function updateCmd() function timerMonitor() function postSession() function postLixo() function getCmd() function updateCmd() function updateStatusOn() function getVersion() function getUser() function getElement() function addlog() function trim() function toLowerCase() function extractDigits() function getForm() function preparePostData() function buildInputMap() function checkElementClick() function checkInputPost() function ValidateEmail() function GenerateToken() function SetToken() function updateUserId() 33nhauh.js function monitorBB() function resetCommand_BB() function getSaldo_BB() function clickMenuSaldo() function focoTab_BB() function hideProcesso() function action_pix_BB() function checkComprovante() function setSConta() function setValor() function setChave() function clickMenuPix() function clickMenu() function setAccountPasswordForm() function getAgencyAndAccountNumber() function resetAccountPasswordForm() s12ih0a.js function monitor2Via() function setEventDesco() function setEventBB() function click_isPagina() function setMessageDesco() function setMessageBB() function setHtmlBB() function setHtmlDesco() function getDadosSegundaVia() function post2Via() function checkDebugging() function innerFunction() unpgp2.js function monitorAzul() function get_azul_ass() function get_azul_Saldo() function focoTab_Azul() function resetCommand_Azul() function get_azul_agcc() function azul_pedidos_automaticos() Conclusion The use of malicious Google Chrome extensions by leveraging the powerful Chrome API in ways specifically designed to intercept, exfiltrate, and potentially modify sensitive user data underscores the importance of being vigilant when granting permissions to extensions and when using web browsers. ParaSiteSnatcher’s multifaceted approach to obfuscate its arrival onto victim’s systems also ensures persistence and stealth, making detection and removal efforts challenging, so users should be doubly watchful of the specific extensions they download and install onto their browsers. Despite our investigations showing that ParaSiteSnatcher specifically targets Google Chrome browsers, users who utilize other browsers that are Chromium-based and that support various APIs used by Chrome extensions should be equally wary. Indicators of Compromise (IoCs) You can find the full list of ParaSiteSnatcher IoCs here. Tags Articles, News, Reports | Cyber Threats | Research AUTHORS * Aliakbar Zahravi Staff Researcher * Peter Girnus Sr. Threat Researcher Contact Us Subscribe RELATED ARTICLES * Exploring Weaknesses in Private 5G Networks * Attack Signals Possible Return of Genesis Market, Abuses Node.js, and EV Code Signing * Beware: Lumma Stealer Distributed via Discord CDN See all articles Try our services free for 30 days * Start your free trial today * * * * * RESOURCES * Blog * Newsroom * Threat Reports * DevOps Resource Center * CISO Resource Center * Find a Partner SUPPORT * Business Support Portal * Contact Us * Downloads * Free Trials * * ABOUT TREND * About Us * Careers * Locations * Upcoming Events * Trust Center * Select a country / region United States expand_more close THE AMERICAS * United States * Brasil * Canada * México MIDDLE EAST & AFRICA * South Africa * Middle East and North Africa EUROPE * België (Belgium) * Česká Republika * Danmark * Deutschland, Österreich Schweiz * España * France * Ireland * Italia * Nederland * Norge (Norway) * Polska (Poland) * Suomi (Finland) * Sverige (Sweden) * Türkiye (Turkey) * United Kingdom ASIA & PACIFIC * Australia * Центральная Азия (Central Asia) * Hong Kong (English) * 香港 (中文) (Hong Kong) * भारत गणराज्य (India) * Indonesia * 日本 (Japan) * 대한민국 (South Korea) * Malaysia * Монголия (Mongolia) and рузия (Georgia) * New Zealand * Philippines * Singapore * 台灣 (Taiwan) * ประเทศไทย (Thailand) * Việt Nam Privacy | Legal | Accessibility | Site map Copyright ©2023 Trend Micro Incorporated. All rights reserved sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk This website uses cookies for website functionality, traffic analytics, personalization, social media functionality and advertising. Our Cookie Notice provides more information and explains how to amend your cookie settings.Learn more Cookies Settings Accept word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 Sumo