This month focuses on a campaign exploiting vulnerable Chrome browser extensions to steal user credentials, SpyLoan malware affecting over 8 million Android users, and the rise of Lumma Stealer.
Millions of User Data Stolen in New Campaign Targeting Vulnerable Chrome Extensions
Cybersecurity experts are warning about a new cyberattack vector involving counterfeit CAPTCHA tests designed to distribute malware on Windows devices.
Summary
- A widespread attack campaign compromised at least 35 Chrome browser extensions, exposing over 2.6 million users to data theft and credential exposure.
- Threat actors targeted publishers via phishing emails that mimicked Chrome Web Store Developer Support. The emails urged recipients to click malicious links in the guise of avoiding policy violations.
- Threat actors used permissions granted by victims to inject malicious code into legitimate extensions, enabling them to steal cookies, access tokens, and other sensitive data.
- Cybersecurity firm Cyberhaven revealed that its browser extension was compromised on December 24, with attackers injecting malicious code to communicate with a command-and-control (C&C) server.
- Extensions such as “GPT 4 Summary with OpenAI,” “ChatGPT for Google Meet,” “Reader Mode,” and “Rewards Search Automator” were among those identified as compromised.
- Evidence suggests the campaign may have been active since April 2023, with domains linked to the attacks registered as far back as 2021.
- Analysis showed the malicious Cyberhaven extension focused on identity data and access tokens of Facebook Ads users, possibly to bypass security measures like two-factor authentication.
- Malicious extensions included functionality to capture user interactions (e.g., mouse clicks) and search for QR codes, enabling the theft of sensitive data.
- Some compromised extensions contained data-exfiltrating code included by developers themselves as part of monetization SDKs, such as Urban VPN’s “ad-blocking library.”
- While some malicious extensions were removed or updated, compromised versions still active on user devices can continue to exfiltrate data, highlighting the risks of browser extension security.
- Read more about the campaign here.
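The campaign above relied on permissions users had already granted (cookies, tokens, access to every site) plus persistent background code. The following added example, not part of the original newsletter or of Cyberhaven's tooling, audits unpacked Chrome extension manifests for exactly that combination so that still-installed compromised versions (see the last bullet) can be found and reviewed by hand; the extension directory layout and the sample manifest are assumptions/constructed.

```python
import json
from pathlib import Path

# Permissions that let an extension read cookies, tokens and page content:
# the capability the injected code in this campaign depended on.
HIGH_RISK_PERMISSIONS = {"cookies", "webRequest", "scripting", "tabs", "<all_urls>"}

def broad_hosts(patterns):
    """Return host patterns that grant access to every (http/https) site."""
    return [p for p in patterns if p in ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")]

def assess_manifest(manifest: dict) -> dict:
    """Score one extension manifest and return the findings a reviewer wants."""
    perms = set(manifest.get("permissions", []))
    hosts = list(manifest.get("host_permissions", []))          # Manifest V3
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]  # Manifest V2 style
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    broad = broad_hosts(hosts)
    # Background pages / service workers run persistently: where injected exfiltration code lives
    has_background = bool(manifest.get("background"))
    return {
        "name": manifest.get("name", "?"),          # Web Store builds may show "__MSG_appName__"
        "version": manifest.get("version", "?"),    # compare against the vendor's fixed version
        "risky_permissions": risky,
        "broad_host_access": broad,
        "has_background": has_background,
        # Sensitive permissions on every site is the pattern worth a manual review
        "needs_review": bool(risky) and bool(broad),
    }

def audit_extension_dirs(root: Path) -> list:
    """Walk a Chrome profile's Extensions dir (assumed layout: <root>/<id>/<version>/manifest.json)."""
    results = []
    for manifest_path in root.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip rather than abort the audit
        finding = assess_manifest(manifest)
        finding["extension_id"] = manifest_path.parts[-3]
        results.append(finding)
    return results

# Constructed sample manifest (not from any real extension) showing the risky pattern
SAMPLE_MANIFEST = {
    "name": "Example Summarizer", "version": "1.2.3", "manifest_version": 3,
    "permissions": ["cookies", "storage", "tabs"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
}

if __name__ == "__main__":
    print(json.dumps(assess_manifest(SAMPLE_MANIFEST), indent=2))
```

Point `audit_extension_dirs` at a profile's `Extensions` folder to list every installed extension with its version and whether it merits review.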
SpyLoan Malware Affects over 8 Million Android Users
Security researchers identified over a dozen malicious Android apps containing malware known as SpyLoan; the apps have been collectively downloaded over 8 million times from the Google Play Store.
Summary
- Over a dozen Android apps on the Google Play Store, downloaded more than 8 million times, were found to contain malware known as SpyLoan, which targets users for extortion, harassment, and financial fraud.
- The apps used deceptive practices, offering quick loans with minimal requirements, to trick users into providing sensitive information and granting excessive permissions.
- The apps targeted users in various countries, including Mexico, Colombia, Senegal, Thailand, Indonesia, Vietnam, Tanzania, Peru, and Chile.
- Notable apps include Préstamo Seguro-Rápido, seguro, RupiahKilat-Dana cair, and RapidFinance. While some have been removed from the Play Store, others remain active after minor policy adjustments.
- SpyLoan has been active since 2020, previously linked to high-interest loan schemes that secretly collected personal and financial data to coerce users into repayment at inflated rates.
- The apps requested access to sensitive data such as camera, call logs, contact lists, location, and SMS messages under the guise of anti-fraud measures.
- User data, including ID documents, bank accounts, and employment information, was encrypted with AES-128 and exfiltrated to a command-and-control (C2) server.
- Instead of offering genuine financial aid, the apps pushed users into a cycle of debt, leveraging stolen personal information for intimidation and extortion.
- The apps shared a unified codebase and modular design, suggesting either a single developer or a sold framework enabling cybercriminals to tailor malicious apps for specific markets.
- To protect against such apps, users are advised to review app permissions, check app reviews, verify developer legitimacy, and exercise caution when downloading financial apps from unofficial sources.
- Read more about it here.
The Rise of Lumma Stealer Malware
Lumma Stealer is an emerging information-stealing malware distributed via Telegram channels, leveraging the platform’s popularity to reach unsuspecting users.
Summary
- Telegram channels like https://t.me/hitbase (42k subscribers) and https://t.me/sharmamod (8.66k subscribers) distribute malware disguised as software cracks. These channels cross-promote each other’s content.
- Lumma Stealer is detected as Trojan:Win/Lummastealer.SD; India, the USA, and Europe are the most affected regions.
- Malicious archives such as “CCleaner 2024.rar” contain malicious Microsoft DLL files and executables that decrypt and execute further payloads compiled with .NET and VC++.
- Lumma Stealer employs process injection techniques targeting legitimate programs like RegAsm.exe to execute malicious code, bypassing detection mechanisms.
- Decrypted payloads extract sensitive information like browser data, cryptocurrency wallets, and system details. Exfiltration occurs via Command and Control (C2) domains, such as marshal-zhukov.com.
- A secondary payload hijacks clipboard content by replacing cryptocurrency wallet addresses using regex patterns, redirecting transactions to the attacker.
- The malware uses Base64 encoding and decryption to communicate with multiple domains (e.g., snarlypagowo.site), extract Steam account details, and connect to the attacker’s server for additional payload delivery.
- Specific file hashes and malicious files disguised as legitimate software (e.g., “ChatGPT-5 Version 2024.rar”) are identified as indicators of compromise.
- CcHUB recommends robust antivirus solutions with real-time monitoring, behavioral analysis, and regular updates to counter rapidly evolving tactics, techniques, and procedures (TTPs) employed by malware like Lumma Stealer.
- Read more about it here.
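The clipboard-hijacking payload described above swaps a copied wallet address for the attacker's. As an added illustration (not code from the original article or from McAfee), the detection logic below flags the behavioural signature a monitor can look for: a wallet-shaped clipboard value replaced by a different address of the same kind within a second of being copied. The address regexes are approximations and the clipboard history is constructed; hooking a real clipboard is platform-specific and left out.

```python
import re
from dataclasses import dataclass

# Address shapes a clipper typically rewrites; adequate for detection, not for validation
WALLET_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[a-fA-F0-9]{40}$"),
}
SWAP_WINDOW_SECONDS = 1.0  # clippers rewrite the clipboard right after the copy, not later

@dataclass(frozen=True)
class ClipEvent:
    ts: float   # seconds since the monitor started
    text: str   # clipboard contents observed at ts

def classify(text: str):
    """Return which wallet kind a clipboard value looks like, or None."""
    value = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(value):
            return kind
    return None

def detect_swaps(events):
    """Flag an address replaced by a different address of the same kind inside the window."""
    findings = []
    for prev, cur in zip(events, events[1:]):
        kind = classify(prev.text)
        if kind is None or kind != classify(cur.text):
            continue  # not a wallet, or a different coin: a user copying two things
        if prev.text.strip() != cur.text.strip() and cur.ts - prev.ts <= SWAP_WINDOW_SECONDS:
            findings.append({"kind": kind, "ts": cur.ts,
                             "copied": prev.text.strip(), "replaced_with": cur.text.strip()})
    return findings

# Constructed clipboard history: an ETH address is silently rewritten 0.2 s after
# being copied; a BTC address copied much later is left alone and must not be flagged
SAMPLE_EVENTS = [
    ClipEvent(0.0, "meeting notes"),
    ClipEvent(5.0, "0x" + "a1" * 20),
    ClipEvent(5.2, "0x" + "b2" * 20),
    ClipEvent(40.0, "1" + "Ab3" * 11),
]

if __name__ == "__main__":
    for f in detect_swaps(SAMPLE_EVENTS):
        print(f"{f['kind']} address swapped at t={f['ts']}s: {f['copied']} -> {f['replaced_with']}")
```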
Sources
- https://www.thinscale.com/spyloan-malware-affects-8-million-android-customers/
- https://thehackernews.com/2024/12/16-chrome-extensions-hacked-exposing.html
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lumma-stealer-on-the-rise-how-telegram-channels-are-fueling-malware-proliferation/