ParaSiteSnatcher: Malicious Chrome Extension Targets Latin American Users

Trend Micro has uncovered a malicious Chrome extension named ParaSiteSnatcher, primarily targeting users in Latin America, specifically in Brazil. This extension empowers malefactors to track, manipulate, and purloin sensitive information from various sources, encompassing financial data and banking account details.

It is noted that beyond Google Chrome, the extension can function in other Chromium-based browsers, including newer versions of Microsoft Edge, Brave, and Opera. ParaSiteSnatcher could also potentially be compatible with Firefox and Safari, but this requires modifications to its source code to adapt it for these browsers.

A diagram showing how the different components of the ParaSiteSnatcher Chrome extension communicate. | Image: Trend Micro

According to a Trend Micro report, the ParaSiteSnatcher extension exploits the Chrome browser’s API to intercept and exfiltrate all POST requests containing confidential information, before the initiation of a TCP connection. Particularly vulnerable are data related to Brazil’s major banks, Banco do Brasil and Caixa Econômica Federal, as well as transactions in the local instant payment system PIX and payments through Boleto Bancario. The theft of Brazilian taxpayer IDs and cookie files, including those used for Microsoft accounts, has also been detected.

ParaSiteSnatcher is disseminated via a VBScript loader hosted on Dropbox and Google Cloud. Three variants of the loader have been identified, each varying in the level of obfuscation and complexity:

• Variant 1. This variant presents a straightforward approach where the payload is not obfuscated, making it relatively easier to analyze and understand.
• Variant 2. In this iteration, critical strings within the payload are obfuscated using a Reverse String technique. This adds a layer of complexity to the code, requiring a reverse operation to decipher the original content.
• Variant 3. This variant incorporates additional obfuscation techniques. It includes junk code that serves to confuse the analysis process, anti-debug, and anti-tamper protections, alongside the use of randomly generated names for variables and functions to prevent easy pattern detection. It also utilizes Reverse String obfuscation to further conceal the payload, presenting a more challenging structure for analysts to decipher.

For establishing communication with a Command and Control (C2) server, the malicious software sends a GET request to hxxps[:]//storage.googleapis[.]com/98jk3m5azb/-. The server’s response is an obfuscated list of URLs, which is then deobfuscated through a series of string manipulations, restoring the string to its original order and replacing certain symbols with their correct counterparts to reconstruct the URL.

The deployment of malicious Google Chrome extensions using the Chrome API in ways specifically designed for intercepting, extracting, and potentially altering confidential data underscores the importance of vigilance when installing extensions and using web browsers.

ParaSiteSnatcher’s multifaceted approach to concealing its infiltration into victims’ systems also ensures persistence and stealth, complicating detection and removal. Therefore, users should be especially cautious about the specific extensions they download and install in their browsers.