Chrome and Edge users infected with malicious browser extensions that steal your personal data — what to do now
Widespread malware campaign has been operating in the shadows for years
Hackers are using malicious browser extensions to infect both Google Chrome and Microsoft Edge with dangerous malware that can steal your personal data and leave your computer at risk of further attacks.
As reported by The Hacker News, this recently discovered malware campaign has been active since 2021 and so far, at least 300,000 Chrome and Edge users have fallen victim to it.
What makes this malware particularly dangerous is the fact that it can achieve persistence on infected PCs. This means that even if you delete the malicious extension, the malware will reactivate itself the next time you restart your computer.
Here’s everything you need to know about this malware campaign and how you can actually remove the malicious extension used in it once and for all.
Using malvertising to push fake sites
Like other malware campaigns, this one uses malvertising to trick unsuspecting users into downloading and installing risky software.
The hackers behind it have created lookalike sites that impersonate popular software and services like Roblox FPS Unlocker, YouTube, VLC media player, Steam or Keepass. While potential victims think they’re installing legitimate software or extensions, they’re actually downloading a trojan that installs the malicious extensions used by this malware.
The digitally signed malicious installers used in this campaign register a scheduled task on vulnerable PCs that then executes a PowerShell script which downloads and executes the next-stage payload from a hacker-controlled remote server.
Sign up now to get the best Black Friday deals!
Discover the hottest deals, best product picks and the latest tech news from our experts at Tom’s Guide.
As part of this next-stage payload, the malware modifies an infected PCs Windows Registry to force the installation of Chrome and Edge extensions which are used for ad fraud by hijacking web searches on Google and Bing and then redirecting them through the hackers’ servers. To make matters worse, newer versions of this malware can even prevent browser updates from being installed, putting victims at risk of other attacks.
Fortunately, there is a fix but it does take some technical know how.
How to remove this malware from your PC for good
In a blog post detailing the findings of its security researchers, ReasonLabs provides further insight on how to properly remove this malware and the malicious extensions used in this campaign from your PC.
First things first, you need to remove the scheduled task from your PC. This is done by clicking on the Start Menu or pressing the Windows key on your keyboard and then searching for Task Scheduler.
Once Task Scheduler is opened, you need to click on the Task Scheduler Library to show all of the tasks on your PC. While the task name used by this malware varies, you can identify it by clicking on tasks, opening them and then clicking on Actions. In the table below Actions, you can look at their Details and here, you want to look for a path to “c:\windows\system32” and a PowerShell script or a file ending with “.ps1”. ReasonLabs notes that the task name will often be similar to the PowerShell script name. Once you’ve found the malicious task, right click on its name and then click Delete.
After this, you then need to remove the registry keys that are forcing the malicious extensions in your browser. This is more difficult but you can open the Registry Editor the same way that you did with the Task Scheduler. Keep in mind though that you shouldn’t mess with your computer’s registry unless you absolutely know what you’re doing. When in doubt, ask a friend for help or take your PC to a professional.
With the Registry Editor opened, you need to go to “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist”. In the right pane here, there will be a list of extensions with a numerical value as “Name” and Extension ID as “Data”. Then right click on the name and then click Delete. You also have to do this for this registry key as well: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallForcelist.”
As this malware affects both Chrome and Edge, you will need to repeat the same process for the Edge extensions at this path: “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist”.
While you could delete the malware files yourself, you’re much better off using one of the best antivirus software solutions to do it for you. If you do want to do so manually, you can find instructions at the end of ReasonLabs’ blog post linked above.
Going through the process of removing these malicious extensions and the malware they’ve dropped on your PC will likely be more than enough to ensure you think twice before downloading new software or browser extensions from untrustworthy sources. If you do want to download a new extension, do so from the Chrome Web Store or from the Microsoft Edge Add-on Store instead.
More from Tom's Guide
- Made by Google event live blog — Pixel 9, Pixel 9 Pro Fold and Pixel Watch 3 news
- 2.9 billion hit in one of the largest data breaches ever
- Google just fixed 46 security flaws, including an actively exploited zero-day
Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.
-
Anthony Spadafora
So this malware only affects PCs due to how it uses Scheduled Tasks and tweaks to the Windows Registry to establish persistence on an infected computer. You should be fine using either Chrome or Edge on Mac. Just think of this piece as a good reminder to always be careful when looking for new software online or installing new extensions for your browser.steve907 said:What about Chrome and Edge on MacOS? What's the exposure there? -
ACochran have tried following your your instructions. When I tried deleting the Registry Editor but i cannot delete the issue. It wont allow me to. Is there another way this can be handled? Windows defender and combo cleaner arent doing it either. Combo at least picks up that there is issues with trojan and where. Im just having a hard time deleting them in edge and chrome. Have windows 11 and its updated regularlyReply