Experts at TrendMicro detected a new click fraud campaign based on a malware able to bypass the Chrome Extension Security Feature.
“We came across one particular post on Twitter that advertises “Facebook Secrets,” along with a shortened link. Clicking the link leads the user to a site that automatically downloads an .EXE file into the user’s system.
This downloaded file, download-video.exe, is actually a downloader malware, which we detect as TROJ_DLOADE.DND. This starts a chain of downloaded and dropped files into the system. In order to avoid suspicion, these files use legitimate-sounding file names like flash.exe.” states a post post.
- manifest.json – contains browser extension description (name, script to load, version, etc.)
- crx-to-exe-convert.txt– contains the script to be loaded, which can be updated anytime by connecting to a specific URL
“The site is written in Turkish and phrases such as ‘bitter words,’ ‘heavy lyrics,’ ‘meaningful lyrics,’ ‘love messages,’ and ‘love lyrics’ appear on the page. This routine could be a part of a click fraud or redirection scheme,” states TrendMicro.
(Security Affairs – Chrome extension, malware)