• Home
  • Internet
  • Internet News
  • New Razy Trojan Spoofs Search Results, Infects Browser Extensions to Steal Cryptocurrency: Kaspersky

New Razy Trojan Spoofs Search Results, Infects Browser Extensions to Steal Cryptocurrency: Kaspersky

Share on Facebook Tweet Share Reddit Comment
New Razy Trojan Spoofs Search Results, Infects Browser Extensions to Steal Cryptocurrency: Kaspersky

The new Trojan Razy can infect Google Chrome, Mozilla Firefox and Yandex Browser

Highlights

  • Razy Trojan was discovered by Kaspersky Labs
  • It is able to spoof Google and Yandex search results
  • It's main aim is to steal cryptocurrency

Kaspersky Lab has discovered a new 'Razy' Trojan that it says spoofs search results and targets browser extensions in a bid to attack cryptocurrency wallets. It found a malicious program called Trojan.Win32.Razy.gen in an executable file that spreads via advertising blocks on websites and is distributed from free file-hosting services under the guise of legitimate software. It mainly indulges in theft of cryptocurrency.

Razy Trojan is said to search for addresses of cryptocurrency wallets on websites and replace them with the threat actor's wallet addresses; spoof images of QR codes pointing to wallets; modify the webpages of cryptocurrency exchanges, and also spoof Google and Yandex search results as well.

Kaspersky claims that Razy can infect extensions of Google Chrome, Mozilla Firefox, and Yandex Browser, though it has different infection scenarios for each browser type. For Firefox, the Trojan installs an extension called 'Firefox Protection', on the Yandex browser it installs the extension called Yandex Protect, and in Chrome Razy modifies the contents of the folder where the Chrome Media Router extension is located.

The Razy Trojan is said to spoof search results by showing fake links that are added to pages if the search request is connected with cryptocurrencies and cryptocurrency exchanges, or just music downloading or torrents. After the user's system is infected, the Trojan adds a banner containing a request for donations to support Wikipedia, whenever the user visits the site. The cybercriminals' wallet addresses are used in place of bank details. The original Wikipedia banner asking for donations (if present) is deleted. Kaspersky notes that when the user visits the webpage telegram.org, they will see an offer to buy Telegram tokens at an incredibly low price.

Similarly, when users visit the pages of Russian social network Vkontakte (VK), the Trojan adds an advertising banner to it. If a user clicks on the banner, they are redirected to phishing resources (located on the domain ooo-ooo[.]info), where they are prompted to pay a small sum of money now to make a load of money later on.

Kaspersky also listed the wallet addresses detected in the analysed scripts, for users to be more aware:

  • Bitcoin: '1BcJZis6Hu2a7mkcrKxRYxXmz6fMpsAN3L', '1CZVki6tqgu2t4ACk84voVpnGpQZMAVzWq', '3KgyGrCiMRpXTihZWY1yZiXnL46KUBzMEY', '1DgjRqs9SwhyuKe8KSMkE1Jjrs59VZhNyj', '35muZpFLAQcxjDFDsMrSVPc8WbTxw3TTMC', '34pzTteax2EGvrjw3wNMxaPi6misyaWLeJ'.
  • Ethereum: '33a7305aE6B77f3810364e89821E9B22e6a22d43′, '2571B96E2d75b7EC617Fdd83b9e85370E833b3b1′, '78f7cb5D4750557656f5220A86Bc4FD2C85Ed9a3'.

The report says that the total incoming transactions on all these wallets amounted to approximately 0.14 BTC plus 25 ETH, at the time of writing.

Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and subscribe to our YouTube channel.

Further reading: Kaspersky Labs, Trojan, Razy Trojan
Tasneem Akolawala When not expelling tech wisdom, Tasneem feeds on good stories that strike on all those emotional chords. She loves road trips, a good laugh, and interesting people. She ... More
Reliance Jio Led Overall Handset Market in Q4 With Xiaomi Holding Smartphone Lead: Counterpoint
Overwatch Lunar New Year Event 2019: All Skins, Emotes, and Intros Listed
 
 

Advertisement

 

Advertisement