Computer technologies

Malicious Chrome extensions infected more than 100,000 users

Analysts at Radware found seven malicious extensions in the official Chrome Web Store that masqueraded as well-known legitimate extensions but in fact stole users' credentials, mined cryptocurrency, and carried out click fraud. According to the experts, the extensions were installed more than 100,000 times in total, and in one case the malware reached computers inside a "well-protected network" belonging to an unnamed large manufacturer. The dangerous extensions have the following names:

  • Nigelify;
  • PwnerLike;
  • Alt-j;
  • Fix-case;
  • Divinity 2 Original Sin: Wiki Skill Popup;
  • Keeprivate;
  • iHabno

The researchers write that all of the extensions were the work of a single hacker group, had been present in the Chrome Web Store since at least March 2018, and were distributed primarily through social engineering and links on Facebook. These links took victims to a fake YouTube page that asked them to install an extension.


After installation, the extension executed malicious JavaScript, turning the infected machine into another node of the botnet. The victim's Facebook and Instagram credentials were stolen, and this information was then used to spread the malicious code further among the victim's friends.

In addition, the malware forced infected computers to mine the cryptocurrencies Monero, Bytecoin and Electroneum. According to Radware, in the last six days alone the attackers earned about $1000 this way.

At the same time, the experts note that Google is not sitting idly by. Four of the seven detected extensions were spotted and removed from the store by the company's own specialists, despite the use of obfuscation and other masking techniques. Unfortunately, the Nigelify and PwnerLike extensions are still active.
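For administrators who want to check whether any of the listed extensions are installed, here is a small audit script. It is an added example, not code from Radware or from the original article. It assumes Chrome's on-disk layout of `Extensions/<extension id>/<version>/manifest.json` and matches on the display name only, because the article gives names and no extension IDs.

```python
import json
import sys
from pathlib import Path

# Extension names listed in the article, case-folded for comparison.
FLAGGED = {n.casefold() for n in (
    "Nigelify", "PwnerLike", "Alt-j", "Fix-case",
    "Divinity 2 Original Sin: Wiki Skill Popup", "Keeprivate", "iHabno")}

def _load(path):
    # utf-8-sig tolerates a byte-order mark at the start of the file.
    return json.loads(path.read_text(encoding="utf-8-sig"))

def display_name(version_dir):
    """Return the extension's name, resolving a __MSG_key__ placeholder."""
    manifest = _load(version_dir / "manifest.json")
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    key = name[len("__MSG_"):-2].casefold()
    locale = str(manifest.get("default_locale", "en"))
    try:
        messages = _load(version_dir / "_locales" / locale / "messages.json")
    except (OSError, ValueError):
        return name  # unresolved placeholder: report it as-is
    for k, v in messages.items():
        if k.casefold() == key and isinstance(v, dict):  # keys are case-insensitive
            return str(v.get("message", name))
    return name

def audit(extensions_root):
    """List (extension_id, version, name) for installed names on the list."""
    hits = []
    # Chrome layout: <profile>/Extensions/<extension id>/<version>/manifest.json
    for manifest in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        version_dir = manifest.parent
        try:
            name = display_name(version_dir)
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed manifest
        if name.strip().casefold() in FLAGGED:
            hits.append((version_dir.parent.name, version_dir.name, name))
    return hits

if __name__ == "__main__":
    # Argument: path to a Chrome profile's Extensions directory.
    for ext_id, version, name in audit(sys.argv[1]):
        print(f"{ext_id}  {version}  {name}")
```

Because the malicious extensions copied the names of legitimate ones, a hit is a lead for manual review of that extension ID, not proof of infection.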