Hackers are employing malicious browser extensions to infect Google Chrome and Microsoft Edge with hazardous malware, which can steal your personal information and expose your computer to further assaults.
According to The Hacker News, this recently found malware campaign has been active since 2021, affecting at least 300,000 Chrome and Edge users.
What makes this malware particularly harmful is its ability to stay on compromised computers. This implies that even if you delete the harmful extension, the infection will revive when you restart your computer.
Here is all you need to know about this malware campaign, including how to permanently delete the harmful extension used in it.
Using malvertising to push fake sites
Like other malware campaigns, this one use malvertising to dupe naïve users into downloading and installing dangerous software.
The hackers behind it have constructed lookalike websites that spoof popular applications and services such as Roblox FPS Unlocker, YouTube, VLC video player, Steam, and Keepass. Potential victims believe they are getting legal software or extensions, but they are actually downloading a trojan that installs the dangerous extensions utilized by this infection.
check also : Xiaomi HyperOS 2.0
The digitally signed malicious installers employed in this operation create a scheduled task on vulnerable PCs, which then runs a PowerShell script to download and execute the next-stage payload from a hacker-controlled remote server.
As part of the next-stage payload, the malware alters an infected PC’s Windows Registry to force the installation of Chrome and Edge extensions, which are utilized for ad fraud by hijacking Google and Bing web searches and sending them through the hackers’ servers. To make matters worse, newer variants of this virus can prevent browser updates from being installed, leaving victims at danger of more attacks.
Fortunately, there is a fix but it does take some technical know how.
How to remove this malware from your PC for good
ReasonLabs’ blog post revealing the findings of its security researchers provides additional information on how to properly remove this virus and the malicious extensions utilized in this campaign from your computer.
First and foremost, remove the scheduled task from your computer. This is done by going to the Start Menu or using the Windows key on your keyboard and looking for Task Scheduler.
Once Task Scheduler is launched, click on the Task Scheduler Library to view all of the tasks on your computer. While the task name used by this virus fluctuates, you can recognize it by clicking on tasks, opening them, and then selecting Actions. You may view the Details of Actions in the table below, and you should look for a route to “c:\windows\system32” as well as a PowerShell script or a file ending in “.ps1”. According to ReasonLabs, the task name is often close to the PowerShell script name. Once you’ve identified the rogue task, right-click on its name and select Delete.
Following that, remove the registry keys that are causing the malicious extensions to appear in your browser. This is more complex, but you may access the Registry Editor in the same way you did with the Task Scheduler. Keep in mind, however, that you should not tinker with your computer’s registry unless you are certain you know what you’re doing. When in doubt, ask a friend for assistance or take your computer to a specialist.
With the Registry Editor opened, you need to go to “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist”. In the right pane here, there will be a list of extensions with a numerical value as “Name” and Extension ID as “Data”. Then right click on the name and then click Delete. You also have to do this for this registry key as well: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallForcelist.”
As this malware affects both Chrome and Edge, you will need to repeat the same process for the Edge extensions at this path: “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist”.
While you may delete the infected files manually, you’re much better off letting one of the finest antivirus software solutions handle it for you. If you prefer to do it manually, instructions can be found at the conclusion of the ReasonLabs blog page linked above.
Going through the process of deleting these fraudulent extensions malicious browser and the malware they’ve installed on your computer will probably be enough to make you reconsider downloading new software or browser extensions from untrustworthy sites. If you want to download a new extension, do it using the Chrome Web Store or the Microsoft Edge Add-on Store.
