{"id":54643,"date":"2023-11-23T00:00:00","date_gmt":"2023-11-23T00:00:00","guid":{"rendered":"urn:uuid:4367640b-211f-b77a-acbb-4b9d18b511ec"},"modified":"2023-11-23T00:00:00","modified_gmt":"2023-11-23T00:00:00","slug":"parasitesnatcher-how-malicious-chrome-extensions-target-brazil","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/parasitesnatcher-how-malicious-chrome-extensions-target-brazil\/","title":{"rendered":"ParaSiteSnatcher: How Malicious Chrome Extensions Target Brazil"},"content":{"rendered":"

<\/p>\n

<\/div>\n

Our investigations on potential security threats uncovered a malicious Google Chrome extension that we named \u201cParaSiteSnatcher.\u201d The ParaSiteSnatcher framework allows threat actors to monitor, manipulate, and exfiltrate highly sensitive information from multiple sources. ParaSiteSnatcher also utilizes the powerful Chrome Browser API to intercept and exfiltrate all POST requests containing sensitive account and financial information before the HTTP request initiates a transmission control protocol (TCP) connection.<\/p>\n

Our research shows that the malicious extension is specifically designed to target users in Latin America, particularly Brazil; it exfiltrates data from Banco do Brasil- and Caixa Econ\u00f4mica Federal (Caixa)-related URLs. It can also initiate and manipulate transactions in PIX, a Brazilian instant payment ecosystem, and payments made through Boleto Bancario, another payment method regulated by the Bank of Brazil. We also observed that it can exfiltrate Brazilian Tax ID numbers for both individuals and businesses, as well as cookies, including those used for Microsoft accounts.  <\/p>\n

Once installed, the extension manifests with the help of extensive permissions enabled through the Chrome extension, allowing it to manipulate web sessions, web requests, and track user interactions across multiple tabs using the Chrome tabs API. The malware includes various components that facilitate its operation, content scripts that enable malicious code injection into web pages, monitor Chrome tabs, and intercept user input and web browser communication.<\/p>\n

It is worth noting that while ParaSiteSnatcher specifically targets Google Chrome browsers, the malicious extension will also work on browsers that support Chrome extension API and runtime, such as Chromium-based browsers like newer versions of Microsoft Edge, Brave, and Opera. These extensions could potentially be compatible with Firefox and Safari as well, but changes such as the browser namespace are necessary.<\/p>\n

The ParaSiteSnatcher downloader<\/span><\/p>\n

ParaSiteSnatcher is downloaded through a VBScript downloader hosted on Dropbox and Google Cloud and installed onto an infected system. <\/p>\n

Our analysis has identified three distinct variants of the VBScript downloader, which are characterized by differing levels of obfuscation and complexity:<\/p>\n