ParaSiteSnatcher is a malicious Chrome extension that targets users in Latin America, with a particular focus on Brazil. It abuses the Google Chrome extension APIs to monitor, intercept, and exfiltrate sensitive data from victims. Its modular framework is built from heavily obfuscated components.
Key characteristics of ParaSiteSnatcher include:
Targeted Browsers: While it primarily targets Google Chrome, it is also designed to run on other Chromium-based browsers such as Microsoft Edge, Brave, and Opera; the Hive Pro advisory cited below additionally reports potential compatibility with Firefox and Safari.
Capabilities: Once installed, ParaSiteSnatcher relies on the extensive permissions requested by the extension. These let the malware manipulate web sessions and web requests and track user interactions across multiple tabs, using the Chrome tabs API.
Data Exfiltration: The framework lets the threat actors monitor, manipulate, and exfiltrate highly sensitive information from multiple sources, including intercepting and exfiltrating every POST request that carries sensitive data.
Targets: The primary targets of this malicious extension include users' personal information, with a significant focus on banking websites and payment systems, indicating a financial motivation behind the attacks.
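The permission profile described above (tabs access, request interception, broad host access) is also what a defender can hunt for. The following script is an added example and is not code from the original page or from the Trend Micro research: it scores an unpacked extension's manifest.json for that profile and hashes every file in the extension directory against the SHA256 listed in the IoC section. The weights, the score threshold, and the sample manifest are assumptions made for illustration; the page does not reproduce the real ParaSiteSnatcher manifest.

```python
"""Audit unpacked Chrome/Chromium extensions for the ParaSiteSnatcher-style
permission profile and for the published SHA256 IoC.

Added example, not from the original page. The risk weights, threshold and
SAMPLE_MANIFEST are assumptions for illustration only.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# SHA256 taken from the IoC section of this page.
KNOWN_BAD_SHA256 = {
    "ec22d946dc9538100875b86d2f6035f3541f5e3f08698304b9591efeea7d09a2",
}

# Permissions that together allow session and request manipulation across
# tabs. The weights are our own assumption, not a published scheme.
RISKY_PERMISSIONS = {
    "tabs": 1,
    "webRequest": 2,
    "webRequestBlocking": 2,
    "cookies": 1,
    "webNavigation": 1,
    "scripting": 1,
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def score_manifest(manifest: dict) -> dict:
    """Return the risky permissions, broad host patterns and a numeric score."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))  # MV3
    # MV2 manifests put host patterns inside "permissions".
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    risky = sorted(p for p in perms if p in RISKY_PERMISSIONS)
    broad = sorted(h for h in hosts if h in BROAD_HOSTS)
    score = sum(RISKY_PERMISSIONS[p] for p in risky) + (3 if broad else 0)
    return {"risky_permissions": risky, "broad_hosts": broad, "score": score}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA256 so large bundles do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_extension_dir(ext_dir: Path, threshold: int = 5) -> dict:
    """Audit one unpacked extension directory (the one holding manifest.json)."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    result = score_manifest(manifest)
    result["name"] = manifest.get("name", ext_dir.name)
    result["ioc_hits"] = sorted(
        str(p.relative_to(ext_dir))
        for p in ext_dir.rglob("*")
        if p.is_file() and sha256_file(p) in KNOWN_BAD_SHA256
    )
    result["suspicious"] = bool(result["ioc_hits"]) or result["score"] >= threshold
    return result


# Constructed sample manifest carrying the profile discussed above. It is
# NOT the real ParaSiteSnatcher manifest, which this page does not reproduce.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "sample-extension",
    "permissions": ["tabs", "webRequest", "cookies", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://*/*"], "js": ["cs.js"]}],
}


def run_sample_audit() -> dict:
    """Write the constructed sample to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "manifest.json").write_text(json.dumps(SAMPLE_MANIFEST), encoding="utf-8")
        (d / "cs.js").write_text("// constructed placeholder content script\n", encoding="utf-8")
        return audit_extension_dir(d)


if __name__ == "__main__":
    print(json.dumps(run_sample_audit(), indent=2))
```

To use it against a real profile, point audit_extension_dir at each version directory under the browser's Extensions folder (on Linux, for example, ~/.config/google-chrome/Default/Extensions/<id>/<version>/). A high score alone is not proof of compromise, since legitimate ad blockers and password managers request the same permissions; treat the score as a triage signal and the hash match as the confirmation.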
The discovery of ParaSiteSnatcher underlines the growing trend of attackers using seemingly legitimate extensions as a vector for sophisticated cyber attacks. This serves as a reminder of the importance of scrutinizing extensions and the permissions they request, particularly in regions like Latin America where such targeted attacks are becoming more prevalent.
IoC
URL
- https://ucee667c79a6c55d864febd411be.dl.dropboxusercontent.com/cd/0/get/CGJ3qwC1u0jLr4CMzA6xZ77B9wEwh0nsM6QbQmwau3W0r-QUrhwEOFMEtcKTaPiNvaz-wngORZmw9w_Bc0ljndJu1OFJJa-1qoI66JNdBmu8fa9dNvM64fbOYZohfqjDQpHDQbkFXU7ffTWOXkk8ZlEk/file?dl=1
- https://uc8bf39dfd51f19eca022ff937cc.dl.dropboxusercontent.com/cd/0/get/CGra8cbuRwTG62ccNRWQK3CHk96XzuTfm16q2nC1og5CiCXTPrwXZtf0TTJ3u6QelROuT3GllV05RL60fow_mvq9BpmNUeM0f6c1tUpdVEVYS3KaTHf-At7aLzI6ET-6MxKFT2NlOE9tgzXNEMIy3Ouy/file?dl=1
- https://uccbf6a90286e6acc2a790729260.dl.dropboxusercontent.com/cd/0/get/CGqsvrqOuB4FhGVeZWMyQmSofO8uNJ8EV_sB9CypG92ekXY38jFAv9xQxx7QHpViLjUiEO7JzJ_eQurMhVA9ptRY0qTFFHQC0PkKvO64jHHju7RjYSIJo9vkJkoN7l5HPojdhpe-rLIy1U_oZboMSkgH/file?dl=1
- http://www.dropbox.com/scl/fi/8otjw9dhf4kpb7s5vzxdu/1698746809.zip?rlkey=1w2k81ure5hm9ut5owezxa2gg&dl=1
- http://www.dropbox.com/scl/fi/cx975utps1os4gw38q73b/1698022264.zip?rlkey=tqmsmhjonobx8ise21lp35601&dl=1
DOMAIN
- webgoalarm.online
- nonbrowm.com
- mnksystem.online
- backmnk.online
SHA256
- ec22d946dc9538100875b86d2f6035f3541f5e3f08698304b9591efeea7d09a2
TAGS
parasitesnatcher, malicious chrome extension, stealer
REFERENCES
- https://www.trendmicro.com/en_us/research/23/k/parasitesnatcher-how-malicious-chrome-extensions-target-brazil-.html#:~:text=ParaSiteSnatcher%3A%20How%20Malicious%20Chrome%20Extensions,3275%20words
- https://www.hivepro.com/threat-advisory/parasitesnatcher-a-silent-threat-to-latin-america/#:~:text=ParaSiteSnatcher%20is%20a%20malicious%20Google,compatibility%20with%20Firefox%20and%20Safari
- https://www.threatshub.org/blog/parasitesnatcher-how-malicious-chrome-extensions-target-brazil/#:~:text=Once%20installed%2C%20the%20extension%20manifests,content%20scripts%20that%20enable
- https://otx.alienvault.com/pulse/65607dfd5aa46bd47238155f