Thousands of Google Chrome browsers are at risk from this damaging attack

Image Credit: TechRadar (Image credit: Future)

Cybersecurity researchers have spotted a new malicious campaign that hijacks web browsers to steal sensitive data.

A report from ReasonLabs outlined how the campaign has so far hit around 300,000 Google Chrome and Microsoft Edge users by creating websites offering fake software for free, including the likes of Roblox FPS Unlocker, YouTube, VLC media player, Steam, or KeePass.

Victims who navigate to these websites and download the fake software instead get a trojan malware that’s been around since 2021. The malware installs add-ons and extensions that hijack search engines, and more.

Feature Flighting

"The trojan malware contains different deliverables ranging from simple adware extensions that hijack searches to more sophisticated malicious scripts that deliver local extensions to steal private data and execute various commands," the researchers explained. "This trojan malware, existing since 2021, originates from imitations of download websites with add-ons to online games and videos."

In some cases, the extensions change the browser’s default search engine to a different one, likely where the threat actors can benefit from ad serving, or through which they can deploy more damaging malware. The researchers also added that removing the add-ons is a bit challenging.

"The extension cannot be disabled by the user, even with Developer Mode 'ON,'" ReasonLabs said. "Newer versions of the script remove browser updates."

To remove the malware, users should delete the scheduled tasks that reactivate the malware, remove Registry entries, and delete these files and folders, The Hacker News reports:

C:\Windows\system32\Privacyblockerwindows.ps1
C:\Windows\system32\Windowsupdater1.ps1
C:\Windows\system32\WindowsUpdater1Script.ps1
C:\Windows\system32\Optimizerwindows.ps1
C:\Windows\system32\Printworkflowservice.ps1
C:\Windows\system32\NvWinSearchOptimizer.ps1 - 2024 version
C:\Windows\system32\kondserp_optimizer.ps1 - May 2024 version
C:\Windows\InternalKernelGrid
C:\Windows\InternalKernelGrid3
C:\Windows\InternalKernelGrid4
C:\Windows\ShellServiceLog
C:\windows\privacyprotectorlog
C:\Windows\NvOptimizerLog

More from TechRadar Pro

If you're one of the millions who installed these malicious Google Chrome extensions, delete them now
Here's a list of the best firewalls today
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.