Razy Malware Attacks Browser Extensions to Steal Cryptocurrency

bitcoin theft razy malware

The malware targets victims in multiple, sneaky ways as they move around the web.


A Windows malware dubbed “Razy” has been uncovered that sports a toolbox of cryptocurrency theft and fraud tools. Razy works by weaponizing browser extensions in order to perpetrate a range of online scams on unwitting victims.

According to researchers at Kaspersky Lab, the trojan targets Google Chrome, Mozilla Firefox and Yandex Browser users. It’s an executable file that spreads in two ways. Those are via malicious ads online, or by purporting to be legitimate free software available on file-hosting services.

“In most cases that we’ve seen, the malware spreads via affiliate networks,” Victoria Vlasova, malware analyst at Kaspersky Lab, told Threatpost. “Downloaders are distributed from free file-hosting services under the guise of legitimate software. Users install it themselves. Then such downloader loads and installs different suspicious software and sometimes Razy. Free file-hosting services are often full of such kind of software.”

Once downloaded and executed, Razy disables the integrity check for installed browser extensions on the victim’s computer (and blocks automatic updates for the targeted browser); then, it sets about installing a malicious browser extension.

In the fourth quarter of 2018, Kaspersky Lab found Razy residing on about 37,000 computers.

“The malware targeted Russian-speaking users, therefore the most of detections are in Russia,” Vlasova said. “According to Kaspersky Security Network data in Q4 2018, Razy geography (the top 3 countries) consists of Russian Federation (72 percent), Ukraine (4 percent) and Kazakhstan (3 percent).”

Those behind Razy are accomplished scam artists, researchers said. The malware has an extensive bag of tricks for convincing online denizens to cough up funds for fake services, and it can also steal cryptocurrency – all via a weaponized extension.

For instance, it can search for addresses of the victim’s cryptocurrency wallets on websites and replace them with the attacker’s wallet details, the researchers said. The aptly named “findAndReplaceWalletAddresses” function specifically searches for Bitcoin and Ethereum wallets that the victim might use. The malware crawls visited web pages, including social media sites like Instagram and Russian language site OK.RU – but it doesn’t work on pages located on Google and Yandex domains.

Razy can also spoof images of QR codes on currency exchanges that point to wallets, which make mobile money transfer easier. When a user visits a page with a QR code hosted on GDAX/Coinbase Pro, EXMO or Binance – or when an element with src=’/res/exchangebox/qrcode/’ is detected on the webpage – its core malicious script (called main.js) substitutes a QR code that points to the threat actor’s wallet instead.

Main.js can also modify the web pages of the EXMO and YoBit cryptocurrency exchanges. “These scripts display fake messages to the user about ‘new features’ in the corresponding exchanges and offers to sell cryptocurrency at above-market rates,” the researchers explained. “In other words, users are persuaded to transfer their money to the cybercriminal’s wallet under the pretext of a good deal.”

And as if this weren’t enough, main.js also spoofs Google and Yandex search results, if the search request has to do with cryptocurrencies, cryptocurrency exchanges, music downloading or torrents.

“This is how an infected user is enticed to visit infected websites or legitimate cryptocurrency-themed sites where they will see [a scam message],” said the researchers.

Razy also shows malicious ads on popular sites to infected users. When the user visits Wikipedia for instance, main.js adds a banner containing a request for donations to support the online encyclopedia.

“The cybercriminals’ wallet addresses are used in place of bank details,” according to the analysis. “The original Wikipedia banner asking for donations (if present) is deleted.”

Similarly, when the user visits the Telegram.org, they will see an offer to buy Telegram tokens at an incredibly low price – with any purchases going straight to the cybercriminals. And when users visit the pages of Russian social network Vkontakte (VK), the trojan adds an advertising banner that redirects users to a scam site “where they are prompted to pay a small sum of money now to make a load of money later on,” according to the analysis.

Razy has different infection scenarios for each browser type.

For Firefox, the trojan simply installs a malicious browser extension called Firefox Protection.

For Yandex and Chrome, the process is a bit more in-depth: Razy edits the browser’s “browser.dll” or “chrome.dll” files in the application libraries in order to disable extension integrity checks. Then, it renames the original as “browser.dll_” or “chrome.dll_”, respectively, and leaves them in the same folder.

In the case of Yandex it then installs an extension called Yandex Protect. In Chrome, it infects different existing legitimate extensions: For instance, the Chrome Media Router is present on all devices where the Chrome browser is installed, although it is not shown in the list of installed extensions. During some observed infections, Razy modifies the contents of the folder where the Chrome Media Router extension is located in order to inject malicious code.

The malicious scripts it uses are the same, regardless of infection routine or which browser is being targeted, according to Kaspersky Lab researchers.

“Irrespective of the targeted browser type, Razy added the following scripts it brought along to the folder containing the malicious script: bgs.js, extab.js, firebase-app.js, firebase-messaging.js and firebase-messaging-sw.js,” the team noted in a post on Thursday. “The file manifest.json was created in the same folder or was overwritten to ensure these scripts get called.”

The scripts firebase-app.js, firebase-messaging.js and firebase-messaging-sw.js are legitimate: “They belong to the Firebase platform and are used to send statistics to the malicious actor’s Firebase account,” researchers noted.

Intermingled with these are the malicious bgs.js and extab.js scripts, which are obfuscated with the help of the tool obfuscator.io.

“The former sends statistics to the Firebase account; the latter (extab.js) inserts a call to the script i.js with parameters tag=&did=&v_tag=&k_tag= into each page visited by the user,” according to the report. This i.js script modifies the HTML page, inserts the fake advertising banners and video clips, and adds the scam ads into Google search results.

The main element of the infection is the aforementioned main.js code however – a call to the script is added by the extension to each page visited by the user.

Vlasova told Threatpost that the combination of approaches employed by Razy is notable. “Malicious extensions themselves are not a new threat. We have seen their distribution by malicious executables before. The scam activity and cryptowallets replacing activity are also not a new case, but the combination of these activities in a single threat is quite unique.”

This post was updated Jan. 30 at 11 a.m. ET, to reflect additional input from a Kaspersky Lab analyst. 


Suggested articles