InfoStealer Paon with extended functionality
Recently, Check Point's Infinity XDR, a cross-product threat detection platform that will be officially available later this year, discovered a malicious Chrome extension. The malware modifies Chrome LNK files (the Windows shortcuts that launch the Chrome browser) and appends malicious command-line arguments to them. Chrome extensions are popular because they extend the functionality of the browser; this malicious extension, called Paon, abuses that position to collect credentials and user data, steal browser cookies, install adware, redirect search queries to phishing or spam pages, and quite a bit more.
The malware can also install adware, redirect search queries to phishing sites, and add new commands to itself
The malware uses two arguments to continuously overwrite the browser's LNK files. These force the extension to load on its own, without any user interaction: every time the user starts Chrome through one of those shortcuts, the extension is loaded. It steals the user's cookies and thereby gets access to any account the browser is signed into, without needing the credentials. The file "poan.exe" enumerates the LNK files on the victim's computer and adds the "load extension" argument to each Chrome shortcut, which ensures that any shortcut to Chrome launches the browser together with the malicious extension.
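The persistence trick described above leaves a simple artifact on disk: a Chrome shortcut whose COMMAND_LINE_ARGUMENTS string carries a --load-extension switch. The script below is an added example, not Check Point's code or the malware's: it parses the ShellLinkHeader and StringData sections of a .lnk file directly (MS-SHLLINK format, no third-party library), then flags any Chrome shortcut whose arguments sideload an extension. The sample shortcuts are constructed in code, so the check runs offline; the extension path and the second argument in the sample are assumptions, since the article does not say what the second argument is.

```python
import struct
from pathlib import Path
from typing import Dict, List

# Constants from the MS-SHLLINK specification (ShellLinkHeader and LinkFlags).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections appear in this fixed order, each only if its flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# The only Chrome switch the article names. Extending this tuple is an assumption.
SUSPICIOUS_SWITCHES = ("--load-extension",)


def parse_lnk(data: bytes) -> Dict[str, str]:
    """Return the StringData fields (relative_path, arguments, ...) of a .lnk blob."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    # Skip LinkTargetIDList: u16 size that does not include the size field itself.
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]
    # Skip LinkInfo: u32 size that does include the size field.
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]
    fields: Dict[str, str] = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # character count, not bytes
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + count * 2].decode("utf-16-le")
            off += count * 2
        else:
            fields[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return fields


def is_chrome_shortcut(fields: Dict[str, str]) -> bool:
    """Heuristic: the shortcut points at chrome.exe via its RELATIVE_PATH or WORKING_DIR.
    (The absolute target lives in LinkInfo, which this minimal parser skips.)"""
    target = (fields.get("relative_path", "") + " " + fields.get("working_dir", "")).lower()
    return "chrome.exe" in target or "chrome\\application" in target


def suspicious_switches(fields: Dict[str, str]) -> List[str]:
    """Argument tokens that sideload an extension into the browser at start-up."""
    return [tok for tok in fields.get("arguments", "").split()
            if tok.lower().startswith(SUSPICIOUS_SWITCHES)]


def scan_lnk_bytes(data: bytes) -> List[str]:
    """Hits for one shortcut: empty unless it is a Chrome shortcut with a sideload switch."""
    fields = parse_lnk(data)
    return suspicious_switches(fields) if is_chrome_shortcut(fields) else []


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk a directory tree (e.g. the Desktop and Start Menu) and report infected shortcuts."""
    hits: Dict[str, List[str]] = {}
    for path in Path(root).rglob("*.lnk"):
        try:
            found = scan_lnk_bytes(path.read_bytes())
        except ValueError:
            continue  # not a well-formed shell link; skip it
        if found:
            hits[str(path)] = found
    return hits


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Construct a minimal Unicode .lnk carrying only RELATIVE_PATH and optional arguments
    (used here to fabricate sample shortcuts; real files also carry IDList/LinkInfo)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # attributes, timestamps, etc. zeroed
    body = b""
    for s in (relative_path, arguments):
        if s:
            body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    chrome = r"..\Program Files\Google\Chrome\Application\chrome.exe"
    # Constructed samples: a clean shortcut and one rewritten the way the article describes.
    clean = build_lnk(chrome)
    infected = build_lnk(chrome, r'--load-extension="C:\Users\Public\ext" https://example.com')
    print("clean   :", scan_lnk_bytes(clean))
    print("infected:", scan_lnk_bytes(infected))
```

Run scan_directory over the user's Desktop, Start Menu and taskbar pinned-shortcut folders to triage a host; a Chrome shortcut with any --load-extension argument is almost never legitimate on an end-user machine and is worth quarantining together with the directory the switch points at.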
The main functions of this operation are to steal cookies, take over Facebook accounts, and load and play YouTube videos in hidden frames. The malware also reads the user's clipboard and monitors the user's keystrokes. In addition, the extension's loader can run a "run script" command, which lets the malware change itself and add new commands while it is running. Once the sideloaded extension is in the browser, it has full control over every session and can modify all HTML and JavaScript on the pages the user visits, which greatly increases the damage it can do.
Infinity XDR has blocked the C&C URL and stopped the malicious process. The platform can also detect and prevent other complex malicious behaviors, such as the modification of Chrome LNK files to sideload an extension. Early availability of Infinity XDR is expected in June, with general release scheduled for the last quarter of 2022.