According to the published report by Kaspersky Lab, a security lab, a Trojan called Razy is stealing cryptocurrencies from its victims as a browser add-on. This Trojan manipulates the results of search engines of the users seeking for a wallet for their cryptocurrencies.
This malware is transferred to the victim’s system through malvertising and deceiving the user as a functional software and infects it. The attacked browsers are Mozilla Firefox, Google Chrome, and Yandex. Razy is added to the browser as an add-on and inactivates its automatic update as well as integrity checking features. For instance, Razy Trojan edits chrome.dll to inactivate integrity checking feature, and so do registry keys of the browser to inactivate automatic update feature.
According to the published reports, an add-on called Chrome Media Router is installed on Google Chrome browser, the same takes place for an add-on called Firefox protection on Firefox browser and so is Yandex Protect add-on on Yandex browser all by Trojan.
The basic activity of this malware is done via a .js script. This address code of cryptocurrency wallets replaces QR codes and web pages of cryptocurrency exchange centers with the cases controlled by the attackers.
Razy Trojan can manipulate research results showed to the user on the infected browser. For example, through showing charming services and auctions, it convinces the user to enter his/her user account, despite being just an alluring show, and accommodates the attackers the user’s password.
The following massages are frequently seen in the infected browser’s banners:
• Invest a bit now, earn a million later
• Get paid for an online survey
Besides the above cases, the user observes a banner pointing to a grant to Wikipedia when visiting Wikipedia pages while it is not from Wikipedia and gives the wallet address to the attacker.
Razy downloads and runs other .js files to increase its capabilities.
Related wallets to these hackers had 0.14 Bitcoins and 25 Ethereums at the time of this report.
Kaspersky Lab has published the following advices to avoid infection by this Trojan:
• Use safe anti-viruses; Keep them update and scan your system regularly.
• Examine your browser’s add-ons and inactivate your dubious cases.
• Download and install your functional programs only from valid sources.