Massive Malware Campaign Hijacks 300,000 Browsers: How to Protect Yourself
A widespread and ongoing malware campaign has force-installed malicious extensions on over 300,000 Google Chrome and Microsoft Edge browsers, compromising users' browsing history, login credentials, and personal data. The attack, discovered by ReasonLabs researchers, employs diverse malvertising tactics to infect devices, highlighting the need for vigilance and robust security measures.
Infection Vector
The malware campaign begins with fake software installers downloaded from malicious websites promoted through Google search results. These installers, signed by 'Tommy Tech LTD', evade detection by antivirus tools and contain PowerShell scripts that download payloads, modify browser executables, and install extensions.
Malicious Extensions
The campaign has installed numerous extensions, including:
- Custom Search Bar (40K+ users)
- yglSearch (40K+ users)
- Qcom search bar (40+ users)
- Qtr Search (6K+ users)
- Micro Search Chrome Extension (180K+ users, removed from Chrome store)
- Active Search Bar (20K+ users, removed from Chrome store)
- Your Search Bar (40K+ users, removed from Chrome store)
- Safe Search Eng (35K+ users, removed from Chrome store)
- Lax Search (600+ users, removed from Chrome store)
The following Microsoft Edge extensions are linked to this campaign:
- Simple New Tab (100,000K+ users, removed from Edge store)
- Cleaner New Tab (2K+ users, removed from Edge store)
- NewTab Wonders (7K+ users, removed from Edge store)
- SearchNukes (1K+ users, removed from Edge store)
- EXYZ Search (1K+ users, removed from Edge store)
- Wonders Tab (6K+ users, removed from Edge store)
These extensions hijack search queries, redirect users to malicious results, and capture sensitive information.
Persistence and Evasion
The malware employs various techniques to remain persistent and evade detection, including:
- Modifying browser shortcut links to force-load malicious extensions
- Disabling browser automatic updates
- Hiding extensions from the extensions management page
- Modifying DLLs to hijack browser homepages
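The first three persistence tricks above leave traces a defender can check for on a Windows host: a browser shortcut whose arguments sideload an extension folder, a policy key that force-installs extensions, and a policy value that switches updates off. The script below is an added example written for this page, not code from the article or from NPAV. The shortcut folders it scans, the command-line switches it treats as suspicious, and the policy key paths are my own assumptions about where such changes would appear; the article publishes no task names, registry keys or file paths.

```powershell
# Added example (not from the article): audit browser shortcuts and policy keys
# for the persistence tricks described above. Read-only; it reports, nothing more.
# Assumption: these folders, switches and key paths are my choices, not article IoCs.

$shortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
)
# Chrome/Edge switches that make the browser sideload or allow-list an extension folder.
$suspiciousSwitches = @('--load-extension', '--disable-extensions-except')

$shell    = New-Object -ComObject WScript.Shell
$findings = @()

foreach ($dir in $shortcutDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if ($lnk.TargetPath -match 'chrome\.exe$|msedge\.exe$') {
            foreach ($sw in $suspiciousSwitches) {
                if ($lnk.Arguments -like "*$sw*") {
                    $findings += [pscustomobject]@{
                        Check  = 'Shortcut arguments'
                        Item   = $_.FullName
                        Detail = $lnk.Arguments
                    }
                }
            }
        }
    }
}

# Extensions force-installed through browser policy (any value under these keys is worth a look).
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist';   Check = 'Chrome force-install policy' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist';  Check = 'Edge force-install policy' }
)
foreach ($p in $policyChecks) {
    if (-not (Test-Path $p.Path)) { continue }
    $props = Get-ItemProperty -Path $p.Path
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $findings += [pscustomobject]@{ Check = $p.Check; Item = $p.Path; Detail = "$($prop.Name) = $($prop.Value)" }
    }
}

# Automatic updates switched off by policy (UpdateDefault = 0 means updates disabled).
$updateKeys = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Update';        Name = 'UpdateDefault'; Check = 'Chrome update policy' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'; Name = 'UpdateDefault'; Check = 'Edge update policy' }
)
foreach ($u in $updateKeys) {
    $v = (Get-ItemProperty -Path $u.Path -Name $u.Name -ErrorAction SilentlyContinue).($u.Name)
    if ($null -ne $v -and $v -eq 0) {
        $findings += [pscustomobject]@{ Check = $u.Check; Item = "$($u.Path)\$($u.Name)"; Detail = "value $v (updates disabled)" }
    }
}

if ($findings.Count -eq 0) { 'No shortcut or policy indicators found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated PowerShell prompt so the HKLM policy keys are readable. A shortcut that launches the browser with `--load-extension` pointing at a folder you did not create, or a force-install policy on a home PC that is not domain-managed, is the kind of finding that justifies the removal steps in the next section.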
Removal and Prevention
To remove the infection, users must:
- Delete scheduled tasks and malicious registry entries
- Remove malicious files using antivirus software
- Consider reinstalling the browser to ensure complete removal
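The first removal step assumes you can find the scheduled tasks and registry entries to delete, but the article names none. This added example (mine, not the article's or NPAV's) triages the usual autostart locations by the shape of the command they run, since the infection vector described above is a PowerShell downloader: it lists scheduled tasks and Run-key entries that launch PowerShell with hidden-window, execution-policy-bypass or encoded-command flags. The flag pattern and the locations checked are my assumptions; it only reports, and the removal command is shown as a comment for you to apply after reviewing each hit.

```powershell
# Added example (not from the article): list scheduled tasks and Run-key entries
# that launch PowerShell with flags typical of hidden downloaders. Report only.
# Assumption: the flag pattern and locations are my choices; the article gives no task or key names.

$flagPattern = '(?i)-(enc|encodedcommand|w(indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass)'
$hits = @()

# Scheduled tasks: inspect every action's executable plus arguments.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'powershell|pwsh' -and $cmd -match $flagPattern) {
            $hits += [pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                Command = $cmd
            }
        }
    }
}

# Run keys: per-machine and per-user autostart entries.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        if ("$($prop.Value)" -match 'powershell|pwsh' -and "$($prop.Value)" -match $flagPattern) {
            $hits += [pscustomobject]@{ Source = 'RunKey'; Name = "$key\$($prop.Name)"; Command = $prop.Value }
        }
    }
}

if ($hits.Count -eq 0) { 'No suspicious PowerShell autostarts found.' } else { $hits | Format-Table -AutoSize -Wrap }

# After confirming a hit is malicious, remove it with, for example:
#   Unregister-ScheduledTask -TaskName '<name>' -TaskPath '<path>' -Confirm:$false
#   Remove-ItemProperty -Path '<run key>' -Name '<value name>'
```

Legitimate software occasionally uses these flags too, so treat a hit as a lead rather than a verdict: check the script or URL the command points at before deleting anything, and keep a copy of the task definition (`Export-ScheduledTask`) for later analysis.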
To protect yourself:
- Be cautious when downloading software from unknown sources
- Install Net Protector antivirus and keep it up to date
- Regularly review browser extensions and remove suspicious ones
- Enable browser automatic updates
Stay vigilant and take proactive measures to safeguard your digital security.