Razy, a Malware That Swindles Your Cryptos By Attacking Browser Extension

Ever wondered why spam ads that often lean towards pornography come up when you open your Internet browser on a desktop? This could be because a malicious program could have taken control of one of your browser extensions in order to steal your cryptocurrency. Recent Kaspersky research has found that a malicious program called ‘Razy’ infects browser extensions and spoofs search results with cryptocurrency as the main objective. To understand this, we must first know how cryptocurrency can be looted.

According to Manoharan Ramachandra, a research candidate at the Bourenmouth University, the probability of stealing depends on where a user keeps it.

Ramachandra said “Cryptocurrencies are values that are stored in blockchain under different addresses. One can exchange these values between different addresses using the private key of each address.”

He further said “If an address and private key are stored somewhere, it is called a wallet. If you have a private wallet where you can control your private key, then you are solely responsible for your cryptos. If you lose your private key, you will lose your money forever.”

Over here, the malicious program searches for cryptocurrency wallets on websites and replaces them with the threat actor’s wallet addresses. As of now, researchers have found that the malicious program Trojan.Win32.Razy.gen “works” on Google Chrome, Mozilla Firefox and Yandex browser.

In Firefox, Razy installs an extension called ‘Firefox Protection’. In Yandex, it edits a file to disable the security check of the browser and creates a registry key to disable browser updates. Thereafter, it installs a malicious extension called Yandex Protect. Similarly, in Google Chrome, it edits files, disables security check and infects the existing extension.

The research report said “Main.js (a script in the Razy program) also spoofs Google and Yandex search results. Fake search results are added to pages if the search request is connected with cryptocurrencies and cryptocurrency exchanges, or just music downloading or torrents. This is the way that users are enticed to visit infected websites or legitimate websites laced with scam/fake messages which would usually describe the user about “new features”.

According to the Kaspersky Report, Razy scripts show the user false messages about “new features” in exchanges and offer to sell cryptocurrency at higher market rates. In other words, users are persuaded to transfer money under the pretext of a good deal to a cybercriminal wallet.