
Cybersecurity researchers have shed light on a new campaign that has been targeting Brazilian users since its launch in 2025, infecting their Chromium-based web browsers with malicious extensions to siphon user authentication data.
“Some of the phishing emails were sent from the servers of compromised companies, increasing the chances of successful attacks,” Positive Technologies Security Researcher Klimentiy Galkin said in the report. “The attacker used malicious extensions for Google Chrome, Microsoft Edge, and Brave Browser, as well as Mesh Agent and PDQ Connect agents.”
The Russian cybersecurity company, which is tracking the activity under the name Operation Phantom Enigma, said the malicious extension has been downloaded 722 times from Brazil, Colombia, the Czech Republic, Mexico, Russia and Vietnam. As many as 70 unique victim companies have been identified. Some aspects of the campaign were disclosed in early April by a researcher who goes by the alias @Johnk3r on X.

The attack starts with a phishing email disguised as an invoice that triggers a multi-stage process to deploy the browser extension. The message urges recipients to download a file from an embedded link or to open a malicious attachment contained within an archive.
Inside the archive is a batch script that is responsible for downloading and launching a PowerShell script. That script performs a series of checks to determine whether it is running in a virtualized environment and whether the security software Diebold Warsaw is present.
Developed by GAS Tecnologia, Warsaw is a security plugin used to protect banking and e-commerce transactions on the internet and mobile devices in Brazil. It is worth noting that Latin American banking Trojans such as Casbaneiro incorporate similar checks, as disclosed by ESET in October 2019.

The PowerShell script is designed to disable User Account Control (UAC), configure the batch script to start automatically on system restart to set up persistence, establish a connection with a remote server and await further commands.
The supported commands are listed below:
- Ping – responds with a "Pong" to send a heartbeat message to the server
- Stop – stops the current script process on the victim's system
- Remosekl – uninstalls the script
- Check – checks the Windows Registry for the presence of the malicious browser extension and reports okext if it exists or noext if it does not; when noext is the result, the extension is installed
- A further command installs the apps and extensions without any user interaction
The detected extensions (identifiers nplfchpahihhiheejpjmodggckakhglee, ckkjdiimhlanonhceggkfjlmjnenpmfm, and lkpiodmpjdhhhkdhbnncigggdgdfli) have since been removed from the Chrome Web Store.
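The two host-side indicators the article gives a defender to work with are the three extension identifiers and the UAC change made by the PowerShell stage. The following script is an added example, not code from Positive Technologies or the article, that walks a Chromium-style user-data directory looking for extension folders with those identifiers and, on Windows, reads the EnableLUA policy value. The browser profile locations under %LOCALAPPDATA% and the registry path are standard defaults assumed here, and the identifiers are taken exactly as printed above.

```python
"""
Hunt for the indicators reported in the article: the three extension IDs and
a disabled UAC (EnableLUA = 0). Added example, not Positive Technologies' code.
Assumed: default Chromium profile layout <User Data>/<Profile>/Extensions/<id>/.
"""
import os
import sys
from pathlib import Path

# Extension identifiers exactly as reported in the article.
REPORTED_EXTENSION_IDS = {
    "nplfchpahihhiheejpjmodggckakhglee",
    "ckkjdiimhlanonhceggkfjlmjnenpmfm",
    "lkpiodmpjdhhhkdhbnncigggdgdfli",
}

# Default per-user data directories for the three browsers named in the
# report, relative to %LOCALAPPDATA% (assumed standard install locations).
BROWSER_USER_DATA_DIRS = {
    "Chrome": Path("Google") / "Chrome" / "User Data",
    "Edge": Path("Microsoft") / "Edge" / "User Data",
    "Brave": Path("BraveSoftware") / "Brave-Browser" / "User Data",
}


def find_reported_extensions(user_data_dir, wanted=REPORTED_EXTENSION_IDS):
    """Return sorted (profile, extension_id, path) tuples for every folder
    <user_data_dir>/<Profile>/Extensions/<id> whose <id> is in `wanted`.
    A missing directory simply yields no hits."""
    hits = []
    root = Path(user_data_dir)
    if not root.is_dir():
        return hits
    for profile in root.iterdir():
        ext_root = profile / "Extensions"
        if not ext_root.is_dir():
            continue
        for ext_dir in ext_root.iterdir():
            if ext_dir.is_dir() and ext_dir.name in wanted:
                hits.append((profile.name, ext_dir.name, str(ext_dir)))
    return sorted(hits)


def uac_disabled_from_value(enable_lua):
    """Interpret the EnableLUA registry value: 0 means UAC is switched off.
    None (value absent or not readable) is reported as unknown, not disabled."""
    if enable_lua is None:
        return None
    return int(enable_lua) == 0


def read_enable_lua():
    """Read EnableLUA from HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\
    Policies\\System on Windows; return None on other platforms or on error."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, imported lazily
    key_path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "EnableLUA")
            return value
    except OSError:
        return None


def main():
    local_appdata = os.environ.get("LOCALAPPDATA")
    if local_appdata:
        for browser, rel in BROWSER_USER_DATA_DIRS.items():
            for profile, ext_id, path in find_reported_extensions(Path(local_appdata) / rel):
                print(f"[{browser}] profile '{profile}': reported extension {ext_id} at {path}")
    else:
        print("LOCALAPPDATA not set; skipping browser profile scan")
    state = uac_disabled_from_value(read_enable_lua())
    print("UAC disabled (EnableLUA=0):", "unknown" if state is None else state)


if __name__ == "__main__":
    main()
```

The extension scan keys on folder names rather than manifest contents, so it also catches an extension that has been removed from the store but is still installed locally; a hit in a profile directory together with EnableLUA set to 0 is the combination the article describes and is worth treating as a compromised host rather than a stray extension.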

Other attack chains swap the initial batch script for Windows Installer and Inno Setup installer files that are used to deliver the extension. According to Positive Technologies, the add-on is equipped to run malicious JavaScript code if the active browser tab corresponds to a web page associated with Banco do Brasil.
Specifically, it sends the user's authentication token in a request to the attacker's server, receives a command in response, and either shows the victim a loading screen (warten or schlieben_warten) or serves a malicious QR code on the bank's web page (code_zum_lesen). The presence of German words in the command names could either hint at the attacker's location or suggest that the source code was reused from elsewhere.

In what appears to be an effort to maximize the number of potential victims, the unknown operators have also been found to leverage invoice-related lures to distribute installer files that deploy remote access software such as the MeshCentral agent and the PDQ Connect agent in place of the malicious browser extension.
Positive Technologies also said it identified an open directory belonging to the attacker containing auxiliary scripts, one of which holds a link whose parameter carries the identifier enigmacybersecurity ("/about.php?key=enigmacybersecurity").
“This study highlights the use of fairly unique techniques in Latin America, such as malicious browser extensions and distribution via the Windows installer and the Inno setup installer,” says Galkin.
“The files in the attacker’s open directory show that infected companies were needed to carefully distribute the emails. However, the main focus of the attack remained on regular Brazilian users. The attacker’s goal is to steal authentication data for the victim’s bank account.”