lazarusholic

Hunting Lazarus Part IX: The Google Mirror

2026-05-22, RedAsgard
https://redasgard.com/blog/hunting-lazarus-part9-google-mirror
#BeaverTail #OtterCookie

Five trojanized browser extensions extracted Google profile identity through chrome.identity and routed it through an Aptos blockchain dead drop. Before any wallet artifact moved, the extension asked Chrome who owned the browser.
The full investigation is consolidated in the Inside the Machine research article.
The wallet trojan that asked Chrome who owned the browser.
Before the wallet trojan stole anything, it asked Chrome who was sitting at the browser.
It did not have to look the answer up. Chrome already knew it.
The extension called chrome.identity.getProfileUserInfo(), took the Google profile identifier and email address the browser handed back, wrapped them into a small JSON object, and sent that object to a server it had just looked up on the Aptos blockchain.
Then it set a flag so it would not ask twice.
That was the first request the extension made. Before any wallet artifact moved. Before any user activity. Before the …
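A static triage check for an unpacked extension, built from the behaviour described above: it flags the identity permissions in the manifest, a call to chrome.identity.getProfileUserInfo, and a lookup against an Aptos fullnode account endpoint, and treats the combination of profile lookup plus dead-drop lookup as the pattern worth escalating. This is an added example, not code from the article or from the extensions it analyzes; the sample extension files, the 0xPLACEHOLDER account and the function names are constructed.

```python
import json
import re

# Constructed sample of an unpacked extension (not the real extension's files),
# embedded inline so the check runs offline.
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({
        "manifest_version": 3,
        "name": "Example Wallet Helper",
        "permissions": ["storage", "identity", "identity.email"],
        "host_permissions": ["https://fullnode.mainnet.aptoslabs.com/*"],
        "background": {"service_worker": "bg.js"},
    }),
    "bg.js": """
chrome.identity.getProfileUserInfo(function (info) {
  fetch("https://fullnode.mainnet.aptoslabs.com/v1/accounts/0xPLACEHOLDER/transactions?limit=1");
});
""",
}

# Indicators derived from the behaviour described in the article.
PROFILE_API = re.compile(r"chrome\.identity\.getProfileUserInfo\s*\(")
APTOS_FULLNODE = re.compile(r"https?://fullnode\.\w+\.aptoslabs\.com/v1/accounts/")
# "identity" gates getProfileUserInfo; "identity.email" is what exposes the email field.
IDENTITY_PERMS = {"identity", "identity.email"}

def triage_extension(files):
    """Return a set of findings for an unpacked extension given as {path: text}."""
    findings = set()
    manifest = json.loads(files.get("manifest.json", "{}"))
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    for perm in sorted(perms & IDENTITY_PERMS):
        findings.add(f"manifest requests the {perm} permission")
    for path, text in files.items():
        if not path.endswith(".js"):
            continue
        if PROFILE_API.search(text):
            findings.add(f"{path}: calls chrome.identity.getProfileUserInfo")
        if APTOS_FULLNODE.search(text):
            findings.add(f"{path}: queries an Aptos fullnode account endpoint")
    return findings

def is_suspicious(files):
    """Profile lookup plus a blockchain dead-drop lookup is the pairing described above."""
    findings = triage_extension(files)
    has_profile = any("getProfileUserInfo" in f for f in findings)
    has_dead_drop = any("Aptos fullnode" in f for f in findings)
    return has_profile and has_dead_drop

if __name__ == "__main__":
    for finding in sorted(triage_extension(SAMPLE_EXTENSION)):
        print(finding)
    print("suspicious:", is_suspicious(SAMPLE_EXTENSION))
```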

IoC

https://fullnode.mainnet.aptoslabs.com/v1/accounts/0xa3047f3ccd...455e88/transactions?limit=1