HIGHLIGHTS
- The Razy Trojan was discovered by Kaspersky Lab
- It is able to spoof Google and Yandex search results
- Its main aim is to steal cryptocurrency
Kaspersky Lab has discovered a new 'Razy' Trojan which, it says, tampers with search results, attacks cryptocurrency wallets and targets browser extensions. The company found a malicious program detected as Trojan.Win32.Razy.gen in an executable file that spreads through advertising blocks on websites and is distributed via free file-hosting services under the guise of legitimate software. Its primary purpose is the theft of cryptocurrency.
Razy searches web pages for cryptocurrency wallet addresses and replaces them with the threat actor's address; swaps in fake QR-code images pointing to the attacker's wallet; modifies the web pages of cryptocurrency exchanges; and can even spoof Google and Yandex search results.
Kaspersky says the Trojan can infect extensions of Google Chrome, Mozilla Firefox and Yandex Browser, although the infection scenario differs for each browser. In Firefox, the Trojan installs an extension named 'Firefox Protection'; in Yandex Browser it installs an extension called 'Yandex Protect'; and in Chrome, Razy modifies the contents of the folder where the Chrome Media Router extension is located.
The Trojan also targets search queries related to cryptocurrencies and cryptocurrency exchanges, or simply music downloads or torrents, inserting fake links into the search results pages. Once a system is infected, the Trojan adds a banner soliciting donations to support Wikipedia whenever the user visits that site. In place of bank details, the wallet address of the cyber criminals is used; the original Wikipedia donation banner (if present) is removed. Kaspersky also noted that when users visit telegram.org, they are offered Telegram tokens at an incredibly low price.
Similarly, when users visit pages of the Russian social network Vkontakte (VK), the Trojan adds an advertising banner. If a user clicks on the banner, they are redirected to phishing resources (located on the domain ooo-ooo[.]information), where they are encouraged to pay a small sum of money.
Kaspersky also listed the wallet addresses found in the analysed scripts, so that users can be aware of them:
- Bitcoin: '1BcJZis6Hu2a7mkcrKxRYxXmz6fMpsAN3L', '1CZVki6tqgu2t4ACk84voVpnGpQZMAVzWq', '3KgyGrCiMRpXTihZWY1yZiXnL46KUBzMEY', '1DgjRqs9SwhyuKe8KSMkE1Jjrs59VZhNyj', '35muZpFLAQcxjDFDsMrSVPc8WbTxw3TTMC', '34pzTteax2EGvrjw3wNMxaPi6misyaWLeJ'.
- Ethereum: '33a7305aE6B77f3810364e89821E9B22e6a22d43', '2571B96E2d75b7EC617Fdd83b9e85370E833b3b1', '78f7cb5D4750557656f5220A86Bc4FD2C85Ed9a3'.
The report says that the total incoming transactions on all these wallets amounted to approximately 0.14 BTC plus 25 ETH, at the time of writing.
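Because Razy's payoff depends on substituting its own wallet addresses into pages the victim views, the published wallet list and phishing domain can be turned directly into a detection sweep. The Python below is an added example and not code from the article or from Kaspersky: it takes the indicators listed above, refangs any defanged domain notation, and scans captured page content or proxy logs for them. The HTML fragment it scans is a constructed sample, not a real capture, and the function and variable names are this example's own.

```python
import re

# Indicators of compromise exactly as listed in the article (Kaspersky's analysis).
RAZY_BTC_ADDRESSES = {
    "1BcJZis6Hu2a7mkcrKxRYxXmz6fMpsAN3L",
    "1CZVki6tqgu2t4ACk84voVpnGpQZMAVzWq",
    "3KgyGrCiMRpXTihZWY1yZiXnL46KUBzMEY",
    "1DgjRqs9SwhyuKe8KSMkE1Jjrs59VZhNyj",
    "35muZpFLAQcxjDFDsMrSVPc8WbTxw3TTMC",
    "34pzTteax2EGvrjw3wNMxaPi6misyaWLeJ",
}
RAZY_ETH_ADDRESSES = {
    "33a7305aE6B77f3810364e89821E9B22e6a22d43",
    "2571B96E2d75b7EC617Fdd83b9e85370E833b3b1",
    "78f7cb5D4750557656f5220A86Bc4FD2C85Ed9a3",
}
# The article defangs this as "ooo-ooo[.]information"; stored refanged for matching.
RAZY_PHISHING_DOMAIN = "ooo-ooo.information"

# Constructed sample: what a scraped page might look like after Razy injected its
# donation banner (hypothetical markup, not taken from a real infected page).
SAMPLE_HTML = """
<div class="banner">Support Wikipedia! Donate BTC to 1BcJZis6Hu2a7mkcrKxRYxXmz6fMpsAN3L
 or ETH to 0x78f7cb5d4750557656f5220a86bc4fd2c85ed9a3</div>
<a href="https://ooo-ooo[.]information/offer">Buy Telegram tokens cheap</a>
"""

# Constructed sample that carries no indicator at all.
CLEAN_HTML = "<div class='banner'>Support Wikipedia: donate by card at donate.wikimedia.org</div>"


def refang(text: str) -> str:
    """Undo the common [.] / hxxp defanging so indicators in logs still match."""
    return text.replace("[.]", ".").replace("hxxp://", "http://").replace("hxxps://", "https://")


def find_razy_indicators(text: str) -> list[tuple[str, str]]:
    """Return (kind, indicator) pairs for every Razy IoC present in text.

    BTC addresses are Base58 and case-sensitive, so they are matched verbatim.
    ETH addresses may appear with or without a 0x prefix and in any letter case
    (EIP-55 checksum casing varies), so they are matched case-insensitively and
    reported in the canonical form from the article.
    """
    text = refang(text)
    hits: list[tuple[str, str]] = []
    for addr in sorted(RAZY_BTC_ADDRESSES):
        if addr in text:
            hits.append(("btc", addr))
    for addr in sorted(RAZY_ETH_ADDRESSES):
        if re.search(r"(?:0x)?" + re.escape(addr), text, re.IGNORECASE):
            hits.append(("eth", addr))
    if RAZY_PHISHING_DOMAIN in text.lower():
        hits.append(("domain", RAZY_PHISHING_DOMAIN))
    return hits


def is_suspicious(text: str) -> bool:
    """True when at least one Razy indicator is present."""
    return bool(find_razy_indicators(text))


if __name__ == "__main__":
    for kind, value in find_razy_indicators(SAMPLE_HTML):
        print(f"{kind}: {value}")
```

Run the same function over rendered page bodies captured at the proxy or over endpoint browser caches; a wallet address from this list appearing in a page that never carried one (a Wikipedia donation banner, for instance) is a strong sign the browser extension, not the site, put it there.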