A malicious Chrome extension is spreading in Brazil, and it's capable of stealing everything typed inside a browser window. Here's what to look out for before it spreads.
A malicious new Chrome extension has been discovered, and it's a serious security risk.
Capable of capturing everything a victim types into an infected Chrome browser, Catch-All is spreading through email phishing attacks. It has only been discovered in Brazil thus far, but it has the potential to do a lot of damage if it spreads.
Renato Marinho, chief research officer at Morphus Labs, says Catch-All isn't alone either—in fact it's the third one he's written about since August. The previous two targeted customers of specific banks, but this latest extension is targeting everyone, making it very dangerous.
Another day, another phishing attack
Catch-All spreads via a phishing attack telling the recipient that someone has sent them photos through WhatsApp. When the victim clicks on a link to the photos they're instead prompted to download WhatsApp.exe, which is actually an installer for the Catch-All extension.
The installer masquerades as an Adobe Acrobat installer, which actually installs a dropper, which in turn downloads incredibly bloated binaries that are about 200MB each. Only about 3% of the binaries contain actual code—the rest are just no-op code that Marinho speculates is there to trick antivirus software, which often skips scanning large files.
SEE: Want to improve cybersecurity? Try phishing your own employees (TechRepublic)
As a final step, the malware installer attempts to disable Windows Firewall and terminate all Chrome processes. It then modifies any Chrome launcher file to ensure that Catch-All is loaded when the browser is started up.
It also tweaks Chrome to disable user approval for script injection, permanently allow all extensions, and disable SafeBrowsing protections.
What makes Catch-All so dangerous
Once installed, Catch-All goes to work harvesting every single thing a victim types into Chrome. It saves it to a file and transmits stolen data to a command and control server—information like usernames, passwords, credit card numbers ... anything you type in your browser.
SEE: Cyber Security Volume I: Hackers Exposed (TechRepublic Academy)
As with all phishing-based attacks, the key to being protected lies in not clicking the link. If you're familiar with the warning signs of a phishing email that's not hard to do. Those not familiar with what to look for may need to rely on their IT teams to offer an extra layer of protection. For those in the guardianship role be sure to:
- Enable a server-side email scanning solution, if possible. By identifying and removing malicious messages before users get them you could be preventing a lot of headaches.
- Be sure antivirus definitions are up to date on all potentially affected machines.
- Be sure Chrome, and other browsers, are kept up to date on all potentially affected machines.
- Put good web filters in place that prevent users from opening up suspicious URLs.
- Disable URLs in email messages—if it can't be clicked it's not a risk.
- Restrict users from installing software without IT permission.
- Notify users of new phishing attacks so they know what to watch out for.
The top three takeaways for TechRepublic readers:
- A new phishing campaign is distributing a malicious Chrome extension that can capture everything a user types into their browser and send it to a command and control server.
- While currently only targeting Brazil, it's entirely possible that the attack will spread or that its strategy could be exploited by other cybercriminals.
- Protect your organization by eliminating avenues of infection with server-side email scanning, antivirus, browser, and OS updates, and restricted user permissions.
- Phishing is the easiest way to steal sensitive data, hackers say (TechRepublic)
- What is phishing? How to protect yourself from scam emails and more (ZDNET)
- Report: Phishing attacks on the rise, executives and IT workers most likely to fall victim (TechRepublic)
- 1.4 million phishing websites are created every month: Here's who the scammers are pretending to be (ZDNET)
- Identity theft protection policy (Tech Pro Research)