Threat Intel | HIGH

GlassWorm Attack - Fake Browser Extension for Surveillance

Malwarebytes Labs

GlassWorm, Remote Access Trojan, browser extension, supply chain attack, infostealer

Basically, GlassWorm is malware that pretends to be a browser tool to steal your data.

Quick Summary

A new malware called GlassWorm installs a fake browser extension for surveillance. Developers are primarily at risk, but the threat can spread widely. Stay vigilant and audit your software to protect against this attack.

The Threat

The GlassWorm attack is a sophisticated malware campaign that targets developers by hiding within developer tools. Once installed, it can steal sensitive data, install remote access malware, and even create a fake browser extension for surveillance. This malware is particularly dangerous as it can expand its reach, potentially leading to supply chain attacks that affect many users and companies.

GlassWorm is distributed through trusted developer channels such as npm, GitHub, and PyPI. Developers unknowingly install malicious packages, which are either newly created or altered versions of previously trusted packages. Once a package is installed, a preinstall script runs, fingerprints the machine, and decides from the system's locale whether to proceed with the infection.
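The preinstall hook is the first place a defender can look. The following is an added example, not code from the Malwarebytes article: it builds a small constructed node_modules tree in a temporary directory and reports every package that declares an install-time npm lifecycle hook, with a rough obfuscation heuristic (my own assumption, not a published signature) applied to the hook command.

```python
"""Audit a node_modules tree for packages that run code at install time.

Added example (not code from the Malwarebytes article): it builds a small
constructed node_modules tree in a temporary directory and reports every
package that declares an install-time npm lifecycle hook, with a rough
obfuscation indicator for the hook command.
"""
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

# npm lifecycle hooks that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Crude heuristics (assumptions, not a published signature) for install
# commands that hide what they execute.
SUSPICIOUS_PATTERNS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"base64|atob\(|Buffer\.from\("),
    re.compile(r"\b(curl|wget|powershell|Invoke-WebRequest)\b", re.I),
    re.compile(r"\\x[0-9a-f]{2}|\\u[0-9a-f]{4}", re.I),
]


def find_install_hooks(node_modules: Path) -> list[dict]:
    """Return one finding per install-time hook declared under node_modules."""
    findings = []
    for manifest in sorted(node_modules.rglob("package.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: nothing to audit
        scripts = data.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if not cmd:
                continue
            matched = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(cmd)]
            findings.append({
                "package": data.get("name", manifest.parent.name),
                "version": data.get("version", "?"),
                "hook": hook,
                "command": cmd,
                "suspicious": bool(matched),
            })
    return findings


def build_sample_tree(root: Path) -> Path:
    """Write a constructed node_modules tree: one benign, one hooked package."""
    packages = {
        "left-pad-like": {  # constructed benign package, no install hooks
            "name": "left-pad-like",
            "version": "1.0.0",
            "scripts": {"test": "node test.js"},
        },
        "color-utils-helper": {  # constructed package with an obfuscated preinstall hook
            "name": "color-utils-helper",
            "version": "2.3.1",
            "scripts": {
                # the base64 payload is just console.log(1); a harmless placeholder
                "preinstall": "node -e \"eval(Buffer.from('Y29uc29sZS5sb2coMSk=','base64').toString())\""
            },
        },
    }
    nm = root / "node_modules"
    for name, manifest in packages.items():
        (nm / name).mkdir(parents=True)
        (nm / name / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return nm


def run_demo() -> list[dict]:
    """Build the sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_install_hooks(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for f in run_demo():
        tag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"[{tag}] {f['package']}@{f['version']} {f['hook']}: {f['command']}")
```

Point `find_install_hooks` at a real `node_modules` directory to get the same report for a checkout. The heuristic is deliberately loose (many legitimate native packages declare a `postinstall` build step), so treat a hit as "read this script before trusting it" rather than as a verdict. Running `npm ci --ignore-scripts` in CI prevents lifecycle hooks from executing at all, which removes the preinstall stage described above as an initial foothold.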

Who's Behind It

The attackers behind GlassWorm employ a multi-stage infection process. After the initial installation, the malware connects to the Solana blockchain to retrieve additional payloads. Using a blockchain as the payload source makes the malware's command-and-control infrastructure harder to track and take down. The second stage involves data theft, targeting sensitive information such as browser extension profiles and credentials.

The third stage sees the malware fetching components that include phishing binaries aimed at users of popular cryptocurrency hardware wallets and a Remote Access Trojan (RAT). This RAT can steal browser credentials and install additional malicious extensions, further compromising the victim's system.

Tactics & Techniques

GlassWorm's stealthy nature makes it particularly insidious. It uses a distributed hash table (DHT) for command and control, allowing it to evade detection and maintain communication with its operators. The RAT can also force-install a fake Chrome extension that masquerades as a legitimate tool, such as “Google Docs Offline.” This extension can capture a wealth of information, including cookies, keystrokes, and screenshots.

Victims may not notice anything amiss unless they are vigilant about outgoing connections or new browser extensions. The potential for this malware to spread beyond developers to other users makes it a significant threat.

Defensive Measures

To protect against the GlassWorm attack, developers and users should adopt several strategies. First, prefer known-good versions of packages and be wary of sudden changes in ownership or major updates. Regularly auditing browser extensions and removing anything suspicious is crucial. Additionally, checking scheduled tasks and registry entries for unexpected items can help identify infections early.

Using real-time anti-malware solutions is also recommended to detect and block malicious activities. Awareness and proactive measures are key to mitigating the risks posed by this evolving threat.
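Auditing browser extensions is the measure most directly aimed at the fake "Google Docs Offline" extension described above. The following is an added example, not code from the Malwarebytes article. Chrome stores each extension as Extensions/<id>/<version>/manifest.json, and the 32-character ID is derived from the extension's signing key, so a copy that borrows a well-known name cannot reuse the genuine ID. The script flags an extension whose name matches an allowlisted extension but whose ID does not, and any extension requesting permissions that allow reading cookies or page content on every site. The allowlist ID and the two sample extensions are constructed placeholders, not real Web Store values.

```python
"""Audit Chrome extension manifests for look-alike names and broad permissions.

Added example, not from the Malwarebytes article. Chrome stores each extension
as Extensions/<id>/<version>/manifest.json; the 32-character ID is derived from
the extension's signing key, so a copy that borrows the name "Google Docs
Offline" cannot reuse the genuine ID. The audit flags an extension when its
name matches an allowlisted extension but its ID does not, or when it requests
permissions that allow reading cookies or page content everywhere.
"""
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

# Known-good name -> extension ID, populated from your own inventory.
# The ID below is a constructed placeholder, not a real Web Store ID.
KNOWN_GOOD = {
    "Google Docs Offline": "aaaabbbbccccddddeeeeffffgggghhhh",
}

# Permissions that let an extension read cookies, requests or screen content.
SURVEILLANCE_PERMS = {"cookies", "webRequest", "debugger", "desktopCapture",
                      "clipboardRead", "nativeMessaging"}
# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

EXT_ID = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs use only a-p


def audit_extensions(ext_root: Path) -> list[dict]:
    """Return a finding for each installed extension version that looks wrong."""
    findings = []
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        ext_id = ext_dir.name
        if not EXT_ID.match(ext_id):
            continue  # not an extension directory
        for manifest in sorted(ext_dir.glob("*/manifest.json")):
            try:
                m = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue
            name = m.get("name", "")  # localized "__MSG_*__" names are not resolved here
            requested = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
            for cs in m.get("content_scripts", []):
                requested |= set(cs.get("matches", []))
            reasons = []
            expected = KNOWN_GOOD.get(name)
            if expected and expected != ext_id:
                reasons.append(f"name matches allowlisted extension but ID {ext_id} != {expected}")
            risky = sorted(requested & (SURVEILLANCE_PERMS | BROAD_HOSTS))
            if risky:
                reasons.append("broad permissions: " + ", ".join(risky))
            if reasons:
                findings.append({"id": ext_id, "name": name,
                                 "version": m.get("version", "?"), "reasons": reasons})
    return findings


def build_sample_profile(root: Path) -> Path:
    """Write a constructed Extensions directory: one genuine, one look-alike."""
    samples = {
        "aaaabbbbccccddddeeeeffffgggghhhh": {  # matches the allowlist placeholder
            "name": "Google Docs Offline", "version": "1.0",
            "manifest_version": 3, "permissions": ["alarms", "storage"],
        },
        "ppppoooonnnnmmmmllllkkkkjjjjiiii": {  # constructed look-alike with broad access
            "name": "Google Docs Offline", "version": "1.0",
            "manifest_version": 3,
            "permissions": ["cookies", "webRequest", "storage"],
            "host_permissions": ["<all_urls>"],
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
        },
    }
    ext_root = root / "Extensions"
    for ext_id, manifest in samples.items():
        vdir = ext_root / ext_id / (manifest["version"] + "_0")  # Chrome names version dirs like 1.0_0
        vdir.mkdir(parents=True)
        (vdir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return ext_root


def run_demo() -> list[dict]:
    """Build the sample profile in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_extensions(build_sample_profile(Path(tmp)))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['id']} '{f['name']}' v{f['version']}")
        for r in f["reasons"]:
            print("  -", r)
```

For a live profile, point `audit_extensions` at the `Extensions` directory under the Chrome user data folder and fill `KNOWN_GOOD` from your own inventory of approved extension IDs. Because the article notes the RAT force-installs its extension, also compare the result against the `ExtensionInstallForcelist` Chrome policy on the machine (under `HKLM\SOFTWARE\Policies\Google\Chrome` on Windows): an extension installed by policy shows no Remove button on the extensions page, so a policy entry you did not set is itself a finding.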

🔒 Pro insight: GlassWorm's use of blockchain for command and control highlights a new trend in malware evasion tactics, making detection more challenging.

Original article from Malwarebytes Labs
