The Keksec threat actor has been linked to a previously undocumented malware strain, which has been observed in the wild masquerading as an extension for Chromium-based web browsers to enslave compromised machines into a botnet.
The extension "not only steals the information available during the browser session but can also install malware on a user's device and subsequently assume control of the entire device," Zimperium researcher Nipun Gupta said in a new report.
This attack chain, in turn, exploits flaws in web browsers such as Mozilla Firefox (CVE-2019-11708, CVE-2019-9810), Internet Explorer (CVE-2014-6332, CVE-2016-0189), and Edge (CVE-2016-7200) to escape the browser sandbox and deploy malware on the system.
The script further acts as a keylogger and a conduit for launching additional commands received from a remote server, allowing it to steal clipboard data, browser cookies, and mount layer 7 DDoS attacks against any domain.
Zimperium attributed the malware to a threat actor tracked as Keksec (aka Kek Security, Necro, and FreakOut), which has a history of developing a wide range of botnet malware, including EnemyBot, for crypto mining and DDoS operations.
The attribution to Keksec rests on overlaps with domains previously identified as infrastructure used by the group.
The disclosure comes over three months after Zimperium discovered a malicious browser add-on dubbed ABCsoup that posed as a Google Translate tool to strike Russian users of Google Chrome, Opera, and Mozilla Firefox browsers.
"Users should be trained on the risks associated with browser extensions outside of official repositories, and enterprises should consider what security controls they have in place for such risks," Gupta said.
Update: Following the publication of the story, a Google spokesperson shared the following statement with The Hacker News:
"We always recommend users update to the latest version of Google Chrome to ensure they have the most up-to-date security protections. Users can also stay better protected from malicious executables and websites by enabling Enhanced Protection in the privacy and security settings in Chrome. Enhanced Protection automatically warns you about potentially risky sites and downloads and inspects the safety of your downloads and warns you when a file may be dangerous."