A team of researchers analyzed a Google Chrome extension called Desbloquear Conteudo ("Unblock Content") after finding that it was communicating with a suspicious domain. They found that it was a rare type of banking malware. The extension, which was identified as HEUR:Trojan-Banker.Script.Generic, was immediately removed from the Chrome Web Store.
Vyacheslav Bogdanov, a researcher at Kaspersky Lab, said that the man-in-the-middle (MitM) extension for Chrome was aimed at Brazilian online banking users, with the goal of obtaining information such as login details and passwords in order to steal cash. A MitM attack redirects the victim's web traffic to a hoax website. Users are not aware of this and believe that they are connected to the genuine website. Instead, the traffic to and from the bank's website is routed through an attacker's site, where the attacker can gather the data they need.
An interesting detail about this extension is that the developers made no attempt to obfuscate the source code. Instead, they carried out the MitM attack using the WebSocket protocol for data communication, which made it possible to exchange real-time messages with the command-and-control (C&C) server. The C&C acts as a proxy server to which the extension redirects traffic when the victim visits the site of a Brazilian bank.
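Because the code was not obfuscated, the behaviour described above (WebSocket communication with a remote server and traffic redirection) is visible to a static review of the extension's files. The following JavaScript is an added example, not code from the Kaspersky analysis or from the extension itself; the function name `triageExtension`, the lists of permissions treated as noteworthy, and the sample manifest and sources are assumptions constructed for illustration.

```javascript
// Added example: static triage of an unpacked Chrome extension.
// Names, permission lists and sample data below are illustrative assumptions.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const RISKY_PERMS = new Set(["proxy", "webRequest", "webRequestBlocking"]);

// manifest: parsed manifest.json; sources: { fileName: sourceText }
function triageExtension(manifest, sources) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of perms) {
    // Permissions that let an extension observe or reroute web traffic.
    if (RISKY_PERMS.has(p)) findings.push({ kind: "permission", detail: p });
    if (BROAD_HOSTS.has(p)) findings.push({ kind: "broad-host", detail: p });
  }
  // Content scripts matching every site also run on online-banking pages.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_HOSTS.has(m)) findings.push({ kind: "broad-content-script", detail: m });
    }
  }
  // Unobfuscated code exposes WebSocket endpoints as plain string literals.
  const wsUrl = /\bwss?:\/\/[^\s"'`)]+/g;
  for (const [file, text] of Object.entries(sources)) {
    for (const url of text.match(wsUrl) || []) {
      findings.push({ kind: "websocket-endpoint", detail: `${file}: ${url}` });
    }
    if (/\bnew\s+WebSocket\s*\(/.test(text)) {
      findings.push({ kind: "websocket-use", detail: file });
    }
  }
  return findings;
}

// Constructed sample input (not taken from the analyzed extension).
const sampleManifest = {
  manifest_version: 2,
  name: "constructed-sample",
  permissions: ["proxy", "tabs", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};
const sampleSources = {
  "background.js": 'const s = new WebSocket("wss://relay.example.invalid/ws");',
  "inject.js": "document.title = document.title;",
};

for (const f of triageExtension(sampleManifest, sampleSources)) {
  console.log(`${f.kind}: ${f.detail}`);
}
```

A finding is a prompt for manual review rather than a verdict: many legitimate extensions use WebSockets or broad host access, so the endpoints and permissions reported still have to be checked against what the extension claims to do.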
Bogdanov suggested that, in addition to targeting Brazilian users, the browser extension had the further function of adding cryptocurrency mining scripts to the banking sites that users visited. He also mentioned that browser extensions designed to steal user logins and passwords are rare compared with adware extensions. Because they can cause serious damage, they should be taken seriously.
It is always best to use only those extensions that have good reviews and a large number of installations in the Chrome Web Store or other official services. Even when users take several precautions, there is still a chance that malicious extensions get through.