Browser Extensions and Malicious Downloads Install Infostealers

Cybercriminals use information-stealing malware, also known as infostealers, to gather data about users, their devices, and their networks. This data can include personal information, account credentials such as online passwords, and other sensitive data. Infostealers are installed on victim devices in several ways, including through malicious browser extensions and malicious downloads.
Users download browser extensions for a variety of reasons. Threat actors surreptitiously purchase or hijack popular extensions that are already published in official web stores and capitalize on the trust those extensions have earned. Users often continue to use an extension after it has been taken over by the new vendor, as they are likely unaware of the change. Oftentimes, the new vendor will also update the extension’s permissions, allowing it to access, read, and modify files on the user’s system and more, as noted in image 1. Some threat actors use the extension to inject code into the system’s browser to facilitate malvertising and search engine optimization (SEO) fraud, which leads into the second stage of their operation.
Image 1
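The permission change described above is something a defender can check for directly: an extension that suddenly asks for broad host access or powerful APIs after an ownership change is a strong signal. The following script is an added example for this advisory, not NJCCIC code. It compares two versions of an extension's manifest.json (Chromium Manifest V3 layout assumed) and reports newly added permissions, singling out high-risk ones; the risk list and the two sample manifests are constructed for illustration, and the "PDF Helper" extension is hypothetical.

```python
"""Flag risky permission additions between two versions of a browser
extension's manifest.json (Chromium Manifest V3 layout assumed).

Added example for this advisory; not NJCCIC's code. The sample manifests
below are constructed for illustration.
"""
import json

# Permissions that let an extension read or modify what the user sees,
# intercept traffic, or reach the local system. Treated as high risk here
# (an assumption of this example, not an official Chrome classification).
HIGH_RISK_PERMISSIONS = {
    "tabs", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "scripting", "cookies", "history", "downloads", "nativeMessaging",
    "clipboardRead", "management", "debugger", "<all_urls>",
}


def is_broad_host(pattern: str) -> bool:
    """True for host patterns that match every site."""
    return pattern == "<all_urls>" or pattern.startswith(
        ("*://*/", "http://*/", "https://*/"))


def collect_permissions(manifest: dict) -> set:
    """Return every permission and host pattern the manifest requests.
    MV3 splits API permissions and host permissions; MV2 mixes them."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    # A content script injected into every page is equivalent to <all_urls>.
    for cs in manifest.get("content_scripts", []):
        if any(is_broad_host(p) for p in cs.get("matches", [])):
            perms.add("<all_urls>")
    return perms


def permission_escalations(old_manifest: dict, new_manifest: dict) -> dict:
    """Compare two manifest versions and report newly added permissions,
    separating high-risk ones so the ownership-change pattern stands out."""
    old = collect_permissions(old_manifest)
    new = collect_permissions(new_manifest)
    added = new - old
    risky = {p for p in added if p in HIGH_RISK_PERMISSIONS or is_broad_host(p)}
    return {
        "added": sorted(added),
        "high_risk_added": sorted(risky),
        "version_change": (old_manifest.get("version"), new_manifest.get("version")),
    }


# Constructed sample: a benign PDF helper extension before and after a
# hypothetical ownership change. Both manifests are invented for this example.
OLD_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "PDF Helper", "version": "1.4.0",
  "permissions": ["storage", "activeTab"],
  "host_permissions": ["https://example-pdf-tool.invalid/*"]
}""")
NEW_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "PDF Helper", "version": "1.5.0",
  "permissions": ["storage", "activeTab", "tabs", "scripting", "cookies"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]
}""")

if __name__ == "__main__":
    report = permission_escalations(OLD_MANIFEST, NEW_MANIFEST)
    print(json.dumps(report, indent=2))
```

In practice the "old" manifest would come from a baseline captured at approval time (or from an enterprise extension allowlist) and the "new" one from the installed extension folder in the browser profile; any non-empty `high_risk_added` list for an extension whose vendor has changed should trigger a review rather than an automatic allow.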
If threat actors can manipulate the search results and online advertisements that users see, they can push users to initiate malicious downloads. For example, the NJCCIC’s security operations center (SOC) team noted that malicious software known as pdfconverters[.]exe is often obtained by users searching for free worksheets, calendars, and more. While this program can convert documents, its real function is that of a RedLine infostealer. Screenshots of the site and associated URLs advertising this download are shown in images 2 and 3.
Image 2
Image 3
Users who navigate to the sites advertising malicious downloads are often redirected there by other sites. Image 4 shows how a user is referred to these sites by malvertisements (column 3).
Image 4
Once pdfconverters[.]exe is downloaded and run, the threat actors exfiltrate information to command and control (C2) domains through WebView2, which operates in a window that is hidden from the user. A screenshot of the WebView2 history in image 5 shows those domains being contacted; however, this activity was not visible in the user’s regular browsing history.
Image 5
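Because WebView2 keeps its own Chromium-style profile rather than writing to the user's browser history, an investigator has to look in the embedding application's user data folder to recover the C2 contacts shown in image 5. The script below is an added forensic example for this advisory, not NJCCIC tooling. It assumes the WebView2 runtime stores a Chromium-format `History` SQLite file with a `urls` table, and that the default user data folder sits next to the application as `<app>.exe.WebView2\EBWebView\Default` (some applications set a different location, so the path pattern is an assumption); the `pdfconverters.exe.WebView2` folder name and all hostnames in the sample database are constructed placeholders.

```python
"""Recover hosts contacted through an embedded WebView2 control by reading
its Chromium-format History database, which lives in the application's own
user data folder rather than in the user's browser profile.

Added example for this advisory, not NJCCIC's tooling. Assumptions: the
WebView2 runtime keeps a Chromium 'History' SQLite file with a 'urls' table
(url, title, visit_count, last_visit_time); the folder layout checked in
find_webview2_history() is the assumed default '<app>.exe.WebView2\\EBWebView\\Default'
pattern, which an application may override. All sample rows are constructed.
"""
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from urllib.parse import urlparse

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(micros: int) -> datetime:
    """Chromium stores timestamps as microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=micros)


def find_webview2_history(app_dir: str) -> list:
    """List candidate History files next to an application that embeds
    WebView2 (assumed default folder layout, see module docstring)."""
    hits = []
    for entry in os.listdir(app_dir):
        if entry.lower().endswith(".webview2"):
            candidate = os.path.join(app_dir, entry, "EBWebView", "Default", "History")
            if os.path.isfile(candidate):
                hits.append(candidate)
    return hits


def extract_visited_hosts(history_path: str) -> dict:
    """Aggregate visit counts and last-seen time per host from a Chromium
    History DB. Opened read-only so a live evidence file is not modified."""
    uri = f"{Path(history_path).resolve().as_uri()}?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT url, visit_count, last_visit_time FROM urls").fetchall()
    finally:
        con.close()
    hosts = {}
    for url, count, last in rows:
        host = urlparse(url).hostname
        if not host:
            continue
        rec = hosts.setdefault(host, {"visits": 0, "last_visit": None})
        rec["visits"] += count
        ts = webkit_to_datetime(last)
        if rec["last_visit"] is None or ts > rec["last_visit"]:
            rec["last_visit"] = ts
    return hosts


def build_sample_history(path: str) -> None:
    """Create a minimal Chromium-style History DB with constructed rows
    that mimic an embedded control beaconing to C2-like placeholder hosts."""
    con = sqlite3.connect(path)
    con.execute("""CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT,
        title TEXT, visit_count INTEGER, typed_count INTEGER,
        last_visit_time INTEGER, hidden INTEGER)""")
    base = int((datetime(2024, 1, 15, tzinfo=timezone.utc) - WEBKIT_EPOCH)
               / timedelta(microseconds=1))
    rows = [  # constructed placeholder hostnames, not real IOCs
        ("https://c2-placeholder-one.invalid/gate", "", 7, 0, base, 0),
        ("https://c2-placeholder-one.invalid/upload", "", 3, 0, base + 60_000_000, 0),
        ("https://c2-placeholder-two.invalid/", "", 1, 0, base, 0),
    ]
    con.executemany(
        "INSERT INTO urls (url,title,visit_count,typed_count,last_visit_time,hidden) "
        "VALUES (?,?,?,?,?,?)", rows)
    con.commit()
    con.close()


def run_demo() -> dict:
    """Lay out a temporary app folder in the assumed WebView2 default
    structure (constructed name), then locate and parse its History file."""
    with tempfile.TemporaryDirectory() as app_dir:
        profile = os.path.join(app_dir, "pdfconverters.exe.WebView2", "EBWebView", "Default")
        os.makedirs(profile)
        build_sample_history(os.path.join(profile, "History"))
        found = find_webview2_history(app_dir)
        return {"found": len(found), "hosts": extract_visited_hosts(found[0])}


if __name__ == "__main__":
    for host, rec in run_demo()["hosts"].items():
        print(f"{host}: {rec['visits']} visits, last {rec['last_visit']:%Y-%m-%d %H:%M:%S}")
```

On a live host, copy the `History` file (and its `-journal`/`-wal` companions, if present) before parsing so the runtime's lock does not interfere, and compare the hosts it yields against the user's normal browser history: domains that appear only in the embedded profile are the ones the user never saw.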
Once the infostealer has been installed on the user’s device, it can gather sensitive information, including data, files, and images on the device, browsing history, account passwords, and more. Image 6 shows an example of the browser information that would be viewable by the threat actors, who could easily decrypt the passwords associated with the noted websites.
Image 6
For technical analysis and IOCs, please continue reading…