Razy in search of cryptocurrency

[harlan4096]

Spoofing search results and infecting browser extensions

Last year, we discovered malware that installs a malicious browser extension on its victim’s computer or infects an already installed extension. To do so, it disables the integrity check for installed extensions and automatic updates for the targeted browser. Kaspersky Lab products detect the malicious program as Trojan.Win32.Razy.gen – an executable file that spreads via advertising blocks on websites and is distributed from free file-hosting services under the guise of legitimate software.
Razy serves several purposes, mostly related to the theft of cryptocurrency. Its main tool is the script main.js that is capable of:

• Searching for addresses of cryptocurrency wallets on websites and replacing them with the threat actor’s wallet addresses
  
  
• Spoofing images of QR codes pointing to wallets
  
  
• Modifying the web pages of cryptocurrency exchanges
  
  
• Spoofing Google and Yandex search results
  

Infection

The Trojan Razy ‘works’ with Google Chrome, Mozilla Firefox and Yandex Browser, though it has different infection scenarios for each browser type.

Mozilla Firefox

For Firefox, the Trojan installs an extension called ‘Firefox Protection’ with the ID {ab10d63e-3096-4492-ab0e-5edcf4baf988} (folder path: “%APPDATA%\Mozilla\Firefox\Profiles\.default\Extensions\{ab10d63e-3096-4492-ab0e-5edcf4baf988}”).

For the malicious extension to start working, Razy edits the following files:

• “%APPDATA%\Mozilla\Firefox\Profiles\.default\prefs.js”,
  
  
• “%APPDATA%\Mozilla\Firefox\Profiles\.default\extensions.json”,
  
  
• “%PROGRAMFILES%\Mozilla Firefox\omni.js”.
  

Full reading: https://securelist.com/razy-in-search-of...ncy/89485/