Malicious browser extensions are not a novel threat; however, the year 2024 marks a notable resurgence in their use as effective tools in cybercrime arsenals. JsTimer, like the Funny Tool Redirect extension, is notorious for redirecting users during web browsing sessions and potentially harvesting extensive personal information, thereby posing a severe threat to user privacy.

Exploring the JsTimer Extension Virus

JsTimer is designed for Chrome and Chromium-based browsers and is categorized as a harmful plugin. On the surface, its actions might appear benign as it merely redirects users to Google Search’s main page anytime they attempt to access the Chrome Web Store. The mechanism behind this is straightforward yet invasive: JsTimer monitors and intercepts attempts to navigate to chromewebstore.google.com. This behavior mirrors the functionalities of traditional browser hijackers, making it a subtle yet significant threat.

Like many other malicious extensions, JsTimer exploits the “Managed by your organization” feature found in Chromium browsers. Typically, this setting is used by organizations to control browser setup and prevent users from modifying extensions and settings. However, in this scenario, cybercriminals manipulate this feature to thwart manual removal efforts by users.

Varied Effects of the JsTimer Malicious Plugin

The behavior of the JsTimer browser extension varies based on the IP address of the host computer. Under normal conditions, if the system’s IP address is from an area on the “operational” list, JsTimer engages in its primary malicious activities. Conversely, if the system is located in a “banned” region, the extension switches to a less aggressive mode.

Primarily, JsTimer’s main function is to redirect user searches from Google to alternative search engines. In its latest version, it redirects queries to findflarex.com, which then sends users to boyu.com.tr. Findflarex.com acts as an intermediary that not only captures the initial search request but also injects additional search tokens. Boyu.com.tr, a pseudo-search engine, uses these tokens to display an overwhelming number of advertisements. This redirection and ad-loading process are integral to the monetization strategy behind this malicious scheme.

Another facet of this scheme involves blocking access to the Chrome Web Store. Understandably, users frustrated by an extension that commandeers their search queries would naturally head to the Web Store to identify the offending extension, leave a critical review, and report the abuse. However, what this plugin cunningly does is redirect any attempts to visit chromewebstore.google.com back to the main Google search page. While this might seem minor initially, when combined with other malicious behaviors, it exacerbates the issues significantly.

If JsTimer detects that the system’s location is in what it deems the “wrong” region, it will restrict access to the Chrome Web Store. This tactic might go unnoticed by users who infrequently visit the store, yet it serves as a protective measure for the extension and any others that might be involved in the scheme.

Spreading Ways

Most of the time, junk extensions like JsTimer get into a browser through a fraudulent website that the user is getting redirected to. The latter often happens during interactions with questionable sites, typically ones with pirated content. On the page, the user sees an offer to install “the recommended extension” (text may vary depending on the case). Hackers’ hopes are on people clicking through the pages in a rush to get to the desired content. And that is it – after a single session on such a website, a user may end up with a handful of malicious extensions.

Another often situation that leads to the “install the extension” page is when there is an active adware in the system. Aside from injecting ads into all the pages that the user visits, it may also open additional tabs with more ads, or other questionable content. And since malware actors often stick to working with each other, it is not a big surprise to see adware opening a malicious extension installation page.

How to Remove JsTimer Extension?

It is possible to get rid of JsTimer in both manual and automated ways. I will recommend sticking to the automated due to the matters I’ve described above. Source malware, as well as other junk that could have gotten into the system in the same way will remain present even after you remove the extension. And for this purpose, I recommend you to use GridinSoft Anti-Malware.

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Manual removal method

To get rid of the JsTimer extensions manually, you will need to get rid of the “Managed by your organization” thing. This trick stems from changes in the browser’s registry keys that are responsible for such deep configurations. Removing that registry key will do the job. Open Registry Editor by pressing Win+R and typing “regedit” into the appeared window. There, paste the registry address you see below:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome

You should delete this registry key: click it with the right mouse button and choose the corresponding option. That shall do the job – thereon, nothing will block you from removing the extension through the extension tab. After starting up, Chrome will recover its registry key, but without the malicious change.

You can also see the guides online that offer to change Group Policies. I will not share it here, as it is not possible to accomplish for all users of non-Pro Windows editions. And that is just another reason why removal with anti-malware software is preferable.

The post JsTimer Extension Virus – Easy Removal Instructions appeared first on Gridinsoft Blog.

Malicious browser extensions are far from being a new type of threat. Nonetheless, 2024 seems to be the year of their comeback as a widespread and rather potent cybercrime tool. During the unwanted redirect they are mainly known for, such extensions may also collect a lot of user information. This eventually makes the situation much more threatening for the user, primarily on the part of privacy.

What is a Funny Tool Redirect Extension Virus?

Funny Tool Redirect is a browser extension for Chrome and Chromium browsers that falls into a category of malicious plugins. Its visible behavior is not too threatening on the surface: all it does is redirect the user to the main page of Google Search should they try opening the Chrome Web Store. The way it works is pretty simple: it can track the URLs that the browser tries to open and simply intercepts every single call to the chromewebstore.google.com website. That functionality is identical to what browser hijackers can do.

Similar to all other extension viruses, Funny Tool abuses the “Managed by your organization” feature of Chromium browsers. As the name goes, this mode normally means that the company has set the browser up, and protects the extensions and other settings from user modifications. But in this case, con actors who design the extension take advantage of this feature to prevent manual removal attempts.

Effects of a Malicious Plugin

The Funny Tool Redirect browser extension appears to have distinct behavior depending on the IP address of the computer. It works in a rather simple manner: if the system is in the region from the “operational” list, it will go to its mainstream behavior. However, should the extension detect any of the “banned” country IPs, the behavior switches to a much less harmful mode.

So, the main activity of Funny Tool Redirect is redirecting the user from any Google search requests to a different search engine. In its current iteration, it routes everything to findflarex.com, which further throws the user to boyu.com.tr. The former is an intermediary website that, aside from intercepting the original request, also injects additional search tokens. The latter, in turn, is a wannabe search engine that uses the said search tokens to display huge amounts of ads. All this eventually forms the monetization form for that malicious scheme.

Another part of this scheme is blocking access to the Chrome Web Store. You see, people can get disgruntled with a thing that hijacks their search queries. The obvious reaction is to find the mischievous extension in the Web Store, leave a bitter comment, and report abuse to the administration. What the plugin does in this case is redirecting any requests to chromewebstore.google.com to the main Google page. This may look like not too much at first glance, but in combination with other malicious actions, it brings up a lot of problems.

When Funny Tool Redirect sees the “wrong” location of the system, it will only block the user out of the Chrome Web Store. Such tactics may remain unnoticed, if the user does not visit the store quite often, but may still be useful for other malicious extensions.

Spreading Ways

Most of the time, junk extensions like Funny Tool Redirect get into a user device through a fraudulent website that the user is getting redirected to. The latter often happens during interactions with questionable sites, typically ones with pirated content. On the page, the user sees an offer to install “the recommended extension” (text may vary depending on the case). Hackers’ hopes are on people clicking through the pages in a rush to get to the desired content. And that is it – after a single session on such a website, a user may end up with a handful of malicious extensions.

Another often situation that leads to the “install the extension” page is when there is an active adware in the system. Aside from injecting ads into all the pages that the user visits, it may also open additional tabs with more ads, or other questionable content. And since malware actors often stick to working with each other, it is not a big surprise to see adware opening a malicious extension installation page.

How to Remove Funny Tool Redirect Extension?

It is possible to get rid of Funny Tool Redirect in both manual and automated ways. I will recommend sticking to the automated due to the matters I’ve described above. Source malware, as well as other junk that could have gotten into the system in the same way will remain present even after you remove the extension. And for this purpose, I recommend you to use GridinSoft Anti-Malware.

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Manual removal method

To get rid of the Funny Tool Redirect extensions manually, you will need to get rid of the “Managed by your organization” thing. This trick stems from changes in the browser’s registry keys that are responsible for such deep configurations. Removing that registry key will do the job. Open Registry Editor by pressing Win+R and typing “regedit” into the appeared window. There, paste the registry address you see below:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome

You should delete this registry key: click it with the right mouse button and choose the corresponding option. That shall do the job – thereon, nothing will block you from removing the extension through the extension tab. After starting up, Chrome will recover its registry key, but without the malicious change.

You can also see the guides online that offer to change Group Policies. I will not share it here, as it is not possible to accomplish for all users of non-Pro Windows editions. And that is just another reason why removal with anti-malware software is preferable.

The post Funny Tool Redirect Extension Virus – Easy Removal Instructions appeared first on Gridinsoft Blog.

Predasus Malware Targets Chromium-based Browsers in Latin America

Threat analysts have discovered a new malware called “Predasus”. Attackers use this malware to insert harmful code through a Chrome extension and employ this method to attack various sites, including WhatsApp’s web version. The attackers enter and exploit the targeted websites through legitimate channels to deploy Predasus malware, enabling them to steal users’ confidential and financial data. Predasus engages in several malicious activities, such as obtaining sensitive information like login details, financial data, and personal information.

Predasus Infection Chain

Browser extensions can infect your device in various ways. They exploit browser or operating system vulnerabilities, including social engineering, to trick users into downloading them. The scenario is classic – a user opens an email attachment, a PDF, Word, or Excel file. The attachment contains malware that stealthily infects the user’s computer and is automatically deployed once downloaded. The malware then connects to the first command and control (C&C) server and downloads several files written to a folder named “extension_chrome” in the %APPDATA% folder. It terminates any process associated with Google Chrome and creates malicious .LNK files in several locations, replacing legitimate ones. In addition, the extension gains some permissions:

• “tabs”: Allows the extension to access and modify browser tabs and their content.
• “background”: Allows the extension to run in the background, even when the extension’s popup window is closed.
• “storage”: Allows the extension to store and retrieve data from the browser’s local storage.
• “alarms”: Allows the extension to schedule tasks or reminders at specific times.
• “cookies”: Allows the extension to access and modify cookies for any website the user visits.
• “idle”: Allows the extension to detect when the user’s system is idle (i.e., not being actively used).
• “webRequest”: Allows the extension to monitor, block, or modify network requests made by the browser.
• “webRequestBlocking”: Allows the extension to block network requests made by the browser.
• “system.display”: Allows the extension to detect and adjust display settings on the user’s system.
• “http://*/*”: Allows the extension to access any HTTP website.
• “https://*/*”: Allows the extension to access any HTTPS website.
• “browsingData”: Allows the extension to clear the user’s browsing data (such as history and cache) for specific websites.

Some of these permissions pose a risk because they allow an extension to access or modify sensitive user data.

What data is at risk?

According to IBM Security Lab, Predasus has been seen in many malicious activities, including modifying browser behavior and stealing sensitive data such as login credentials, financial information, and personal data. In addition, this attack uses WhatsApp Web. Since WhatsApp is popular in some countries such as Brazil, Mexico, and India, attackers can get enough potentially valuable information. Using a phishing payment site, scammers steal payment information from the victim under the guise of paying for a subscription. In addition, the phishing site asks for a confirmation code that the victim received via text message. In this way, the fraudsters access the victim’s bank account. Ultimately, the attackers sell the obtained data on the Darknet.

Safety Tips

To avoid unpleasant consequences, you must be cyber hygienic and watch what you install. Hackers always seek for new ways of malware spreading, and your attentiveness can effectively repel all their attempts.

• Be careful with emails you receive. This advice repeats again and again, as hackers keep using spoofed emails to spread malware. Strange topic, unknown sender, typos – all such things should raise suspicion.
• Only download extensions you’re sure about. Even using Chrome Web Store as a source does not mean you’re safe. Hackers have their ways to upload malicious plugins even to this marketplace – leave alone third-party sources.
• Use two-factor authentication and regularly update your browser and extensions to stay safe.
• Use effective anti-malware software. When it comes to protecting from malware attacks from different vectors, it is quite easy to whiff at some point. To avoid problems, a backup protection option is essential. GridinSoft Anti-Malware can offer you great protection, both reactive and proactive.

The increase in harmful Chrome extensions is concerning and emphasizes the importance of being cautious while browsing the web. There are concerns that this malware campaign may spread to North America and Europe.

The post Predasus Malware Attacks Latin America Through Browser Plugins appeared first on Gridinsoft Blog.

If you do not use Chrome, let me remind you that this function is applied to synchronize data between different user’s devices, and stores copies of all user bookmarks, browsing history, passwords, as well as browser settings and browser extensions on Google cloud servers.

However, as it turned out, synchronization can be used to send commands to infected browsers, as well as steal data from infected systems, bypassing firewalls and other means of protection.

Zdrnya writes that in the course of the incident he studied, the attacker gained access to the victim’s computer, but was unable to steal the data, since it was inside the employee portal. Then the hacker downloaded a malicious Chrome extension to the victim’s machine and launched it through Developer Mode.

The extension masked itself as a security product from Forcepoint and contained malicious code that abused the synchronization function, allowing an attacker to control the infected browser. In this case, the extension was used to manipulate data in an internal web application that the victim had access to.

The malicious code found in the extension allowed an attacker to create a special text field to store token keys, which were then synchronized with Google cloud servers.

According to the researcher, any data can be stored in such a field: it could be information collected by a malicious extension about an infected browser (for example, usernames, passwords, cryptographic keys, etc.), or, on the contrary, commands that the extension must execute on the infected host.

Thus, a malicious extension can be used to “drain” data from corporate networks into the attacker’s Chrome, and bypassing local protection tools. After all, stolen content or commands are transmitted through the Chrome infrastructure, and the Google browser is usually allowed to work and transfer data without hindrance, that is, the hacker’s activity will not raise suspicion and will not be blocked in most corporate networks.

Instead, the researcher advises using corporate Chrome features and group policies to block or tightly control extensions that can be installed in the browser.

As I mentioned, recently Google Chrome fixed two 0-day vulnerability in two week, that was under attacks.

The post Researcher discovered that Chrome Sync function can be used to steal data appeared first on Gridinsoft Blog.

It masks itself as a real Ledger Live tool intended for users of Ledger hardware wallets and their mobile or desktop devices.

“Extension has no browser permissions. It only has one purpose (to steal your seed phrases)”, – wrote Harry Denley on his Twitter account.

Fraudsters diligently maintained the illusion that the fake is the official version of Ledger Live for Chrome, which allows performing exactly the same operations through the browser (check balance, confirm transactions). However, instead, the fake suggested that users install the extension and synchronize with it with their Ledger by entering the seed phrase of the wallet.

A Seed phrase is a 24-word string that is used to move wallet data between devices, as a recovery system in case the user loses or wants to change the device.

“In essence, the fraudulent resolution did nothing more, just showed a pop-up window asking for a seed phrase, and using Google Form it collected and sent this data to its operators”, – said Harry Denley.

Then the scammers could use the stolen seed phrases with their own Ledger wallet and “restore” the wallets of other users (in order to gain access to their accounts and steal funds). Since Ledger hardware wallets can work with more than 20 different cryptocurrencies, a hacker who manages to steal a seed phrase can gain access to considerable sums of money.

Currently, the extension is still available in the official Chrome Web Store and has over 120 installations. In addition, according to the researcher, the extension is actively advertised through Google Ads for the keywords “Ledger Live”.

“What kind of shit again?”, you may ask? And you will be right! Only recently I wrote that Shitcoin Wallet for Google Chrome steals cryptocurrency passwords and keys.

The post Malicious Ledger Live extension for Chrome steals Ledger wallet data appeared first on Gridinsoft Blog.

The first problematic addon appeared on December 9th. The extension received the identifier ckkgmccefffnbbalkmbbgebbojjogffn.

Shitcoin Wallet developers claim that the extension allows users to manage Ether (ETH) currency, as well as Ethereum ERC20 tokens.

“Users can install the Chrome extension and manage ETH coins and ERC20 tokens from within their browser, or they can install a Windows desktop app, if they want to manage their funds from outside a browser’s risky environment”, — says Shitcoin Wallet description.

There is also a similar application for Windows, however, attackers focus on the addon.

In fact, it turned out that Shitcoin Wallet has completely different goals.

According to Harry Danley, head of security for the MyCrypto platform, the extension contains malicious code.

This addon is dangerous for users of the Chrome browser for two reasons:

“First: Any funds (ETH coins and ERC0-based tokens) managed directly inside the extension are at risk. The extension sends the private keys of all wallets created or managed through its interface to a third-party website located at erc20wallet[.]tk. Second, the extension also actively injects malicious JavaScript code when users navigate to five well-known and popular cryptocurrency management platforms. This code steals login credentials and private keys, data that it’s sent to the same erc20wallet[.]tk third-party website”, — explained Harry Denley.

According to an analysis of the malicious code on ZDNet, the process goes as follows:

• Users install the Chrome extension
• Chrome extension requests permission to inject JavaScript (JS) code on 77 websites
• When users navigate to any of these 77 sites, the extension loads and injects an additional JS file from: https://erc20wallet[.]tk/js/content_.js
• This JS file contains obfuscated code
• The code activates on five websites: MyEtherWallet.com, Idex.Market, Binance.org, NeoTracker.io, and Switcheo.exchange
• Once activated, the malicious JS code records the user’s login credentials, searches for private keys stored inside the dashboards of the five services, and, finally, sends the data to erc20wallet[.]tk

It is unclear whether the Shitcoin Wallet team is responsible for the malicious code or whether the Chrome extension was hacked by a third party. However, for example, the ToTok messenger was almost specially created in collaboration with the UAE special services for total tracking of users.

The post Shitcoin Wallet for Google Chrome steals cryptocurrency passwords and keys appeared first on Gridinsoft Blog.