Warning to developers: Stay away from these 10 VSCode extensions
Briefly

The article discusses the difficulty of detecting malicious browser extensions that disguise themselves as legitimate utilities. Once installed, an extension carries out its harmful actions through a PowerShell script that first tries to obtain administrator permissions to run its payload. If that fails, it creates its own System32 directory and executes the malicious files from there. The script carries DLLs and a Trojan executable as base64-encoded strings, and it evades detection by writing them to a directory it has arranged for security tools such as Windows Defender to ignore.
Initial detection is difficult because the extensions mimic legitimate tools to mask their intent; after installation, the user does receive the expected utility.
The PowerShell script attempts to run the malicious payload with administrator permissions. If that fails, it creates its own System32 directory from which to carry out further malicious actions.
The DLLs and the Trojan executable are embedded in the PowerShell script as base64 strings; the script decodes them and writes the Trojan to an unmonitored directory.
The script uses creative methods to bypass security measures, such as excluding its newly created directory from Windows Defender scanning, which makes detection extremely challenging.
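As an added example, not code from the CSO Online article or from this summary, the Python below scans PowerShell script text for the indicators the summary describes: a Defender exclusion being added, a System32 directory created outside the real Windows directory, an elevation attempt, and base64 literals that decode to a PE file. The sample dropper text, the benign comparison script and the base64 blob are all constructed for this example; the blob decodes to an "MZ" header followed by filler bytes, not a working executable.

```python
import base64
import binascii
import re

# Constructed base64 blob for the sample: decodes to an "MZ" header plus filler,
# not a working executable. Real droppers embed whole DLLs and EXEs this way.
FAKE_PE = base64.b64encode(b"MZ" + b"\x00" * 62 + b"constructed-filler").decode()

# Constructed sample of dropper-style script text with the behaviours the summary lists.
SAMPLE_SCRIPT = f"""
$dir = "$env:USERPROFILE\\AppData\\Local\\Microsoft\\System32"
New-Item -ItemType Directory -Force -Path $dir | Out-Null
Add-MpPreference -ExclusionPath $dir
$bytes = [Convert]::FromBase64String("{FAKE_PE}")
[IO.File]::WriteAllBytes("$dir\\update.exe", $bytes)
Start-Process "$dir\\update.exe" -Verb RunAs
"""

# Constructed benign script that also mentions System32, to show the path check
# only flags copies outside the real Windows directory.
BENIGN_SCRIPT = """
Get-ChildItem "$env:SystemRoot\\System32" -Filter *.dll | Measure-Object
"""

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
STRING_RE = re.compile(r'"([^"\n]*)"')

INDICATORS = {
    # Adding an exclusion path is how the dropper hides its directory from Defender scans.
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-ExclusionPath", re.IGNORECASE),
    # Relaunching with -Verb RunAs is a UAC elevation request.
    "elevation_attempt": re.compile(r"Start-Process[^\n]*-Verb\s+RunAs", re.IGNORECASE),
    # Decoding an embedded payload from a string literal.
    "base64_decode": re.compile(r"FromBase64String", re.IGNORECASE),
}


def embedded_pe_blobs(text):
    """Return base64 literals in the script whose decoded bytes start with the PE 'MZ' magic."""
    blobs = []
    for match in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except binascii.Error:
            continue
        if raw[:2] == b"MZ":
            blobs.append(match.group(0))
    return blobs


def fake_system32_paths(text):
    """Quoted path literals ending in System32 that are not under the real Windows directory."""
    return [
        s for s in STRING_RE.findall(text)
        if re.search(r"\\System32\b", s, re.IGNORECASE)
        and not re.search(r"Windows|SystemRoot|windir", s, re.IGNORECASE)
    ]


def scan_script(text):
    """Map each indicator name to whether it appears in the script text."""
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    hits["fake_system32_dir"] = bool(fake_system32_paths(text))
    hits["embedded_pe"] = bool(embedded_pe_blobs(text))
    return hits


def verdict(hits):
    """Three or more independent indicators together are far more telling than any one alone."""
    return "suspicious" if sum(hits.values()) >= 3 else "benign"


if __name__ == "__main__":
    for label, script in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        hits = scan_script(script)
        print(label, verdict(hits), hits)
```

The scoring threshold is deliberate: any single indicator (a Defender exclusion, a RunAs relaunch, a base64 decode) has legitimate uses in administration scripts, so the scanner only raises a verdict when several of the summary's behaviours appear together. The base64 check decodes each long literal and looks for the "MZ" magic rather than matching on string length alone, which is what separates an embedded executable from, say, an embedded certificate.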
Read at CSO Online