A security researcher has discovered an odd malware campaign flooding Twitter. The threat actors have spread various images including malicious QR codes on Twitter that download malicious Chrome extensions.
Malicious QR Codes On Twitter
Elaborating on the details in a post, Karsten Hahn described how multiple researchers noticed QR codes flooding Twitter to spread malware. Further investigation led him to discover that those QR codes target users with a malicious Chrome extension.
Briefly, these QR codes catch victims’ attention through tempting images: the images advertise pirated software, offered as an ISO download, to entice the victim into scanning the QR code.
However, this ISO file never delivers the promised software; instead, it serves as a malware loader. It consists of two components: a _meta.txt file containing a PowerShell script, and a downloader.exe. Regarding how these components function, the post states:
The _meta.txt contains a PowerShell script, which is encrypted with a substitution cipher. The downloader.exe is a .NET assembly. It has a big dictionary with the substitution alphabet to decrypt the PowerShell script in _meta.txt. It adds the PowerShell commands as a scheduled task named ChromeTask which runs every ten minutes.
The PowerShell script downloads the malicious Chrome extension, which uses stealthy techniques to resist removal. For instance, attempting to visit “chrome://extensions” redirects the user to “chrome://settings”.
Once installed, the malicious extension doesn’t run any overtly damaging payload, which helps it evade detection. In the background, however, it performs session hijacking and displays intrusive ads.
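As an added defender-side example (not code from Hahn's post or this article), the following Python flags a Windows Task Scheduler entry that matches the persistence the post describes: a task named ChromeTask whose PowerShell action repeats every ten minutes. The task XML and its command line are constructed placeholders, not the campaign's actual values.

```python
"""Flag Task Scheduler entries matching the reported loader persistence
(task named ChromeTask, PowerShell action, ten-minute repetition)."""
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML as exported by schtasks /query /xml
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample task: the name is the one reported by the post, the
# command line is an illustrative placeholder, not the real loader command.
SAMPLE_TASK_XML = """<Task version="1.2"
  xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\ChromeTask</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition>
      <StartBoundary>2022-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-c "PLACEHOLDER_DOWNLOAD_COMMAND"</Arguments>
    </Exec>
  </Actions>
</Task>"""


def find_suspicious_tasks(task_xml):
    """Return a list of reasons why the task resembles the ChromeTask loader."""
    root = ET.fromstring(task_xml)
    reasons = []
    # Task name check: the URI is the task path, e.g. \ChromeTask
    uri = root.findtext("t:RegistrationInfo/t:URI", "", NS)
    if uri.rsplit("\\", 1)[-1].lower() == "chrometask":
        reasons.append("task name matches reported loader task: " + uri)
    # Behavioural check: a PowerShell action that repeats every ten minutes
    intervals = [i.text for i in root.iterfind(".//t:Repetition/t:Interval", NS)]
    commands = [e.findtext("t:Command", "", NS)
                for e in root.iterfind(".//t:Actions/t:Exec", NS)]
    if any("powershell" in c.lower() for c in commands) and "PT10M" in intervals:
        reasons.append("PowerShell action repeating every 10 minutes (PT10M)")
    return reasons


if __name__ == "__main__":
    for reason in find_suspicious_tasks(SAMPLE_TASK_XML):
        print(reason)
```

On a live host, feed it the output of `schtasks /query /xml /tn <task name>` for each task of interest; the behavioural check also catches a renamed task that keeps the same PowerShell-every-ten-minutes schedule.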
Nonetheless, this apparently harmless infection may evolve into a dangerous one. As Hahn stated:
For now the only purpose is getting revenue via unsolicited advertisements and search engine hijacking. But loaders often do not stick to one payload in the long run and malware authors improve their projects over time.
Therefore, users, particularly Twitter users, should steer clear of such images or files displaying QR codes no matter how tempting they may appear.