350 Browser Extensions with Adware Target Russian Users

Security experts at Zimperium have discovered a malicious campaign called ABCsoup, which involves the distribution of over 350 browser extensions for Google Chrome, Opera, and Mozilla Firefox infected with adware. According to researchers, all of these extensions were disguised as the official version of Google Translate and specifically targeted Russian users.

The exact method of malware distribution remains unclear, but the fake extensions are not available in official browser stores. It appears they are spread through social engineering tactics and Windows executable files, allowing them to bypass most security solutions.

Interestingly, the malware assigns itself the same extension ID as the legitimate Google Translate extension—aapbdbdomjkkjkaonfhkkikfgjllcleb. This tactic is likely intended to convince victims that they have installed the real extension. If the target user already has the official Google Translate extension installed, the malware replaces it with a malicious version that has a higher version number (for example, 30.2.5 instead of 2.0.10).
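A defender can check a browser profile for the ID reuse and version jump described above. The following is an added example, not code from Zimperium or the original article; it assumes the Chrome/Chromium on-disk layout `Extensions/<id>/<version>_0/manifest.json`, treats the article's example version 2.0.10 as the known-good baseline, and uses a missing Chrome Web Store `update_url` as a review signal rather than proof. The profile it audits in `demo()` is constructed.

```python
import json
import tempfile
from pathlib import Path

# Extension ID from the article (legitimate Google Translate, reused by ABCsoup).
TRANSLATE_ID = "aapbdbdomjkkjkaonfhkkikfgjllcleb"
# Assumption: highest legitimate version known to the defender (article's example: 2.0.10).
BASELINE_VERSION = (2, 0, 10)
# Update URL that Chrome Web Store installs carry in their manifest.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def parse_version(text):
    """Turn a dotted version string such as '30.2.5' into a tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def audit_profile(extensions_dir, baseline=BASELINE_VERSION):
    """Return (manifest path, reason) findings for each installed copy of the ID."""
    findings = []
    ext_root = Path(extensions_dir) / TRANSLATE_ID
    for manifest_path in sorted(ext_root.glob("*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
            version = parse_version(manifest["version"])
        except (OSError, ValueError, KeyError, AttributeError):
            findings.append((str(manifest_path), "unreadable or malformed manifest"))
            continue
        if version > baseline:
            reason = f"version {manifest['version']} above baseline"
            findings.append((str(manifest_path), reason))
        if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
            findings.append((str(manifest_path), "update_url is not the Chrome Web Store"))
    return findings


def demo():
    """Audit a constructed profile holding one copy with the article's 30.2.5 version."""
    with tempfile.TemporaryDirectory() as tmp:
        copy_dir = Path(tmp) / TRANSLATE_ID / "30.2.5_0"
        copy_dir.mkdir(parents=True)
        fake = {"name": "Google Translate", "version": "30.2.5"}  # constructed sample
        (copy_dir / "manifest.json").write_text(json.dumps(fake), encoding="utf-8")
        return [reason for _, reason in audit_profile(tmp)]
```

Keep the baseline in step with the version the official store currently ships, otherwise a legitimate update will be flagged.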

All extensions identified in the ABCsoup campaign are designed to interact with pop-up windows, collect personal information (for delivering targeted ads), fingerprint users, and inject malicious JavaScript. This JavaScript can later act as spyware, intercepting keystrokes and tracking browser activity. The injected scripts target popular sites such as YouTube, Facebook, ASKfm, Mail.ru, Yandex, Rambler, Avito, Brainly Znanija, Kismia, and rollApp.

Additionally, researchers note that another key goal of ABCsoup is to collect data from users of the social networks Odnoklassniki and VKontakte. The extensions search for these social networks among the open browser tabs and, if found, collect data such as names, surnames, dates of birth, and more, then transmit this information to a remote server.

Zimperium attributes this campaign to a “well-organized group of Eastern European and Russian origin” that is focused on Russian users. “This malware is specifically designed to attack users of all types and to collect information. The injected scripts can easily be used for more malicious behavior, including keylogging and data exfiltration,” the experts warned.
