New Razy Trojan Spoofs Search Results, Infects Browser Extensions to Steal Cryptocurrency: Kaspersky

Kaspersky Lab has discovered a new 'Razy' Trojan that it says spoofs search results and targets browser extensions in a bid to attack cryptocurrency wallets. It found a malicious program called Trojan.Win32.Razy.gen in an executable file that spreads via advertising blocks on websites and is distributed from free file-hosting services under the guise of legitimate software. It mainly indulges in theft of cryptocurrency.

Razy Trojan is said to search for addresses of cryptocurrency wallets on websites and replace them with the threat actor's wallet addresses; spoof images of QR codes pointing to wallets; modify the webpages of cryptocurrency exchanges, and also spoof Google and Yandex search results as well.

Kaspersky claims that Razy can infect extensions of Google Chrome, Mozilla Firefox, and Yandex Browser, though it has different infection scenarios for each browser type. For Firefox, the Trojan installs an extension called 'Firefox Protection', on the Yandex browser it installs the extension called Yandex Protect, and in Chrome Razy modifies the contents of the folder where the Chrome Media Router extension is located.

The Razy Trojan is said to spoof search results by showing fake links that are added to pages if the search request is connected with cryptocurrencies and cryptocurrency exchanges, or just music downloading or torrents. After the user's system is infected, the Trojan adds a banner containing a request for donations to support Wikipedia, whenever the user visits the site. The cybercriminals' wallet addresses are used in place of bank details. The original Wikipedia banner asking for donations (if present) is deleted. Kaspersky notes that when the user visits the webpage telegram.org, they will see an offer to buy Telegram tokens at an incredibly low price.

Similarly, when users visit the pages of Russian social network Vkontakte (VK), the Trojan adds an advertising banner to it. If a user clicks on the banner, they are redirected to phishing resources (located on the domain ooo-ooo[.]info), where they are prompted to pay a small sum of money now to make a load of money later on.

Kaspersky also listed the wallet addresses detected in the analysed scripts, for users to be more aware:

• Bitcoin: '1BcJZis6Hu2a7mkcrKxRYxXmz6fMpsAN3L', '1CZVki6tqgu2t4ACk84voVpnGpQZMAVzWq', '3KgyGrCiMRpXTihZWY1yZiXnL46KUBzMEY', '1DgjRqs9SwhyuKe8KSMkE1Jjrs59VZhNyj', '35muZpFLAQcxjDFDsMrSVPc8WbTxw3TTMC', '34pzTteax2EGvrjw3wNMxaPi6misyaWLeJ'.
• Ethereum: '33a7305aE6B77f3810364e89821E9B22e6a22d43′, '2571B96E2d75b7EC617Fdd83b9e85370E833b3b1′, '78f7cb5D4750557656f5220A86Bc4FD2C85Ed9a3'.

The report says that the total incoming transactions on all these wallets amounted to approximately 0.14 BTC plus 25 ETH, at the time of writing.