Malware named Razy has been detected by the cyber security firm Kaspersky Lab. It targets legitimate browser extensions and spoofs search results in order to raid cryptocurrency wallets and steal virtual coins from victims.
This malware is a Trojan that uses unusual methods to infect systems. The malware, Trojan.Win32.Razy.gen, is an executable file that spreads through malvertising on websites and is packaged and distributed on file hosting services while posing as legitimate software.
The trojan can steal cryptocurrency by compromising browsers including Google Chrome, Mozilla Firefox and Yandex.
Razy can install malicious browser extensions and can also infect already-installed extensions by disabling extension integrity checks and automatic browser updates.
In Google Chrome the trojan edits the chrome.dll file to disable the extension integrity check, then renames the original file so that it no longer sits at its standard path. It then creates registry keys to disable browser updates.
In Firefox a malicious extension called “Firefox Protection” is installed. In the Yandex browser the trojan disables the integrity check and renames the browser.dll file, then creates registry keys to prevent browser updates; an extension called Yandex Protect is then downloaded and installed.
The malware's functions are served through a single .js script that searches for cryptocurrency wallet addresses and replaces them with addresses controlled by the threat actors, spoofs both images and QR codes that point to wallets, and modifies the web pages of cryptocurrency exchanges.
The trojan can also spoof Google and Yandex search results in infected browsers, so that users unknowingly visit malicious websites. Razy interferes with results relating to cryptocurrency to lure users into giving up their credentials.
In the affected browsers, several additional scripts are downloaded. Two of them, firebase-app.js and firebase-messaging.js, are legitimate statistics collectors, while two others, bgs.js and extab.js, are complex malicious scripts that alter web pages and allow malicious ads to be inserted.
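The wallet-address swapping and page-altering scripts described above can be hunted for with a simple static heuristic: a script that both hard-codes wallet addresses and uses DOM-rewrite primitives deserves a look. The following is an added illustration for defenders, not code from the article or from Kaspersky; the address patterns, API list and the sample extension bundle are all assumptions constructed for the example.

```python
import re

# Heuristic address formats; assumption: legacy Bitcoin and Ethereum suffice for this
# demonstration, real tooling would cover the other chains a swapper might target.
WALLET_PATTERNS = {
    "bitcoin": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "ethereum": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# DOM-rewrite primitives a script needs in order to swap displayed addresses,
# images or QR codes on a page (assumed list, not exhaustive).
DOM_REWRITE_APIS = ("innerHTML", "textContent", "MutationObserver", ".src =")

def scan_script(source: str) -> dict:
    """Flag a script that both hard-codes wallet addresses and rewrites the DOM."""
    addresses = {}
    for kind, pattern in WALLET_PATTERNS.items():
        hits = sorted({m.group(0) for m in pattern.finditer(source)})
        if hits:
            addresses[kind] = hits
    dom_apis = [api for api in DOM_REWRITE_APIS if api in source]
    # Either signal alone is common in benign code; the combination is the indicator.
    return {
        "addresses": addresses,
        "dom_apis": dom_apis,
        "suspicious": bool(addresses) and bool(dom_apis),
    }

def scan_extension(scripts: dict) -> list:
    """Return the names of scripts in an extension bundle that look like wallet swappers."""
    return [name for name, src in scripts.items() if scan_script(src)["suspicious"]]

# Constructed sample bundle (not real Razy code): one benign helper, one swapper stub.
SAMPLE_EXTENSION = {
    "stats.js": """
        // benign telemetry helper
        function report(event) {
          fetch('/collect', {method: 'POST', body: JSON.stringify(event)});
        }
    """,
    "content.js": """
        // hard-coded attacker-controlled addresses written into wallet fields
        const BTC = '1AbcdefghjkmnpqrstuvwxyzABCDEFGHJ';
        const ETH = '0xc0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ff';
        document.querySelectorAll('.wallet').forEach(n => { n.textContent = BTC; });
    """,
}
```

Running `scan_extension(SAMPLE_EXTENSION)` flags only content.js; pointing the same functions at the unpacked files of an installed extension gives a quick triage pass before deeper analysis.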