Appropriately dubbed "Catch-All," this malicious Google Chrome extension captures all the data posted by its victims — including usernames, passwords, etc. — on any website they visit and transmits it into the hands of cyber criminals.
How the Catch-All malware is spreading
According to Marinho, the malware is being delivered via phishing emails with a link to see photos from a weekend event being shared via WhatsApp.
Clicking the link downloads a dropper file called "whatsapp.exe," which, when executed, displays a fake Adobe Flash update prompt. Installing the "update" results in the Catch-all payload being downloaded, extracted, and executed.
Note: As of now, distribution of the malware appears to be limited to Portuguese-speaking countries, with the attacks originating in Brazil.
Once the user is tricked into installing the fake Adobe Flash update, the payload is delivered as a compressed file called "md18102136.cab." When the file is decompressed, two additional files are extracted (md0.exe and md1.exe), each roughly 200MB. Marinho explains that roughly 97% of the code in both files is bloat, likely added to help the files bypass anti-malware solutions that do not inspect large files.
In addition to loading the malicious Chrome extension, md0.exe also attempts to disable a variety of security features with the following command and Chrome command-line switches:
netsh firewall opmode disable: disables the Windows firewall
--disable-extensions-file-access-check: allows extensions to inject scripts into file:// URLs without the user opting in
--always-authorize-plugins: stops Chrome from requiring authorization to run plug-ins
--disable-improved-download-protection: disables Safe Browsing warnings when downloading files
It then kills all Chrome processes and configures the browser extensions to be loaded the next time Chrome runs.
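As an added example (not code from the article or from Marinho's analysis), a small Python check that scans process-creation records for the dropper's tell-tale command lines listed above: the three Chrome switches and the netsh firewall command. The JSON-lines record field names (host, Image, CommandLine) are assumptions modelled on Sysmon-style logs, and the sample records are constructed.

```python
import json
import re
from collections import namedtuple

# Chrome switches the md0.exe dropper sets, written as Chrome takes them on
# the command line (the article lists them without the leading dashes).
SUSPICIOUS_CHROME_SWITCHES = (
    "--disable-extensions-file-access-check",
    "--always-authorize-plugins",
    "--disable-improved-download-protection",
)
# "netsh firewall ... opmode disable" in either the bare or the mode= spelling.
NETSH_FIREWALL_OFF = re.compile(r"\bnetsh\s+firewall\b.*\bopmode\s+(?:mode=)?disable\b", re.I)

Finding = namedtuple("Finding", "host image reason")

def inspect_command_line(host, image, cmdline):
    """Return the findings for one process-creation record (empty if benign)."""
    findings = []
    low = cmdline.lower()
    if image.lower().endswith("chrome.exe"):
        hits = [s for s in SUSPICIOUS_CHROME_SWITCHES if s in low]
        if hits:
            findings.append(Finding(host, image, "chrome launched with " + ", ".join(hits)))
    if NETSH_FIREWALL_OFF.search(cmdline):
        findings.append(Finding(host, image, "windows firewall disabled via netsh"))
    return findings

def scan_jsonl(lines):
    """Scan JSON-lines records with host, Image and CommandLine fields (assumed names)."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        findings.extend(inspect_command_line(rec["host"], rec["Image"], rec["CommandLine"]))
    return findings

# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    json.dumps({"host": "ws01", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                "CommandLine": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
                               '--disable-extensions-file-access-check --always-authorize-plugins '
                               '--disable-improved-download-protection'}),
    json.dumps({"host": "ws01", "Image": r"C:\Windows\System32\netsh.exe",
                "CommandLine": "netsh firewall set opmode disable"}),
    json.dumps({"host": "ws02", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                "CommandLine": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --profile-directory=Default'}),
]

if __name__ == "__main__":
    for f in scan_jsonl(SAMPLE_LOG):
        print(f"{f.host}: {f.reason} ({f.image})")
```

The same check can be pointed at an exported Sysmon or EDR process-creation feed once the field names are mapped to the ones in use.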
From here, the extension captures any data the victim enters as they browse from page to page, using Windows APIs to retrieve keystrokes and sending the information to a C&C server via jQuery and Ajax connections.
The extension uses the GetKeyboardState function to retrieve keystrokes.
As a result, the criminals behind Catch-All can silently gather a treasure trove of credentials and personal data without the user noticing a thing. Because the data is captured in clear text inside the browser, existing browser security measures such as SSL or TLS don't provide protection against this threat.
In Marinho's opinion, the onus is on the browsers to mitigate threats like the Catch-All extension. "Internet browsers should better control extensions and plugins' installation processes, as the Android and iOS mobile ecosystems do," he told Threatpost. "By default, only the extensions available on official stores should be accepted for installation."
Blocking Catch-All before it steals data
Since the Catch-All extension is delivered via phishing emails, user training can help prevent its installation in the first place.
Users will be users, however, and the good news is that having Barkly installed will stop this attack in its earliest stages, before the payload even has a chance to execute or tee up the malicious extension.
That means even if users do fall for the phishing email they're still protected.
With the creation of malicious Chrome extensions — and the hijacking of legitimate ones — on the rise, it's key for organizations to protect their users and endpoints with strong security that can spot malicious behavior in addition to malicious files.