We have been following a malicious browser extension that claims to have been
developed by various different software companies.
The extension installs itself into the browser and makes posts to social media
sites such as Twitter, Facebook and Google+ on the user's behalf. One of the
variants installs itself as "F-Secure Security Pack" -- and trust us -- it's
definitely not coming from us.
The installer for this malware is commonly a self-extracting WinRAR
executable, although samples come packed in various other ways as well. We can
take a peek at the contents of one of the samples:
The contents give a hint to what the malware installer contains: an extension
for both Firefox and Chrome (the .xpi and .crx files).
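A triage helper for the bundled extension files, as an added example that is not from the original post: it walks the CRX header to the embedded ZIP, reads the extension's manifest.json and flags names that mimic a security vendor. The vendor watch-list and the sample .crx are constructed here; for .xpi input it assumes a manifest.json-based archive, and no signature is verified.

```python
import io
import json
import struct
import zipfile

# Constructed watch-list of vendor strings a malicious extension might borrow.
IMPERSONATED_VENDORS = ("f-secure", "security pack")


def crx_zip_offset(data: bytes) -> int:
    """Offset of the ZIP payload inside a .crx file.

    CRX2: "Cr24" | version=2 | pubkey_len | sig_len | pubkey | sig | zip
    CRX3: "Cr24" | version=3 | header_len | header (protobuf) | zip
    Integers are little-endian uint32. Signatures are not checked: this is a
    triage parser, not a trust decision.
    """
    if data[:4] != b"Cr24":
        raise ValueError("not a CRX file (bad magic)")
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 2:
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        return 16 + key_len + sig_len
    if version == 3:
        return 12 + struct.unpack_from("<I", data, 8)[0]
    raise ValueError(f"unsupported CRX version {version}")


def extension_manifest(data: bytes) -> dict:
    """Read manifest.json from a .crx (header + zip) or a plain zip such as .xpi."""
    offset = crx_zip_offset(data) if data[:4] == b"Cr24" else 0
    with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
        return json.loads(zf.read("manifest.json"))


def triage(data: bytes) -> dict:
    """Fields a responder checks first, plus a vendor-impersonation flag."""
    m = extension_manifest(data)
    name = str(m.get("name", ""))
    return {
        "name": name,
        "version": m.get("version"),
        "permissions": sorted(m.get("permissions", [])),
        "impersonates_vendor": any(v in name.lower() for v in IMPERSONATED_VENDORS),
    }


def build_sample_crx2(manifest: dict) -> bytes:
    """Constructed CRX2 sample with dummy key/signature bytes (not really signed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
    key, sig = b"K" * 16, b"S" * 32
    return b"Cr24" + struct.pack("<III", 2, len(key), len(sig)) + key + sig + buf.getvalue()
```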
The executables for this malware are signed using a certificate assigned to a
company called "VIDEO TECH PRODUCOES LTDA":
It's unclear at this point if the certificate has been stolen or if there is
some other connection between the company and the malware samples.
The installer registers an extension with the name of "F-Secure Security Pack":
The same happens for the Firefox browser, with slightly different registration
Depending on the targeted region, the malware uses ...