Researchers have found that a new, improved version of the Razy malware is targeting victims as they browse the web.
For those unfamiliar with it, Razy is a Windows trojan that combines several techniques to steal cryptocurrency and defraud its victims.
It hijacks browser extensions in order to serve a wide array of online scams to unsuspecting victims.
It mostly affects Google Chrome, Mozilla Firefox, and Yandex Browser users.
During analysis, researchers found that the malware executable spreads in two ways: through malicious online advertisements, and by posing as legitimate free software on file-hosting services.
Once one of these lures gets the file downloaded and executed, Razy disables the integrity check for installed browser extensions and blocks automatic updates of the targeted browser; it then installs a malicious browser extension.
That extension can then search web pages for the victim's cryptocurrency wallet addresses and replace them with the attacker's wallet details. It can also spoof the QR-code images that exchanges display for wallet addresses (a convenience for transfers from mobile wallets) so that they point to the attacker's wallets instead.
It gets worse: the injected script (main.js, described below) can also modify the web pages of the EXMO and YoBit cryptocurrency exchanges to show the user fake messages about "new features" on those exchanges and offers to sell cryptocurrency at above-market rates.
Remember that anything can be hacked. To stay clear of threats like this one, we recommend installing an antivirus for Windows or an antivirus for Mac on every device you own, depending on its operating system. Companies should also engage a specialised cybersecurity firm every year to test the corporate network; such tests include penetration testing and ethical hacking.
Besides stealing the victim's cryptocurrency, Razy also deliberately shows malicious ads on popular sites.
For example, when a victim visits Wikipedia, the malware adds a banner asking for donations to support the online encyclopedia; the banner carries the attackers' wallet addresses and bank details.
It also hits Telegram.org users: every time someone visits the app's site, they see an offer to buy Telegram tokens at an incredibly low price.
Experts say the ingenious Razy has a different infection scenario for each browser.
For Firefox, the trojan installs a malicious browser extension called Firefox Protection.
For Yandex Browser and Chrome, Razy edits the browser's library file (browser.dll for Yandex Browser, chrome.dll for Chrome) to disable the extension integrity check. It renames the original file (appending an underscore, i.e. browser.dll_ or chrome.dll_) and leaves it in the same folder. It then installs an extension called Yandex Protect in Yandex Browser; in Chrome, it instead infects existing legitimate extensions.
The core of the infection is the main.js script: the trojan injects it into the extension, and the extension calls it on every page the victim visits.
We will continue to monitor this threat. Meanwhile, users should stay alert for any sign of compromise and follow the protection advice given above.