Over 300,000 users of Google Chrome and Microsoft Edge have been affected by Trojan malware that force-installs browser extensions which refuse to be deleted. The ReasonLabs Research Team was the first to put out the malicious browser extensions alert, describing a “polymorphic malware campaign that forcefully installs extensions on endpoints.” The researchers found that the trojan imitates download sites for popular apps and services such as Roblox FPS Unlocker, VLC, and YouTube, tricking users into downloading a fake installer. Once run, the installer plants itself on the system and registers a scheduled task of its own to keep the infection alive. No matter how far technology moves ahead, attacks that prey on ordinary users remain a permanent threat.


Understanding the New Chrome and Edge Trojan Malware Making the Rounds in 2024

The recent browser extension malware threat does not employ any new technology; it is harmful because of the simplicity of its concept and the ease with which it tricks users into downloading it. The trojan is spread through malvertising: malicious adverts placed in otherwise legitimate online advertising networks, which lead victims to lookalike download pages. Because these pages resemble the real websites of popular services, users let their guard down and download the file without hesitation.

Although the Trojan gained notoriety in 2024, there is evidence that earlier versions have been around since 2021. Chrome and Edge are usually effective at removing malware extensions from their stores, but some still manage to stay under the radar. According to the report, “Micro Search” was a Chrome extension that likely came from the same developer and remained available until April, and “yglSearch” was still available online at the time of writing. Threats to online security can arise anywhere.

How Do The Chrome and Edge Malware Extensions Work?

Once the downloaded file is run, the fake installer makes no further attempt to deceive the user and never delivers the application that was promised. Instead, it creates a scheduled task on the user’s computer, with a name chosen to look like a real system task so that it does not trigger any alarm bells on the device.

The scheduled task runs a PowerShell script that has been dropped into the System32 folder, where legitimate Windows system files live, so that it blends in with them. The PowerShell script contacts a remote server and fetches the payload, the heart of the malicious software, which is then downloaded and executed on the machine. This payload supports different kinds of malicious activity, from stealing user data to pushing adware onto the device.


What Does the Browser Extension Malware Threat Mean For the User?

Once the payload is running, the malware forces the installation of its Chrome and Edge extensions, which then do the real work. The extensions hijack search queries whenever the user searches from the browser, rerouting them through the attacker’s servers. The process is quick and interferes with every later interaction with the browser, all while going to great lengths to stay undetected, including hiding the extensions from the browser’s extensions page.

According to ReasonLabs, the extension cannot be disabled by the user even when they go through developer mode to try to remove it and regain control of their browser. It is also of note that newer versions of the malware go as far as to disable browser updates, so a patched version of the browser cannot easily combat the problem either.

Google and Microsoft have been alerted to the issue. There are no official updates yet on what the companies are doing to combat the spread of this malware, but it does not appear to be a problem on which they will settle for a lax approach.

What to Do If You’ve Been Affected by the Chrome or Edge Trojan Malware?

ReasonLabs reports that simply uninstalling and reinstalling the browser will not resolve the issue, because the files responsible remain on the PC and will reinfect the fresh install. To fully address the problem, the scheduled task that keeps the malware going has to be removed, along with the registry keys it creates. The report provides a step-by-step guide to deleting the relevant files, including the PowerShell script (a .ps1 file) dropped into the system folder. The instructions for removing the registry keys and the malware are easy enough to follow, but make sure you delete the correct files to avoid breaking the system.
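The triage script below is an added example and is not part of the ReasonLabs report or its removal guide. It ties together the mechanics described above (a scheduled task that launches a PowerShell script from System32, and registry keys that force the extensions in) with the clean-up steps: it enumerates the three artefacts and, only when asked, removes them. Two assumptions go beyond what the page states: that the forced installs use the browsers’ standard ExtensionInstallForcelist policy keys, and that the dropped script is a .ps1 sitting in the System32 folder root. Run it from an elevated PowerShell session; without `-Remove` it only reports.

```powershell
<#
  Added triage script (not from the ReasonLabs report). Report-only by
  default; pass -Remove to delete findings, and add -WhatIf to preview.
  Assumptions not stated on the page: the malware forces its extensions
  through the ExtensionInstallForcelist policy keys, and the dropped
  PowerShell script lives directly under C:\Windows\System32.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

$System32 = Join-Path $env:SystemRoot 'System32'

# Standard Chrome/Edge policy keys that force-install extensions
# (assumed to be the ones the malware writes).
$ForceListKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)

# 1. Scheduled tasks whose action runs powershell.exe against a .ps1 in System32.
#    The task NAME is chosen to look legitimate, so filter on the action instead.
$suspectTasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object {
        ("$($_.Execute)"   -match 'powershell') -and
        ("$($_.Arguments)" -match 'System32\\[^\s"]*\.ps1')
    }
}
Write-Host "== Scheduled tasks launching a .ps1 from System32 =="
foreach ($t in $suspectTasks) {
    $argText = ($t.Actions | ForEach-Object { $_.Arguments }) -join ' '
    Write-Host ("{0}{1}`n    {2}" -f $t.TaskPath, $t.TaskName, $argText)
}

# 2. Force-install policy entries. Each value is "<extension id>;<update url>",
#    which is why the extension shows as installed by policy and cannot be disabled.
Write-Host "`n== Extension force-install policy entries =="
$forced = foreach ($key in $ForceListKeys) {
    if (Test-Path $key) {
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Value = $item.GetValue($name) }
        }
    }
}
$forced | ForEach-Object { Write-Host ("{0}\{1} = {2}" -f $_.Key, $_.Name, $_.Value) }

# 3. Loose .ps1 files in the System32 root. A stock install normally has none
#    there, but verify each hit before deleting anything.
Write-Host "`n== .ps1 files in System32 root =="
$looseScripts = Get-ChildItem -Path $System32 -Filter '*.ps1' -File -ErrorAction SilentlyContinue
$looseScripts | ForEach-Object { Write-Host $_.FullName }

if (-not $Remove) {
    Write-Host "`nReport only. Re-run with -Remove (add -WhatIf to preview) to clean up."
    return
}

# Removal order matters: unregister the task first so the script cannot
# re-plant the policy values, then the registry entries, then the script file.
foreach ($t in $suspectTasks) {
    if ($PSCmdlet.ShouldProcess("$($t.TaskPath)$($t.TaskName)", 'Unregister-ScheduledTask')) {
        Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
    }
}
foreach ($f in $forced) {
    if ($PSCmdlet.ShouldProcess("$($f.Key)\$($f.Name)", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $f.Key -Name $f.Name
    }
}
foreach ($s in $looseScripts) {
    if ($PSCmdlet.ShouldProcess($s.FullName, 'Remove-Item')) {
        Remove-Item -LiteralPath $s.FullName -Force
    }
}
```

Run it once without switches and read the three lists before touching anything: a corporate-managed PC may legitimately have entries under ExtensionInstallForcelist, and those must not be removed. Because the task is what re-creates everything else, deleting the extension or the registry values alone, as the page notes, only buys time until the next scheduled run.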

The guide should be a useful tool for dealing with this particular malicious browser extension alert, but caution is recommended for all future browsing. We have all been told not to download files from unknown sources, yet many of us are guilty of looking for cracked versions of popular apps and games to bypass a paywall or get an ad-free experience. This makes it easy for fake websites to pose as the real thing to those still looking for a legitimate download, or to offer a free alternative that ends up costing far more in the long run.

Users are also often on the lookout for browser extensions that can make their online experience much smoother. This leaves them vulnerable to extensions that pretend to offer a service while doing something entirely different. 

It is generally good practice to review any extension before enabling it. Read what other users have to say and go over the permissions it requests carefully before installing anything. You will also benefit greatly from running antivirus software that can catch and neutralise threats like this one early on.