This post was made possible through the research contributions of Amir Gendler.
In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.
In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and how Telegram is utilized to transmit data about the compromised machines and share more about the campaign.
Malicious Chrome extensions pose a significant threat beyond mere annoyance. These sophisticated tools can perform various operations on a victim’s machine, such as gathering technical information from the compromised browser, capturing screenshots of active browsing tabs and accessing the browser’s clipboard to overwrite its contents. Additionally, they can inject malicious scripts into web pages, steal login credentials and cookies, track browsing history and redirect users to phishing sites. The versatility of these extensions makes them potent tools for cyber criminals, capable of executing a wide array of harmful activities with minimal detection.
To ensure its persistence, the malware employs a flexible command and control (C2) system and adaptive configuration, often communicated via a Telegram channel. The ultimate objective of these malicious activities is to install a harmful browser plugin on the victim’s browser and use the Man in the Browser technique. This allows the attackers to illegally collect sensitive banking information, along with other relevant data such as compromised machine information and on-demand screenshots.
Who is CyberCartel?
Since 2012, the cyber crim ..
Support the originator by clicking the read the rest link below.
