
ShadowExtension: Chrome-Based BlackStink Campaign Targets Latin American Banks
A newly uncovered malware campaign known as BlackStink uses a deceptive Chrome extension to infiltrate Latin American banking portals. The extension disguises itself as a cloud service while secretly injecting fake forms, hijacking sessions, and executing fraudulent transfers in real time. Its use of stealth updates, powerful permissions, and obfuscated scripts allows attackers to manipulate accounts directly from within the victim’s browser, making detection and prevention especially challenging.
Notes
<div class="content-body">
<span class="content-title">CONCLUSION</span>
<p class="content-description">The BlackStink campaign illustrates a newer class of banking malware that relies on browser-based techniques instead of traditional executable payloads. By delivering a malicious Chrome extension to customers of Latin American banks, the operators bypass endpoint protection and gain direct access to the victim's authenticated browser sessions.</p>
<p class="content-description">This approach is particularly dangerous because it:</p>
<p class="content-description">Exploits user trust in the Chrome browser ecosystem</p>
<p class="content-description">Leaves few conventional malware signatures on the endpoint</p>
<p class="content-description">Enables immediate credential theft and session takeover</p>
<p class="content-description">SOCRadar's <a href="https://socradar.io/">Threat Intelligence</a> and monitoring modules support defense against this kind of threat:</p>
<p class="content-description">Monitor the activity and indicators of compromise linked to BlackStink and similar threat actors.</p>
<p class="content-description"><a href="https://socradar.io/category/digital-risk-protection/">Digital Risk Protection</a>: Determine whether your brand is being impersonated by phishing websites or malicious extensions.</p>
<p class="content-description"><a href="https://socradar.io/products/attack-surface-management/">Attack Surface Management:</a> Identify exposed endpoints that browser extensions of this kind could abuse.</p>
<p class="content-description"><a href="https://socradar.io/labs/app/ioc-radar">IOC Feed</a> and <a href="https://socradar.io/">Threat Intelligence:</a> Add the hashes, URLs, and domains associated with the campaign to your detection rules.</p>
<p class="content-description">SOCRadar gives security teams the tooling to act proactively, such as taking down threat infrastructure and training users on the risks of Chrome extensions.</p>
</div>
Mitigation
<div class="content-container">
<span class="content-title">T1056.001 – Input Capture: Keylogging</span>
<p class="content-description">This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.</p>
<span class="content-title">T1552.001 – Unsecured Credentials: Credentials In Files</span>
<div align="left">
<table>
<colgroup> <col> <col> <col> </colgroup>
<tbody>
<tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1047">M1047</a></td> <td><a href="https://attack.mitre.org/mitigations/M1047">Audit</a></td> <td>Preemptively search for files containing passwords and take actions to reduce the exposure risk when found.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1027">M1027</a></td> <td><a href="https://attack.mitre.org/mitigations/M1027">Password Policies</a></td> <td>Establish an organizational policy that prohibits password storage in files.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1022">M1022</a></td> <td><a href="https://attack.mitre.org/mitigations/M1022">Restrict File and Directory Permissions</a></td> <td>Restrict file shares to specific directories with access only to necessary users.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1017">M1017</a></td> <td><a href="https://attack.mitre.org/mitigations/M1017">User Training</a></td> <td>Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.</td> </tr>
</tbody>
</table>
</div>
<span class="content-title">T1176 – Browser Extensions</span>
<div align="left">
<table>
<colgroup> <col> <col> <col> </colgroup>
<tbody>
<tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1047">M1047</a></td> <td><a href="https://attack.mitre.org/mitigations/M1047">Audit</a></td> <td>Ensure extensions that are installed are the intended ones, as many malicious extensions will masquerade as legitimate ones.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1038">M1038</a></td> <td><a href="https://attack.mitre.org/mitigations/M1038">Execution Prevention</a></td> <td>Set a browser extension allow or deny list as appropriate for your security policy. <a href="http://www.technospot.net/blogs/block-chrome-extensions-using-google-chrome-group-policy-settings/">[22]</a></td> </tr>
</tbody>
</table>
</div>
<span class="content-title">T1566 – Phishing</span>
<div align="left">
<table>
<colgroup> <col> <col> <col> </colgroup>
<tbody>
<tr> <th>ID</th> <th>Mitigation</th> <th>Description</th> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1049">M1049</a></td> <td><a href="https://attack.mitre.org/mitigations/M1049">Antivirus/Antimalware</a></td> <td>Anti-virus can automatically quarantine suspicious files.</td> </tr>
<tr> <td><a href="https://attack.mitre.org/mitigations/M1017">M1017</a></td> <td><a href="https://attack.mitre.org/mitigations/M1017">User Training</a></td> <td>Users can be trained to identify social engineering techniques and phishing emails.</td> </tr>
</tbody>
</table>
</div>
</div>
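A defender-side check for the T1176 Audit and Execution Prevention mitigations above, added here as an example and not SOCRadar's or MITRE's code: it audits the manifests in a Chrome profile's Extensions directory against an organizational allowlist of extension IDs and flags the traits the report attributes to the BlackStink extension (broad permissions, a self-hosted update URL for stealth updates, content scripts injected into every site). The allowlist, the Web Store update URL constant and the two sample manifests are assumptions and constructed data, not real indicators.

```python
"""Audit Chrome extensions against an allowlist and flag manifest traits that a
session-hijacking banking extension needs (constructed samples, not real IoCs)."""
import json
from pathlib import Path

# Permissions that let an extension read or alter every page, intercept
# requests or read session cookies.
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "cookies", "tabs",
                     "scripting", "declarativeNetRequest", "<all_urls>"}
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Web Store extensions update from here; anything else is self-hosted.
OFFICIAL_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def assess_manifest(ext_id: str, manifest: dict, allowlist: set) -> dict:
    """Return id, name and a list of findings for one extension (empty = clean)."""
    findings = []
    if ext_id not in allowlist:
        findings.append("not on allowlist")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        findings.append("risky permissions: " + ", ".join(risky))
    # A self-hosted update_url allows silent code changes outside the Web Store.
    update_url = manifest.get("update_url")
    if update_url and update_url != OFFICIAL_UPDATE_URL:
        findings.append("non-store update_url: " + update_url)
    # Content scripts matched on every site can inject fake forms anywhere.
    if any(BROAD_MATCHES & set(s.get("matches", [])) for s in manifest.get("content_scripts", [])):
        findings.append("content script runs on all sites")
    return {"id": ext_id, "name": manifest.get("name", "?"), "findings": findings}


def audit_profile(extensions_dir: Path, allowlist: set) -> list:
    """Assess <profile>/Extensions/<id>/<version>/manifest.json (Chrome's on-disk
    layout) and return only the extensions that have findings."""
    results = []
    for path in extensions_dir.glob("*/*/manifest.json"):
        manifest = json.loads(path.read_text(encoding="utf-8"))
        results.append(assess_manifest(path.parent.parent.name, manifest, allowlist))
    return [r for r in results if r["findings"]]


# Constructed sample manifests: one mimicking a "cloud service" lure, one benign.
SUSPICIOUS = {"name": "Cloud Sync Helper", "manifest_version": 3,
              "permissions": ["cookies", "tabs", "scripting", "webRequest"],
              "host_permissions": ["<all_urls>"],
              "update_url": "https://updates.example-cdn.invalid/crx",
              "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}
BENIGN = {"name": "Corporate Vault", "manifest_version": 3, "permissions": ["storage"],
          "host_permissions": ["https://vault.corp.example/*"], "update_url": OFFICIAL_UPDATE_URL}
```

Run `audit_profile(Path(r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions"), allowlist)` (path expanded for the host) to get only the extensions worth a closer look; anything flagged "not on allowlist" is a candidate for the ExtensionInstallBlocklist policy referenced in the M1038 row.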