The Razy Trojan is targeting legitimate browser extensions and is spoofing search results in the quest to raid cryptocurrency wallets and steal virtual coins from victims.
According to new research published by Kaspersky Lab, the malware, known as Razy, is a Trojan which uses some of the more unusual techniques on record when infecting systems.
Detected by the cybersecurity firm as Trojan.Win32.Razy.gen, Razy is an executable file which spreads through malvertising on websites and is also packaged up and distributed on file hosting services while masquerading as legitimate software.
The main thrust of the malware is its capability to steal cryptocurrency. Razy focuses on compromising browsers, including Google Chrome, Mozilla Firefox, and Yandex. Different infection vectors are in place depending on the type of browser found on an infected system.
Razy is able to install malicious browser extensions, which is nothing new. However, the Trojan is also able to infect already-installed, legitimate extensions, by disabling integrity checks for extensions and automatic updates for browsers.
In the case of Google Chrome, Razy edits the chrome.dll file to disable extension integrity checks and then renames this file to break the standard pathway. Registry keys are then created to disable browser updates.
"We have encountered cases where different Chrome extensions were infected," the researchers say. "One extension, in particular, is worth mentioning: Chrome Media Router is a component of the service with the same name in browsers based on Chromium. It is present on all devices where the Chrome browser is installed, although it is not shown in the list of installed extensions."
In order to compromise Firefox, a malicious extension called "Firefox Protection" is installed. When it comes to Yandex, the Trojan will also disable integrity checks, rename the browser.dll file, and create registry keys to prevent browser updates. A malicious extension called Yandex Protect is then downloaded and installed.
Most of the malware's functions are served through a single .js script which permits the malware to search for cryptocurrency wallet addresses, replace these addresses with others controlled by threat actors, spoof both images and QR codes which point to wallets, as well as modify the web pages of cryptocurrency exchanges.
Razy is also able to spoof Google and Yandex search results on infected browsers, which could result in victims unwittingly visiting malicious web pages. The Trojan will often tamper with results relating to cryptocurrency in an attempt to entice users to hand over their credentials -- for example, by promoting new services or bargain coin sales which require the user to log in if they wish to participate.
In all three browser cases, a number of additional scripts are downloaded. Two of the scripts, firebase-app.js and firebase-messaging.js, are legitimate statistics collectors, while two others, bgs.js and extab.js, are malicious, obfuscated scripts which modify web pages and allow malicious ads to be inserted.
At the time of writing, a total of six wallets linked to this campaign hold 0.14 BTC, alongside three wallets which contain roughly 25 ETH.
In related news, researchers from the University of Illinois at Urbana-Champaign demonstrated proof-of-concept security vulnerabilities earlier this week which impact a total of 26 low-end cryptocurrencies.