A sophisticated malware campaign exploiting Google Chrome's market dominance has security professionals on high alert. The newly identified threat vector uses Chrome's trusted branding as camouflage while delivering multiple payload stages capable of complete system compromise.
Technical Analysis:
The malware employs a multi-stage delivery system beginning with compromised Chrome extensions that bypass the Web Store vetting process. Once installed, these extensions download secondary payloads that exploit either:
- CVE-2023-7024 (Chrome's WebGL memory corruption vulnerability)
- Zero-day flaws in Chrome's File System Access API
Behavioral Characteristics:
- Masquerades as Chrome update processes (chrome_update.exe)
- Implements process hollowing to inject malicious code into legitimate system processes
- Establishes persistent C2 connections using DNS-over-HTTPS (DoH) for stealth
Impact Assessment:
The malware's capabilities include:
- Keylogging and form grabbing for credential theft
- Browser session hijacking
- Deployment of ransomware modules
- Establishment of reverse shells for remote access
Mitigation Recommendations:
- Enterprise:
- Implement extension allowlisting
- Deploy behavioral analysis tools
- Enforce strict DoH traffic monitoring
- Individual Users:
- Verify all extension permissions
- Enable Chrome's Enhanced Protection mode
- Regularly audit running processes for suspicious chrome_update instances
The malware's infrastructure shows similarities to previous campaigns attributed to both Russian cybercrime groups and North Korean state-sponsored actors, suggesting possible collaboration or code sharing in the cybercriminal underground.
Comentarios 0
Comentando como:
¡Únete a la conversación!
Sé el primero en compartir tu opinión sobre este artículo.
¡Inicia la conversación!
Sé el primero en comentar este artículo.