SOCRadar® Cyber Intelligence Inc. | BlackStink: How a Fake Chrome Extension Is Changing Banking Malware
Oct 20, 2025
Moon

BlackStink: How a Fake Chrome Extension Is Changing Banking Malware

The cybersecurity landscape is changing fast. While traditional banking malware relied on trojans and executable payloads, the BlackStink campaign represents a major evolution: attackers now weaponize the browser itself. Revealed by IBM X-Force, this malicious Chrome extension abuses user trust to perform real-time banking fraud across Latin America.

Critical Alert

BlackStink targets banking portals in Mexico, Brazil, Colombia, and Argentina. It operates silently inside the browser, bypassing antivirus and EDR solutions, and conducts unauthorized transactions from victim accounts.

Campaign Severity: HIGH

Campaign Overview Statistics

Primary Targets: Mexico, Brazil, Colombia, Argentina

Affected Sectors: Banking, Retail, FinTech

Threat Category: Browser-based Banking Malware

Questions & Answers: Understanding BlackStink

Q1: What Is the BlackStink Campaign?

BlackStink is a browser-based banking malware distributed as a Chrome extension named “G Docs – Servicio de almacenamiento de documentos en la nube” (Google Docs Cloud Storage Service). It targets financial institutions in Latin America, stealing credentials and performing unauthorized transfers inside victims’ browsers. Unlike typical malware, it doesn’t need executable files.

Q2: How Does the BlackStink Extension Work?

– Installs outside the Chrome Web Store
– Gains high-risk permissions like webNavigation, tabs, and scripting
– Detects visits to banking portals
– Injects cloned fake forms that look legitimate
– Replaces real transaction buttons with malicious ones
– Uses the victim’s session cookies to execute real transfers

Q3: Why Is It So Hard to Detect?

– Operates within the trusted Chrome environment
– Uses obfuscated JavaScript code
– Maintains communication through a background service worker
– Uses realistic typosquatted domains
– Uses an RSA key to pin its extension ID and evade detection

Q4: Which Industries and Regions Are Most at Risk?

Sectors: Banking, Retail, FinTech, Online Banking
Regions: Mexico, Brazil, Colombia, Argentina, other Spanish and Portuguese-speaking areas
The attack model is adaptable and can easily spread globally.

Q5: What Are the Five Attack Stages?

  1. Reconnaissance: Detects target banks and transaction pages
  2. Form Cloning: Replaces legitimate forms with fake ones
  3. Event Hijacking: Manipulates buttons and captures user actions
  4. Banking Limit Extraction: Finds account limits and theft potential
  5. Overlay & API Execution: Hides real interfaces and performs API-based fund transfers

Q6: How Do Cybercriminals Maintain Persistence?

They use background service workers and typosquatted command-and-control domains:
daemon.vulnmetricshub.com
cronjob.ciphertrackai.com
statistic.chromenalitycs.com
secur.itychromenetworc.com
sinc.safechromewebtool.com

Q7: What Security Weaknesses Does BlackStink Exploit?

– Lack of browser extension audits
– Missing allowlist policies
– Weak browser security enforcement
– Poor user awareness and training
– Users leaving banking sessions open

Q8: Which MITRE ATT&CK Techniques Are Involved?

– T1176 – Browser Extensions
– T1056.001 – Input Capture (Keylogging)
– T1552.001 – Unsecured Credentials
– T1566 – Phishing

Q9: What Immediate Actions Should Organizations Take?

– Create extension allowlists and enforce via policy
– Audit installed extensions
– Block untrusted extensions
– Monitor registry and network activity
– Train users on phishing and browser security

Q10: How Can Threat Intelligence Help?

Threat intelligence tools detect and block browser-based attacks through:
– Early identification of malicious extensions
– Tracking of IoCs (domains, hashes, extension IDs)
– Real-time alerting
– Brand monitoring and phishing detection

Indicators of Compromise (IoCs)

Extension IDs

oeibmahkcodkjoicdohdhdiljbpgphcd
cioeengfhclkldbmjejfbdfplbophhhm
ogahgeimfaaohdjchpkichciopegebpn

C2 Domains

daemon.vulnmetricshub.com
cronjob.ciphertrackai.com
statistic.chromenalitycs.com
secur.itychromenetworc.com
sinc.safechromewebtool.com
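As an added example that is not part of the original post, the following Python matcher runs the five C2 domains listed above over constructed DNS-log lines and also flags any other host under the same parent zones; the log format and the parent-zone rule are assumptions.

```python
import re

# The five typosquatted C2 hosts this post lists as IoCs
BLACKSTINK_C2_DOMAINS = {
    "daemon.vulnmetricshub.com",
    "cronjob.ciphertrackai.com",
    "statistic.chromenalitycs.com",
    "secur.itychromenetworc.com",
    "sinc.safechromewebtool.com",
}
# Assumption: the parent zones are attacker-registered too, so any other label under them is suspect
C2_PARENT_ZONES = {".".join(d.split(".")[-2:]) for d in BLACKSTINK_C2_DOMAINS}

# Pulls hostnames out of free-form log text (IP addresses do not match: the last label must be alphabetic)
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def classify_host(host):
    """Return 'c2-exact', 'c2-zone' or None for one hostname (case- and trailing-dot-insensitive)."""
    h = host.lower().rstrip(".")
    if h in BLACKSTINK_C2_DOMAINS:
        return "c2-exact"
    if any(h == zone or h.endswith("." + zone) for zone in C2_PARENT_ZONES):
        return "c2-zone"
    return None

def scan_log(lines):
    """Return (line_no, host, verdict) for every log line naming a BlackStink C2 host or zone."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for match in HOST_RE.finditer(line):
            verdict = classify_host(match.group(1))
            if verdict:
                hits.append((line_no, match.group(1).lower().rstrip("."), verdict))
                break  # one hit per line is enough for alerting
    return hits

# Constructed DNS query log in an assumed "<timestamp> <client> query <type> <name>" format
SAMPLE_DNS_LOG = """\
2025-10-20T09:58:11Z 10.1.4.23 query A docs.google.com
2025-10-20T09:58:14Z 10.1.4.23 query A daemon.vulnmetricshub.com
2025-10-20T09:59:02Z 10.1.4.23 query A update.safechromewebtool.com
2025-10-20T10:00:40Z 10.1.7.9 query A bank.example.com
2025-10-20T10:01:05Z 10.1.4.23 query A SINC.SafeChromeWebTool.com.
""".splitlines()

if __name__ == "__main__":
    for line_no, host, verdict in scan_log(SAMPLE_DNS_LOG):
        print(f"line {line_no}: {host} -> {verdict}")
```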

Technical Deep Dive: Extension Architecture

The manifest.json file shows its intent to mimic Google Docs, but it requests dangerous permissions (webNavigation, scripting, storage) and injects its content script into every page and every frame (all_frames: true).
Its background script (background.js) handles persistence, data exfiltration, and command and control.
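As an added example that is not part of the original post or of IBM X-Force's analysis, this Python auditor scores an unpacked extension's manifest.json against the traits described here (the listed extension IDs, the high-risk permissions, all_frames injection, a background service worker) and an allowlist; the sample manifest is constructed, and the Chrome profile layout walked by audit_profile is an assumption.

```python
import json
from pathlib import Path

# Extension IDs and permission names are the ones this post lists; the sample data below is constructed
BLACKSTINK_EXTENSION_IDS = {
    "oeibmahkcodkjoicdohdhdiljbpgphcd",
    "cioeengfhclkldbmjejfbdfplbophhhm",
    "ogahgeimfaaohdjchpkichciopegebpn",
}
HIGH_RISK_PERMISSIONS = {"webNavigation", "tabs", "scripting", "storage"}
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(ext_id, manifest, allowlist):
    """Score one extension's manifest.json against the traits the post describes."""
    findings = []
    if ext_id in BLACKSTINK_EXTENSION_IDS:
        findings.append("known BlackStink extension ID")
    if ext_id not in allowlist:
        findings.append("not on the extension allowlist")
    risky = sorted(set(manifest.get("permissions", [])) & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions: " + ", ".join(risky))
    for script in manifest.get("content_scripts", []):
        if script.get("all_frames") and set(script.get("matches", [])) & BROAD_MATCHES:
            findings.append("content script injected into every frame of every page")
    if manifest.get("background", {}).get("service_worker"):
        findings.append("background service worker (persistence and C2 channel)")
    # Allowlist policy: a known ID or anything unlisted is blocked outright, the rest is reviewed
    verdict = "block" if ext_id in BLACKSTINK_EXTENSION_IDS or ext_id not in allowlist \
        else ("review" if findings else "ok")
    return {"id": ext_id, "name": manifest.get("name", "?"), "verdict": verdict, "findings": findings}

def audit_profile(extensions_dir, allowlist):
    """Walk Chrome's <profile>/Extensions/<id>/<version>/manifest.json layout (assumed path shape)."""
    return [audit_manifest(mf.parent.parent.name, json.loads(mf.read_text("utf-8")), allowlist)
            for mf in sorted(Path(extensions_dir).glob("*/*/manifest.json"))]

# Constructed manifest modelled on the permissions the post attributes to the extension
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "G Docs - Servicio de almacenamiento de documentos en la nube",
    "permissions": ["webNavigation", "scripting", "storage", "tabs"],
    "background": {"service_worker": "background.js"},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"], "all_frames": True}],
}

if __name__ == "__main__":
    report = audit_manifest("oeibmahkcodkjoicdohdhdiljbpgphcd", SAMPLE_MANIFEST, allowlist=set())
    print(report["verdict"], *report["findings"], sep="\n  ")
```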

Attack Flow Visualization (Summary)

  1. Victim installs fake Chrome extension.
  2. Extension gains browser permissions.
  3. Background service monitors user activity.
  4. Victim visits banking site.
  5. Fake forms replace real ones.
  6. Overlays hide true pages.
  7. API call executes unauthorized transfer.

Lessons Learned: Why Threat Intelligence Matters

The BlackStink campaign marks a turning point in browser-based attacks. It bypasses endpoint defenses by operating inside the browser. Traditional EDR and antivirus tools can’t see this layer.

Why Organizations Are Vulnerable

– Security models focused only on endpoints
– Lack of browser visibility
– Poor extension management
– Trusted browser environments exploited
– Rapidly evolving attacker methods

What Threat Intelligence Platforms Provide

SOCRadar Modules:

Digital Risk Protection

Detects phishing, fake extensions, and impersonation of brands.

Threat Intelligence & IoC Feeds

Provides real-time IoCs (domains, hashes, IDs) and integrates with SIEMs.

Attack Surface Management

Finds exposed assets vulnerable to browser-based attacks.

Vulnerability Intelligence

Tracks browser-related zero-days and prioritizes patching.

The Path Forward

Organizations must go beyond endpoint security. Essential steps include:

  1. Browser security policies and control over extensions
  2. Continuous auditing of extensions
  3. Integration of threat intelligence into workflows
  4. User training on browser threats
  5. Network monitoring for malicious activity

BlackStink proves that attackers adapt quickly – security teams must do the same.