Cybersecurity experts have uncovered a widespread hacking campaign targeting Google Chrome and Microsoft Edge.
Criminals are promoting malicious websites through the popular search engines; the sites masquerade as legitimate download pages for software tied to services like YouTube and Roblox.
When victims download and run the fake software, they hand the attackers a foothold on the PC that can be used to capture login credentials and other personal information, potentially including banking details.
Experts explained that the malware is particularly dangerous because it cannot be removed simply by deleting the file: it reinstalls itself each time the PC restarts. Researchers have, however, identified the specific browser extensions used in the attacks.
At least 300,000 people have fallen victim to the nationwide malware attack since 2021, according to ReasonLabs, the security firm that uncovered it.
Kobi Kalif, CEO and co-founder of ReasonLabs, said: ‘This newly discovered malware campaign is just the latest example of how cybercriminals are targeting consumers in the digisphere.
‘Our research team remains committed to hunting these threats and providing our users with the tools, knowledge, and information to stay protected online.
‘We alerted Google and Microsoft as soon as we became aware of the issue and they are taking the appropriate measures.’
People have unwittingly downloaded the software thinking they were installing a Chrome extension, but instead ran a PowerShell script on their computer.
PowerShell is Microsoft's command-line shell and scripting language for Windows. It is an administration tool that can change system settings such as scheduled tasks and the registry directly, which is exactly what makes it useful to attackers.
The hackers' fake error messages encourage unwitting users to copy and paste raw code and then apply it as a 'fix' by running, or 'executing,' that code in PowerShell.
The script downloads what is called a 'next-stage payload' from the hackers' remote server, which modifies the Windows Registry so that Chrome and Edge are forced to install the malicious extension.
Once added to the PC, 'the extension cannot be disabled by the user, even with Developer Mode "ON",' ReasonLabs said.
Developer Mode is a setting on the browser's extensions page that normally gives a user more control over extensions, such as loading unpacked ones. It makes no difference here because the extension is installed through an enterprise policy (the ExtensionInstallForcelist registry key), which the browser treats as an administrator's instruction and will not let an ordinary user override.
The extension can then capture the user's search queries on sites like Ask.com, Bing and Google, giving the attackers access to that data.
DailyMail.com has reached out to Google and Microsoft for comment.
How to identify the malware
Although the name of the scheduled task varies, users can identify it by what it runs: a PowerShell script (a file whose name ends in '.ps1') stored under the path 'C:\Windows\System32'.
To check, open 'Task Scheduler' from the Start menu and expand the 'Task Scheduler Library' to list all the tasks registered on the PC.
Select a task and open its 'Actions' tab; the 'Details' column shows the program it launches and the full path of the script.
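The same check can be done from an elevated PowerShell prompt instead of clicking through Task Scheduler. The script below is an added example, not part of the article or of ReasonLabs' research; it relies only on the indicator the article describes (a task whose action runs a '.ps1' script from under System32), names nothing specific to the malware, and the function name Find-System32PsTask is the author's own.

```powershell
# Added example (not from the article or ReasonLabs). Lists scheduled tasks whose
# action launches a PowerShell script (.ps1) stored under C:\Windows\System32,
# which is the indicator the article describes. Run from an elevated prompt so
# that tasks registered by other accounts and by SYSTEM are visible.

function Find-System32PsTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only "execute" actions carry Execute/Arguments; skip e-mail or message actions
            if (-not $action.Execute) { continue }
            $cmdline = "$($action.Execute) $($action.Arguments)".Trim()

            # Match a .ps1 under \Windows\System32, whichever slash style the task uses
            if ($cmdline -notmatch '(?i)windows[\\/]system32[\\/].*?\.ps1') { continue }

            # Pull out the script path so the file can be hashed for reporting or comparison
            $scriptPath = [regex]::Match($cmdline, '(?i)[a-z]:[\\/][^"'']*?\.ps1').Value
            $hash = if ($scriptPath -and (Test-Path -LiteralPath $scriptPath)) {
                (Get-FileHash -LiteralPath $scriptPath -Algorithm SHA256).Hash
            } else { 'script file not found' }

            # Summarise the triggers (e.g. Boot, Logon); a boot or logon trigger is
            # what brings the malware back after every restart
            $triggers = ($task.Triggers | ForEach-Object {
                $_.CimClass.CimClassName -replace '^MSFT_Task', '' -replace 'Trigger$', ''
            }) -join ','

            [pscustomobject]@{
                TaskName   = $task.TaskName
                TaskPath   = $task.TaskPath
                State      = $task.State
                Triggers   = $triggers
                Command    = $cmdline
                ScriptPath = $scriptPath
                SHA256     = $hash
            }
        }
    }
}

$hits = @(Find-System32PsTask)
if ($hits.Count -eq 0) {
    'No scheduled task runs a .ps1 script from System32.'
} else {
    $hits | Format-List
    # Review each hit before acting. For a task confirmed to be malicious:
    #   Unregister-ScheduledTask -TaskName $hit.TaskName -TaskPath $hit.TaskPath -Confirm:$false
}
```

Record the SHA256 and the script path before deleting anything; they are what you would pass to an incident responder or an antivirus vendor, and a task that only looks unusual but belongs to a legitimate admin tool should be left alone.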
How to remove the malware
ReasonLabs said ‘newer versions of the script remove browser updates.’
Because the malware can block browser updates, simply updating Chrome or Edge may not be possible until it is gone. There is a way to manually remove the malware from the device and make sure it is completely off the PC, although it is a lengthy process.
After identifying which tasks belong to the malware, delete them, along with the '.ps1' script they run; otherwise the task will simply put everything back at the next restart. Then remove the registry entries that force the browser to install the extension and keep it running in the background.
Open 'Registry Editor' (regedit) from the Start menu, navigate in the left panel to the key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist, and delete the extension entries listed in the right panel.
Users will also need to delete the same entries under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallForcelist.
These steps need to be repeated for Edge by clearing the key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist. On a PC managed by an employer these keys may be legitimate, so check with the IT department before deleting them.
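The registry steps above can be scripted so that nothing is deleted blind. The block below is an added example, not code from the article or from ReasonLabs; it reads the same three ExtensionInstallForcelist keys, prints each forced extension together with the update server it is pulled from, and removes the entries only when run with a -Remove switch. The function name Get-ForcedExtension and the switch name are the author's own; the official store update URLs are the ones Chrome and Edge use by default.

```powershell
# Added example (not from the article or ReasonLabs). Audits, and with -Remove
# deletes, the policy values that force-install extensions into Chrome and Edge.
# Run from an elevated prompt. Run WITHOUT -Remove first and review the output:
# on a work PC managed by an employer these entries may be legitimate.
param([switch]$Remove)

# The three keys the article's removal steps cover
$forcelistKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)

# Update servers of the official stores; a forced extension served from anywhere
# else is the tell-tale sign of an extension the user never chose
$officialUpdateUrls = @(
    'https://clients2.google.com/service/update2/crx',
    'https://edge.microsoft.com/extensionwebstorebase/v1/crx'
)

function Get-ForcedExtension {
    foreach ($key in $forcelistKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Each value has the form "<32-letter extension id>;<update URL>";
            # the update URL may be omitted, which means the official store
            $id, $updateUrl = [string]$item.GetValue($name) -split ';', 2
            $official = [string]::IsNullOrWhiteSpace($updateUrl) -or
                        ($officialUpdateUrls -contains $updateUrl.Trim())
            [pscustomobject]@{
                Key           = $key
                ValueName     = $name
                ExtensionId   = $id
                UpdateUrl     = $updateUrl
                OfficialStore = $official
            }
        }
    }
}

$entries = @(Get-ForcedExtension)
if ($entries.Count -eq 0) {
    'No force-installed extensions are configured in the registry.'
    return
}
$entries | Format-Table -AutoSize

if ($Remove) {
    foreach ($e in $entries) {
        Remove-ItemProperty -LiteralPath $e.Key -Name $e.ValueName
        "Removed $($e.ExtensionId) from $($e.Key)"
    }
    'Restart Chrome and Edge; the extension should no longer be listed as installed by policy.'
}
```

Save it as, for example, Audit-Forcelist.ps1 (the file name is arbitrary), run it once with no arguments to see what is configured, and only then run it with -Remove. An entry whose OfficialStore column is False is the one to focus on; an entry that points at the official store may still be unwanted on a home PC, but it is at least an extension that went through store review.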