ShadowExtension: Chrome-Based BlackStink Campaign Targets Latin American Banks

Tags: browser-extension, LATAM, chrome-malware, session-hijack

A newly uncovered malware campaign known as BlackStink uses a deceptive Chrome extension to infiltrate Latin American banking portals. The extension poses as a cloud-service tool while injecting fake forms into banking pages, hijacking authenticated sessions and issuing fraudulent transfers in real time. Stealth updates, broad extension permissions and obfuscated scripts let the attackers act on the victim's account from inside the browser, where the traffic is already authenticated and looks like the user's own, which makes detection and prevention especially challenging.
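The permission profile described above (broad host access, request or cookie access, script injection into pages and an update channel outside the Chrome Web Store) can be triaged statically from an extension's manifest.json. The following is an added example written for this page, not code from the BlackStink extension or from the original report. The sensitive-permission list, the "banker-style" combination rule and both sample manifests are the editor's assumptions, constructed for illustration.

```javascript
// Added example: static triage of a Chrome extension manifest for the
// permission profile a banking-injection extension needs. Not the campaign's
// code; lists and thresholds below are assumptions made for this example.

// Permissions that let an extension intercept traffic, read session state or
// run code in pages. "tabs" alone is common in benign extensions but is
// flagged because it exposes visited URLs.
const SENSITIVE_PERMISSIONS = new Set([
  "webRequest", "webRequestBlocking", "declarativeNetRequest", "scripting",
  "cookies", "tabs", "webNavigation", "clipboardRead", "nativeMessaging", "debugger",
]);

// Host patterns that grant access to every site the victim visits.
const BROAD_HOST_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// The Chrome Web Store update endpoint; anything else is self-hosted updating.
const WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx";

function isBroadHost(pattern) {
  return BROAD_HOST_PATTERNS.includes(pattern);
}

// Returns a list of human-readable findings; an empty list means nothing flagged.
function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  const hosts = manifest.host_permissions || [];
  // MV2 manifests put host patterns in "permissions"; treat both locations alike.
  const allHosts = [...hosts, ...perms.filter(p => p.includes("://") || p === "<all_urls>")];

  for (const p of perms) {
    if (SENSITIVE_PERMISSIONS.has(p)) findings.push(`sensitive permission: ${p}`);
  }
  for (const h of allHosts) {
    if (isBroadHost(h)) findings.push(`broad host access: ${h}`);
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isBroadHost)) {
      findings.push(`content script injected into all sites: ${cs.js?.join(",") ?? "(no js)"}`);
    }
  }
  if (manifest.update_url && manifest.update_url !== WEB_STORE_UPDATE_URL) {
    findings.push(`third-party update_url: ${manifest.update_url}`);
  }
  // Combination rule (assumption): page injection plus session/request access
  // on every site is the profile needed for form injection and session theft.
  const canInject = perms.includes("scripting") || (manifest.content_scripts || []).length > 0;
  const canReadSession = perms.includes("cookies") || perms.includes("webRequest");
  if (canInject && canReadSession && allHosts.some(isBroadHost)) {
    findings.push("injects scripts AND reads cookies/requests on all sites: banker-style profile");
  }
  return findings;
}

function riskScore(manifest) {
  return auditManifest(manifest).length;
}

// Constructed sample: the shape a "cloud service" lure extension might ship with.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "CloudSync Helper",
  version: "1.4.2",
  permissions: ["storage", "scripting", "cookies", "webRequest", "tabs"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"], run_at: "document_start" }],
  update_url: "https://example.invalid/update.xml",
  background: { service_worker: "bg.js" },
};

// Constructed benign manifest for comparison.
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: "Note Taker",
  version: "2.0.0",
  permissions: ["storage"],
  host_permissions: [],
  update_url: WEB_STORE_UPDATE_URL,
};

console.log(auditManifest(SAMPLE_MANIFEST));
console.log(auditManifest(BENIGN_MANIFEST));
```

Run it with Node against a manifest unpacked from the user's profile directory (Chrome keeps installed extensions under the profile's Extensions folder) or exported by a fleet-management tool. The score is a triage aid, not a verdict: many legitimate password managers also carry "cookies" and broad host access, so the combination with a non-Web-Store update_url is the finding worth escalating first.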

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

T1056.001 – Input Capture: Keylogging

ID: DS0017
Data Source: Command
Data Component: Command Execution
Detects: Monitor executed commands and arguments associated with modifications to variables and files associated with loading shared libraries, such as LD_PRELOAD on Linux and DYLD_INSERT_LIBRARIES on macOS.

ID: DS0027
Data Source: Driver
Data Component: Driver Load
Detects: Monitor for unusual kernel driver installation activity.

Analytic 1 - Unexpected kernel driver installations.

index=security sourcetype="WinEventLog:System" EventCode=7045 | where match(Service_Name, "(?i)(keylogger|input|capture|sniff|monitor|keyboard|logger|driver)")

ID: DS0022
Data Source: File
Data Component: File Creation
Detects: Monitor for newly constructed files that are added to absolute paths of shared libraries, such as LD_PRELOAD on Linux (for example /etc/ld.so.preload) and DYLD_INSERT_LIBRARIES on macOS.

ID: DS0009
Data Source: Process
Data Component: OS API Execution
Detects: Monitor for API calls to SetWindowsHook, GetKeyState, and GetAsyncKeyState.

T1552.001 – Unsecured Credentials: Credentials In Files

ID: DS0017
Data Source: Command
Data Component: Command Execution
Detects: Monitor executed commands and arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials).

Analytic 1 - Commands indicating credential searches in files.

(index=security sourcetype="Powershell" EventCode=4104 (ScriptBlockText="*password*" OR ScriptBlockText="*credential*")) OR (index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 (CommandLine="*password*" OR CommandLine="*credential*")) OR (index=os sourcetype="linux_audit" action="execve" (CommandLine="*password*" OR CommandLine="*credential*"))

Note that PowerShell event 4104 carries the script text in ScriptBlockText, not CommandLine, and that an unwildcarded term such as CommandLine="password" matches only a command line that is exactly that string, so the wildcards are required for the search to fire on real activity.
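To check what the two analytics above (the 7045 driver-install search under T1056.001 and the credential-search query under T1552.001) actually match, here they are re-implemented as plain functions run over constructed log records. This is an added example for this page, not code from the original report or from MITRE; the field names mirror the Splunk-style fields in the queries, and every sample record is made up for illustration.

```javascript
// Added example: the two detection analytics quoted on this page, expressed as
// JavaScript filters over event records so the matching logic can be exercised
// offline. Field names follow the Splunk queries above; the records are
// constructed samples, not real telemetry.

// T1056.001 Analytic 1: same regex as the quoted query. Note that "monitor" and
// "driver" will also match many legitimate services, so this is a triage list.
const KEYLOGGER_DRIVER_RE = /(keylogger|input|capture|sniff|monitor|keyboard|logger|driver)/i;

// T1552.001 Analytic 1: the terms listed in the prose above, matched as
// substrings (a real command line never equals the bare word "password").
const CRED_SEARCH_RE = /(password|pwd|login|secure|credential)/i;

// Event 7045 in the System log records a newly installed service or driver.
function suspiciousDriverInstalls(events) {
  return events.filter(e =>
    e.sourcetype === "WinEventLog:System" &&
    e.EventCode === 7045 &&
    KEYLOGGER_DRIVER_RE.test(e.Service_Name || "")
  );
}

// The searchable text lives in a different field per source, so normalise first.
// Returns null for records the analytic does not cover.
function commandText(e) {
  if (e.sourcetype === "Powershell" && e.EventCode === 4104) return e.ScriptBlockText || "";
  if (e.sourcetype === "WinEventLog:Microsoft-Windows-Sysmon/Operational" && e.EventCode === 1) return e.CommandLine || "";
  if (e.sourcetype === "linux_audit" && e.action === "execve") return e.CommandLine || "";
  return null;
}

function credentialSearches(events) {
  return events.filter(e => {
    const text = commandText(e);
    return text !== null && CRED_SEARCH_RE.test(text);
  });
}

// Constructed sample records (not real telemetry).
const SAMPLE_EVENTS = [
  { sourcetype: "WinEventLog:System", EventCode: 7045, Service_Name: "KbdCaptureSvc", Service_File_Name: "C:\\Windows\\Temp\\kc.sys" },
  { sourcetype: "WinEventLog:System", EventCode: 7045, Service_Name: "PrintSpoolerHelper", Service_File_Name: "C:\\Program Files\\Vendor\\psh.exe" },
  { sourcetype: "WinEventLog:System", EventCode: 7045, Service_Name: "InputMonitor", Service_File_Name: "C:\\Users\\Public\\im.sys" },
  { sourcetype: "WinEventLog:System", EventCode: 7036, Service_Name: "keylogger", Message: "state change only, not an install" },
  { sourcetype: "Powershell", EventCode: 4104, ScriptBlockText: "Get-ChildItem -Recurse | Select-String -Pattern 'password'" },
  { sourcetype: "WinEventLog:Microsoft-Windows-Sysmon/Operational", EventCode: 1, CommandLine: "findstr /si credential *.txt *.xml" },
  { sourcetype: "WinEventLog:Microsoft-Windows-Sysmon/Operational", EventCode: 1, CommandLine: "notepad.exe C:\\Users\\a\\notes.txt" },
  { sourcetype: "linux_audit", action: "execve", CommandLine: "grep -ri password /etc /home" },
  { sourcetype: "linux_audit", action: "execve", CommandLine: "ls -la /tmp" },
];

console.log("driver installs:", suspiciousDriverInstalls(SAMPLE_EVENTS).map(e => e.Service_Name));
console.log("credential searches:", credentialSearches(SAMPLE_EVENTS).map(e => commandText(e)));
```

The 7036 record with a suspicious name is deliberately excluded: the quoted analytic keys on the install event, not later state changes, which is the right choice because the install carries the binary path that an analyst needs to pivot on. In production both lists need an allow-list of known service names and admin tooling before they are worth alerting on.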

Observed Countries (4)

AR (696)
BR (671)
CO (992)
MX (223)