Intel Wrap – December

This month focuses on a campaign exploiting vulnerable Chrome browser extensions to steal user credentials, the SpyLoan malware affecting over 8 million Android users, and the rise of Lumma Stealer.

Millions of Users' Data Stolen in New Campaign Targeting Vulnerable Chrome Extensions

Cybersecurity experts are warning about a new cyberattack vector involving counterfeit CAPTCHA tests designed to distribute malware on Windows devices.

Summary

  • A widespread attack campaign compromised at least 35 Chrome browser extensions, exposing over 2.6 million users to data theft and credential exposure.
  • Threat actors targeted publishers via phishing emails that mimicked Chrome Web Store Developer Support. The emails urged recipients to click malicious links in the guise of avoiding policy violations.
  • Threat actors used permissions granted by victims to inject malicious code into legitimate extensions, enabling them to steal cookies, access tokens, and other sensitive data.
  • Cybersecurity firm Cyberhaven revealed that its browser extension was compromised on December 24, with attackers injecting malicious code to communicate with a command-and-control (C&C) server.
  • Extensions such as “GPT 4 Summary with OpenAI,” “ChatGPT for Google Meet,” “Reader Mode,” and “Rewards Search Automator” were among those identified as compromised.
  • Evidence suggests the campaign may have been active since April 2023, with domains linked to the attacks registered as far back as 2021.
  • Analysis showed the malicious Cyberhaven extension focused on identity data and access tokens of Facebook Ads users, possibly to bypass security measures like two-factor authentication.
  • Malicious extensions included functionality to capture user interactions (e.g., mouse clicks) and search for QR codes, enabling the theft of sensitive data.
  • Some compromised extensions contained data-exfiltrating code included by developers themselves as part of monetization SDKs, such as Urban VPN’s “ad-blocking library.”
  • While some malicious extensions were removed or updated, compromised versions still active on user devices can continue to exfiltrate data, highlighting the risks of browser extension security.
  • Read more about the campaign here.
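The bulletin notes that extensions carrying `cookies` and broad host permissions were abused to steal session cookies and tokens, so an inventory of what installed extensions may access is a practical follow-up. The audit below is added here as an example and is not code from the bulletin or from any vendor; the sample manifest is constructed, the Chrome profile layout is taken from the Linux default, and matching on the extension names quoted in the report is only a coarse assumption (the report gives no extension IDs or affected version numbers, which should come from the vendor advisory).

```python
import json
import os
import re

# Constructed sample manifest (not a real extension). The cookies permission
# plus <all_urls> host access is the combination the campaign abused.
SAMPLE_MANIFEST = json.loads("""{
  "name": "Reader Mode",
  "version": "1.2.3",
  "manifest_version": 3,
  "permissions": ["cookies", "storage", "tabs", "webRequest"],
  "host_permissions": ["<all_urls>"]
}""")

# Names quoted in the report; a name match is a prompt to check the vendor
# advisory for the real extension ID and affected versions, not a verdict.
REPORTED_COMPROMISED = {
    "GPT 4 Summary with OpenAI", "ChatGPT for Google Meet",
    "Reader Mode", "Rewards Search Automator",
}

# Permissions that expose session cookies, tokens or page content.
RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "tabs",
                     "scripting", "clipboardRead", "identity"}
BROAD_HOST = re.compile(r"^(<all_urls>|(\*|https?)://\*/\*)$")


def audit_manifest(manifest: dict) -> dict:
    """Summarise the risk-relevant facts in one extension manifest."""
    perms = set(manifest.get("permissions", []))
    # Manifest V2 lists host match patterns inside "permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    return {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
        "broad_host_access": sorted(h for h in hosts if BROAD_HOST.match(h)),
        "name_in_report": manifest.get("name") in REPORTED_COMPROMISED,
    }


def audit_profile(extensions_dir: str) -> list:
    """Audit every Extensions/<id>/<version>/manifest.json under a Chrome profile
    (assumed Linux layout: ~/.config/google-chrome/Default/Extensions)."""
    findings = []
    for ext_id in sorted(os.listdir(extensions_dir)):
        for version in sorted(os.listdir(os.path.join(extensions_dir, ext_id))):
            path = os.path.join(extensions_dir, ext_id, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as fh:
                    findings.append({"id": ext_id, **audit_manifest(json.load(fh))})
    return findings
```

Localised extensions report their name as a `__MSG_*__` key, so the name match in `audit_profile` output is best-effort; the permission findings do not depend on it.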

SpyLoan Malware Affects over 8 Million Android Users

Security researchers identified over a dozen malicious Android apps containing malware known as SpyLoan; together the apps have been downloaded more than 8 million times from the Google Play Store.

Summary

  • Over a dozen Android apps on the Google Play Store, downloaded more than 8 million times, were found to contain malware known as SpyLoan, which targets users for extortion, harassment, and financial fraud.
  • The apps used deceptive practices, offering quick loans with minimal requirements, to trick users into providing sensitive information and granting excessive permissions.
  • The apps targeted users in various countries, including Mexico, Colombia, Senegal, Thailand, Indonesia, Vietnam, Tanzania, Peru, and Chile.
  • Notable apps include Préstamo Seguro-Rápido, seguro, RupiahKilat-Dana cair, and RapidFinance. While some have been removed from the Play Store, others remain active after minor policy adjustments.
  • SpyLoan has been active since 2020, previously linked to high-interest loan schemes that secretly collected personal and financial data to coerce users into repayment at inflated rates.
  • The apps requested access to sensitive data such as camera, call logs, contact lists, location, and SMS messages under the guise of anti-fraud measures.
  • User data, including ID documents, bank accounts, and employment information, was encrypted with AES-128 and exfiltrated to a command-and-control (C2) server.
  • Instead of offering genuine financial aid, the apps pushed users into a cycle of debt, leveraging stolen personal information for intimidation and extortion.
  • The apps shared a unified codebase and modular design, suggesting either a single developer or a sold framework enabling cybercriminals to tailor malicious apps for specific markets.
  • To protect against such apps, users are advised to review app permissions, check app reviews, verify developer legitimacy, and exercise caution when downloading financial apps from unofficial sources.
  • Read more about it here.

The Rise of Lumma Stealer Malware

Lumma Stealer is an emerging information-stealing malware distributed via Telegram channels, leveraging the platform’s popularity to reach unsuspecting users. 

Summary

  • Telegram channels like https://t.me/hitbase (42k subscribers) and https://t.me/sharmamod (8.66k subscribers) distribute malware disguised as software cracks. These channels cross-promote each other’s content.
  • Lumma Stealer is detected as [Trojan:Win/Lummastealer.SD], with India, the USA, and Europe identified as the most affected regions.
  • Malware such as “CCleaner 2024.rar” contains malicious Microsoft DLL files and executables. These files decrypt and execute further payloads using .NET and VC++ compiled files.
  • Lumma Stealer employs process injection techniques targeting legitimate programs like RegAsm.exe to execute malicious code, bypassing detection mechanisms.
  • Decrypted payloads extract sensitive information like browser data, cryptocurrency wallets, and system details. Exfiltration occurs via Command and Control (C2) domains, such as marshal-zhukov.com.
  • A secondary payload hijacks clipboard content by replacing cryptocurrency wallet addresses using regex patterns, redirecting transactions to the attacker.
  • The malware uses Base64 encoding and decryption to communicate with multiple domains (e.g., snarlypagowo.site), extract Steam account details, and connect to the attacker’s server for additional payload delivery.
  • Specific file hashes and malicious files disguised as legitimate software (e.g., “ChatGPT-5 Version 2024.rar”) are identified as indicators of compromise.
  • CcHUB recommends robust antivirus solutions with real-time monitoring, behavioral analysis, and regular updates to counter rapidly evolving tactics, techniques, and procedures (TTPs) employed by malware like Lumma Stealer.
  • Read more about it here.
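The clipboard-hijacking payload described above leaves a characteristic trace: a wallet address the user copied is replaced, within milliseconds, by a different address of the same type. The monitor below is added here as an example (not code from the report) and flags exactly that pattern over polled clipboard samples; the samples are constructed, and the address shapes and the 2-second window are assumptions for illustration.

```python
import re

# Address shapes a clipper typically swaps; used here only to classify
# clipboard content so a swap between two addresses of one type stands out.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_type(text: str):
    """Return 'btc', 'eth' or None for one clipboard value."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None


def detect_substitutions(samples, window: float = 2.0) -> list:
    """samples: (seconds, clipboard_text) tuples from polling the clipboard.

    Flags a change from one wallet address to a different address of the same
    type within `window` seconds of the first address appearing. A user
    re-copying an address takes seconds; a clipper overwrites it immediately."""
    alerts = []
    current, since = None, None
    for t, text in samples:
        if current is None:
            current, since = text, t
            continue
        if text == current:
            continue
        before, after = address_type(current), address_type(text)
        if before is not None and before == after and t - since <= window:
            alerts.append({"time": t, "type": before,
                           "copied": current, "replaced_with": text})
        current, since = text, t
    return alerts


# Constructed polling trace: a BTC address copied at t=1.0 is swapped 100 ms
# later (clipper behaviour); the ETH change at t=15.0 is a normal user copy.
SAMPLE_POLL = [
    (0.0, "meeting notes"), (0.5, "meeting notes"),
    (1.0, "bc1q" + "a" * 38), (1.1, "bc1q" + "z" * 38), (5.0, "bc1q" + "z" * 38),
    (9.0, "0x" + "ab" * 20), (15.0, "0x" + "cd" * 20),
]

if __name__ == "__main__":
    for alert in detect_substitutions(SAMPLE_POLL):
        print(f"clipper suspected at t={alert['time']}: {alert['copied']} -> {alert['replaced_with']}")
```

In a live monitor, `samples` would come from a clipboard poller running at roughly 100 ms intervals; any alert is a prompt to look for the injected process the report mentions (e.g. an unexpected RegAsm.exe) rather than a verdict on its own.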

Sources