New “ABCsoup” Adware Campaign Targeting Russian Users with Malicious Browser Extensions

A new adware campaign targeting Russian users with malicious browser extensions shows technical sophistication and significant preparation.
New “ABCsoup” Adware Campaign Targeting Russian Users with Malicious Browser Extensions

Context

On June 7, 2022, researchers at Zimperium reported technical details of an adware campaign targeting Russian gaming, social media, and ecommerce site users. The campaign uses more than 350 variations of malicious browser extensions using the Google Translate extension ID to trick victims into downloading the malicious files. Researchers named the extension group “ABCsoup.” The current campaign targets Google Chrome, Opera and Firefox browsers. In addition to pushing ads, the extensions also steal credentials and cookies from infected users.

Technical Details

Zimperium researchers noted several defining tactics, techniques, and procedures (TTPs) associated with the campaign:

  • Installing the extension in three major browsers on a victim’s machine.
  • Using Google Translate Extension ID to hide itself from endpoint security solutions, scanners, and the victims.
  • Use of heavy obfuscation.
  • Personalized ads based on user information.

Threat actors are using the key variable in the manifest to forge fake browser extensions with the same extension ID as the Google Translate extension. The extensions must be delivered to targets via sideloading because security controls in browser stores prevent them from being loaded.

Upon loading, the extension is dropped in the appropriate location in the targeted browser and modifies the registry file. The extension becomes active once the infected browser is closed and reopened by the victim. Once executed, the extension sends a log request to a command and control (C2) domain that contains logs for all three browses and some stolen credentials from the infected browser.

Impact Analysis

Given that the overwhelming majority of the campaign’s C2 domains are Russian, and the “VK” social media site targeted in the campaign are Russian, it is likely that the campaign is currently targeting Russian users and that the threat actors are based in Russia or Eastern Europe. However, it is possible that the campaign could expand to other regions, and Zimperium researchers note that when user data is collected on Russian sites, global users will see less personalization in targeted online ads.

IOCs

Researchers from Zimperium provided the following indicators of compromise (IOCs):

Indicator Type Notes
dxrvcwmlzk[.]ru Domain C2 Domain
vxnsxcwtky[.]ru Domain C2 Domain
qxkyvdxfst[.]ru Domain C2 Domain
ebisgjvjce[.]ru Domain C2 Domain
kviiqfesoa[.]ru Domain C2 Domain
hxtqvgexlf[.]ru Domain C2 Domain
xxozqcyglz[.]ru Domain C2 Domain
kdhxxdbmmj[.]ru Domain C2 Domain
nykbneelqp[.]ru Domain C2 Domain
fojqexnqwn[.]ru Domain C2 Domain
zmhikmcqka[.]ru Domain C2 Domain
mysqkptdzp[.]ru Domain C2 Domain
wajxzdmbek[.]ru Domain C2 Domain
wbfcyoqqgy[.]ru Domain C2 Domain
jskwpehjbn[.]ru Domain C2 Domain
fpeplvrlgt[.]ru Domain C2 Domain
qeyapfqhwl[.]ru Domain C2 Domain
bjdibiyyei[.]ru Domain C2 Domain
evwoqwrdzv[.]ru Domain C2 Domain
nvwtztiwrp[.]ru Domain C2 Domain
hzszqoimbc[.]ru Domain C2 Domain
rptcavxndj[.]ru Domain C2 Domain
njbkjqsrmb[.]ru Domain C2 Domain
iyscytsgkb[.]ru Domain C2 Domain
ypsmoeqpql[.]ru Domain C2 Domain
aoxpvplfox[.]ru Domain C2 Domain
ajsbvlpser[.]ru Domain C2 Domain
wozjivizyw[.]ru Domain C2 Domain
laavnjznqf[.]ru Domain C2 Domain
iyzqporrgn[.]ru Domain C2 Domain
ldicmowfak[.]ru Domain C2 Domain
hlflheyikb[.]ru Domain C2 Domain
jsv14tlnaii[.]ru Domain C2 Domain
nliqmvcqib[.]ru Domain C2 Domain
gszosmbblv[.]ru Domain C2 Domain
exooseszox[.]ru Domain C2 Domain
rcqfjymyqq[.]ru Domain C2 Domain
vqhqadnrqm[.]ru Domain C2 Domain
vxlmidapfc[.]ru Domain C2 Domain
lqmxvqqzpz[.]ru Domain C2 Domain
ohedoyijef[.]ru Domain C2 Domain
hdjyrczkbn[.]ru Domain C2 Domain
dqlvaltxzw[.]ru Domain C2 Domain
ylxdxfqvda[.]ru Domain C2 Domain
qewiatlyzd[.]ru Domain C2 Domain
lrajephkmd[.]ru Domain C2 Domain
qvknfkhqfg[.]ru Domain C2 Domain
txnfrnrkir[.]ru Domain C2 Domain
qjqosngccj[.]ru Domain C2 Domain
deczqsqqfg[.]ru Domain C2 Domain
yznvtjxwfw[.]ru Domain C2 Domain
bxpfkabcmi[.]ru Domain C2 Domain
systemupdates1[.]top Domain C2 Domain
haibphnqqm[.]ru Domain C2 Domain
okavmpdagc[.]ru Domain C2 Domain
suppasml[.]ru Domain C2 Domain
f2a4ccecf516367cf5350cf69713bf5645021afb210d07329b468cf92ec0acec SHA256 EXE File
e0130496b44c7f6064cadbf365b93272098cc29da60b84fdfd5d8b7f62f8434e SHA256 EXE File
a4a1f23c3667854aab31835653e31576018ebc96ce55f813c51b7d41bbae4403 SHA256 EXE File
b9d2e73801c5741073b02704443bd36101e0c65863341e5813644e6a2c35aa2a SHA256 EXE File
71b0b37b924875bc174831db4809dd86b87f98849c500e0ea4df37888e98d115 SHA256 EXE File
146c4b6420540de18b8d9978a2206908fd4e5dbfdac06f31466e591b5f80afe3 SHA256 EXE File
fa53f7e326f7e0b93a79a2d4970d229b2262ca9ce0f1a45ba1759677a31fa5df SHA256 EXE File
20931d7fe65c0542583ebe66b9c093fb988fe680540bbddc021587c13d53a813 SHA256 EXE File
30ff74c0d71220d45ef0da3dd84c30b9f80db6a9927078fc57ca122120daad77 SHA256 EXE File
6f21d66608b7b0bb8e5508765ed9f0d2382acae6408bb7cf80f7806e8bcb9268 SHA256 EXE File
5446153bfe267e3d899660f1658954487818581da6511720a79b7120534d9048 SHA256 EXE File
49f5b05674dcf8c05fedd698baf44dde0013480c38f2a38a9401bc5eafcb60d3 SHA256 EXE File
b4500e50c9e36fc4a7ad36bb5f858f488f5e50c0f13005de3a670942a5bf1083 SHA256 EXE File
64cad223db7f3b44f562be463bcecd6b9bcc30a8ccedf5fd4121e8f32ea80ab5 SHA256 EXE File
5576aa2eabe7cb3319dc13e48fdf49e2f20d1f68a13a8748bda50523144f3511 SHA256 EXE File
c25cb57e0c618b89b0b72b7dbe3e39596c3767768038636c811959b87b81421f SHA256 EXE File
68fc2684a47f5e3d27cddda10a182e43ef133c3dafb57ae8119b34a1b5a28150 SHA256 EXE File
812b5ccb9fae00a9f98aafcb4e9c6088a75771962da68450f6f2afabc4b04ad3 SHA256 EXE File
518d70a81eb63632e41ab43025cbb203fdf076cf15f1bb368d7f7ead33aeb376 SHA256 EXE File
08f5b91ee363f69750b4decab1bd8a9282d43d46677e771c3216153182316c66 SHA256 EXE File
58af067cccdec7e7500db8ba129b01f832cffe333ef236c723bc9f7c44c0b25b SHA256 EXE File
3118781f9f857b9994572dd3f854e8d206a680303594ae182af2a7e6fa752c3f SHA256 EXE File
e337aecd0011db4333325bbf118966d4df171acfe7315ae823b2af29d2640689 SHA256 EXE File
42a178cc737c7c9f46d1d0fb7c1533e6feeba15149e8fa717c4f9172157a2b1c SHA256 EXE File
58b6ad464e81407f312718220a24cfb28aee07c6050f5833d7394df292b0d823 SHA256 EXE File
0cbb1042559a962bf3f5430deecb4548eb45d354d765eb3bf7b93660b607527d SHA256 EXE File
c31fa157e8997006e29f66f3fce53619b46173fe7d20ad3a54889c052e6bf273 SHA256 EXE File
6173142a313d1eaea5bdb678fa7dd5fa6b9bf347519d682fdcd5d1754b95d8e2 SHA256 EXE File
c23730ad27183ee423b2c592a3a8dfab0b91d122808a2987f14ae0d35dd5a269 SHA256 EXE File
d304afc890e7182eb9c58511f50af84ac8b17688738dff14857f3887adcf988f SHA256 EXE File
889661009f96e35def08507e5c4f87f3c3f9cbda89de057c379687159c894b6f SHA256 EXE File
dff504a2d8a9a068ca833a83319645c55848fd9d0413c25302265d13a443e416 SHA256 EXE File
da1e10f3346b03299748a7e3b680bc4d4965fc6234f57ac158b1aaa47529af1b SHA256 EXE File
95f9baa7f4b174c09a5f7269d259eaa94ac4d9e991d619382323ee3bbbdfc618 SHA256 EXE File
58178941d24b17f1054bd89c359c5dc294854dd0394a83429c6db47b29de05ed SHA256 EXE File
bdc6f5011089f0c4ba36e64bba6541f8486f7a9fcf1912885c33f43c1d7b8945 SHA256 EXE File
4155dd6b5b05ae09a8661f1f2593a3143e693c2de5db11a3fb158562b2a71794 SHA256 EXE File
4b1b25716e81655242a47739d01f0ecec1d571499ffcf8be73dcd6c659ebd304 SHA256 EXE File
6aefac50c06e547c31b5cdf7ddd14ded5824b39d7ac24c60569bcca2eefe90e4 SHA256 EXE File
188b1e5390c60118f53c7288dd85fc553b882daf65e23d36f01553a03e2e19d5 SHA256 EXE File
c1a8b14b82623415023d9815ab77d3483a7b75a73ffa1ce03bce8ff67b7745a1 SHA256 EXE File
2261af622fc1516c9f013b9f9759e4347c9bf7eee9c2a1f897d20d50c5f020fa SHA256 EXE File
720f3e986f79437663f2e1c08b29a8ecbda9cc9f680e7ff3d9c4248e880396ae SHA256 EXE File
e2266d9952c01c3a721994b1a6f6cde51c11ced81f0be984eef6517475b04031 SHA256 EXE File
4e10db19712ee8c3c2317c24ea3bbff993b907e9f79a688a6f1b4971504644e6 SHA256 EXE File
c475c63b794589977374843511739fc38711ab4a4fb9072de15483e505591d22 SHA256 EXE File
25b0552a49bf431943e68b3ca40956b4accd9be120eaae49692b1000a4994906 SHA256 EXE File
2125fcf4221cc7a915e40f60cc0acec5126cb36dadf8d09da4703455456a7441 SHA256 EXE File
d15920de7ac8d5776c8da8ee80eb73c0788d727e694e6f235402c4c76b7c6852 SHA256 EXE File
5a36b1aee562efadc2264dd21c060eb5eb375ea99d56e58cf4bd08509f113e30 SHA256 EXE File
30fbad2855441a181433233d48535c05f1cb1563283fe6ebe5e1758bc170f533 SHA256 EXE File
b354644b44a574b88b006a20ad165d5bf42a38494d736e8a53abf932646ace91 SHA256 EXE File
cbb162dc66fc08dd458d06a6e6f1dee402f81d8cdfa1f992d29b979175377aed SHA256 EXE File
c7a202318c1d99ed559f382f5827da32536182bbcb0f6a659a425a1d29e17045 SHA256 EXE File
004a7d95f071128023d0134be053d50a2814f86c3d7ee1263cb980c9ff54406b SHA256 EXE File
0e70aebddbed0c3d25dd0390533969dd516fd4b585e0c7b6814db2f45eb72481 SHA256 EXE File
c51c797ab4523bf3a8e68f8cdb65236c27499729fcb9f1d1c91a2eec369b256f SHA256 EXE File
0662c47cc8727bb4d22a2ab09f13be91c9d228bc26e87e8fddc9090ce8f8df19 SHA256 EXE File
da5f43a9e7ae6e5b701ee44e5d1100f18f08df1019c435bb63dd244cdebf1a2d SHA256 EXE File
26531ee9d426b033aec57e64880028ff4823bad8c12ab6d283453c5abfaff42e SHA256 EXE File
b93611c248a2cda22746d6f4fafec0995074be09fdc442ec6444ddcf1bd983eb SHA256 EXE File
e8a4b7690d9acda05f528e46666be76c40caa8ed7f4b41dabb6ae51d974cfe5d SHA256 EXE File
faaf9846f9070c455bc535e8a36fd7b74750c3f59c7d7a32d9a23c2894ba8987 SHA256 EXE File
378b42a82290804682d95edf9f6e5355f2c61f4952b6e164198803d5634c438e SHA256 EXE File
ba17e6b91a73eabce2f217429e522e6a0821f15ba5413f1160f7ba0e950d53f8 SHA256 EXE File
710f2e1f2eedb6dc65996671502d895815e57df53b2494d107637a1f6eb0de07 SHA256 EXE File
87669b9b13106049bc7dee270277e83310a6d24c20e3cc216ef9c0c8411958fc SHA256 EXE File
40d1f33b1e2209ee1501502d3ba21921cf40e2be0aeb4319480fa92eaa721179 SHA256 EXE File
8e5a949a1dbf084e512b2616c7dfd2b26405c68935d649455e523b2b2e3465ae SHA256 EXE File
cda5c36a2d6be79bdc11ab9298df0eaf6b8bccce208e3921516ca5ac71a2244a SHA256 EXE File
28c2010883cc695b68331c9b0510b239da02cdc259d65aa5cd90509453555957 SHA256 EXE File
bdc183de8545937d4c9ddc695004818480325e9f689be9f343e3e3136c179281 SHA256 EXE File
890518f01217acc17e36bbf7f46ecf37aa744e916ae13e2bd84901c032a8e269 SHA256 EXE File
6adca7681ae6d974df06835a2707a625727cbd0b25fe7aaa72807baac0c66bc9 SHA256 EXE File
85c72fdf84881b4ff9018de95a64e90e426418f4255aeef749568a7033d180cf SHA256 EXE File
11769a05c8cf25319bcb929995388925e47bd84c5fbabb2e4368d75062d84346 SHA256 EXE File
9cf3c83d3160b4d290154f752f35df7daff314c8fae35dda556dcdf6f537127a SHA256 EXE File
20c1fbae8e3b4da04ba69ea3d7323f476536357f7d5aa2eca2138070a8ad970d SHA256 EXE File
931be158768ea43400b8ae738012caacb608156ae1c5ffcb8e841fdd475b20c7 SHA256 EXE File
76cba59c4e41aef5fd230a22f406cdeb72f63da49097eb7aa96c7e46cc4f7280 SHA256 EXE File
ba83a966c001b22bd3e50eab0b0139580d668279f03f1674347d4fa98f490257 SHA256 EXE File
34e492f43e85bbffb8dd3e465c4aa1c09359a124d62df99baa2262595781267a SHA256 EXE File
64dce4d7cc76bd78623ceb288e885d2b34b1b338795dd3edd9632aedc4a2db1b SHA256 EXE File
f0a67982f01db58bbda282f2b32a43a2cd9724f6303621c1e90a9f4e0d08f3d2 SHA256 EXE File
61cfc3d7d4b01acc76320541c6fc67363d3030013ef4c171b76df94a40a59210 SHA256 EXE File
98599eafc850e353fea20916bfae0c1630c4e11ae1d857a0a372b5e3d514789f SHA256 EXE File
1690e57544df5027e2cd5993ebc306e6299142829ff76ac029ac48c2fd81bd32 SHA256 EXE File
eca84f9dfdac8ab5a77b854f72c02a1400b298b854dba44b0fef12861b2b63cc SHA256 EXE File
3d81cbe53bb4bf5918fc6da76394a0d87c9a33e77c4920691873d22e3d8296c0 SHA256 EXE File
60878bb487967af30c7e0c1bde0fa82033ba6c980b55e828bb37e924104e4114 SHA256 EXE File
a2be7fc6e01527207043f16112642dce52f0e4b18c43fa0d31ec5729ed0bd18d SHA256 EXE File
85e290fe0b68bf6834cb443e70c4162609e086569f31fd02a6083d0bc2e155f4 SHA256 EXE File
c2e61830b31d68206edb8e782f097a15d35ae9fbf70de4eed97257bd9a591e26 SHA256 EXE File
e0444c8f739c7069e3ff831b9260ecb65b61d42e523baa6a1b679717de669f1c SHA256 EXE File
50e29d470f158942d2b5b98d960a7ff9e8363ba244a675f91e35877e4e056b87 SHA256 EXE File
c6fdad4e6ba91d926562144f4574e52ac2e8456a14561da4a2badb431087e79a SHA256 EXE File
f0fa6f138374de977b5ffb31a4eee9de8388c58d3ca6fa47ac243369d529632e SHA256 EXE File
1b07ec5a5757341276098be39822e76799c61775027035077ebb201441383cf9 SHA256 EXE File
4e74b8f75b546a0385b5833d1d619ee909375de35c9f72192e4cd5cc9fc6874d SHA256 EXE File
d4c569a9f51da2d0f0379bd727da5306a29ed7ff7c37ea79bb9b1256f92eaf43 SHA256 EXE File
1c15903d27a61b67537d96d898951b453d89ed17fd11a60d3f33e5a1b8ea97b0 SHA256 EXE File
a65b71943a81db71e76c1e253c61fe24c237fdb9c1bc82ea2948013448873bff SHA256 EXE File
6a66b34fa709cbadfa4e7ab68a32c570db9d66952f6696da8d4ec772a5125dab SHA256 EXE File
2611916a45425b63210855a664088bacfac50c949546770a20ba3cc98c62be1d SHA256 EXE File
af73cfa21d09ae1ce21d65967995caf3ccfaf2af06f4e0a7b1282cd67cee4160 SHA256 EXE File
38f575771a32c3ed9e6310decfc4f43dc5218b0d0799fd366c8f76ec0a9107e6 SHA256 EXE File
df556321059f301849c987eb854381fefdaa72f6ea8174d66d0b0d781acec62c SHA256 EXE File
636a43b077905f084e833586c3e754f7d826da273a333635d93e47bd11fa80ba SHA256 EXE File
de4b665948ee40374b7c3d4628074a5053113c410f033ef93d15b01a4e480c71 SHA256 EXE File
d12b1dc55619494c270768bfd0d0eff409965161dd4d5fd6aaf5fc18c2c32b13 SHA256 EXE File
45ac28cd293e8a271938baf9fc6424abe043217aa2feef6608d2496c89f5bb6e SHA256 EXE File
3396752616c55d97f672a50be3f819c4ae8ee43e7ee02181858e9a951d71c4cd SHA256 EXE File
37e2a266057551452b675810441633a04bfc968a09303fdfa40e829a3c64560f SHA256 EXE File
dd472ba2e7b7ad5fb7ded56042ee47bd59a77870c030da374b57f4d1c12fa6b8 SHA256 EXE File
ab063f49fe142bbed02b88ba1ac44c19cc879d5c0c1e5331dd56cfab89df7a36 SHA256 EXE File
f694d3b114e59b032088428ddd372a183962febe70292cd7d7d82d07a90c11af SHA256 EXE File
665f4e9267be5efe7499b1dc6493f8e210ef56fe29014343df4174c74e2972be SHA256 EXE File
45f590ca149d618e3bf98ad926fca7c1d52a348e1319991b5728155a57e0796f SHA256 EXE File
6212bb92cf716a99a76b501bc2a1750362e3ee1f4a1548c62988a4096eda41fb SHA256 EXE File
68fae991d11fd404b8505dcceae22d7ecb1aeabb43e33f09a9ee94276a14a2e8 SHA256 EXE File
4909a0d960b73dcb3b6873867a813c107d770a734e2d6abb4a0df12401094d08 SHA256 EXE File
f648853c4ccf67258d3bf06ecbc941bf1ed4fc8cc463d6787a63187055b59448 SHA256 EXE File
64fbe54b877fcd1604d8c7cfd9d2768b655205baee1b2a38286f4686a61c4148 SHA256 EXE File
44d970fe998e6c6dd37e7a3b1a41607d42bd8465c3e0cda9b4dd1e8b7b42be69 SHA256 EXE File
420d11efeed9a20419e7b15c1ff1debb75d60d83ca55ab1115080b53e8ba7240 SHA256 EXE File
5d1243122119f564faff2fcf3e5498594cd86b1575cfbc219698af157b9c623a SHA256 EXE File
a369f1dde0c4bc23747ab6ff5484660dcfd771716b51b656cc684bedaf9b63e8 SHA256 EXE File
7e7d08c8a90f7749f22d94fba8f10306e3b9904e399d3efbeb128c1f7fb46e36 SHA256 EXE File
000d571e1d10230875ca13ef30d16c907bad7c09e69ed6fbf0e8118beb61a6c8 SHA256 EXE File
49c850fd8f5f441a9aeb3db6a734f3a44d56a450afed97a56b59ed937395e1cf SHA256 EXE File
bfd6a7619e2d8b894cec743d37851ce00daf782deb98c37cfbeef94d73ce41c9 SHA256 EXE File
ecf712bb88adea2d6b63a37cf8c0df811b2339b84115fe00811d51e91468a474 SHA256 EXE File
c16aca2eb44897b481d5cab5e051cb0fd9dc0caad1e87085f180822fdf74b239 SHA256 EXE File
3318789e18f6b28179033c8cfa9ce6f12b2f86aec9032a5d22bbdb94a9ae0a9c SHA256 EXE File
24a941e8182a71543a5d783f6f486ed945f0812c77da2420d92d79937e63aac7 SHA256 EXE File
7e9dfc5779c2118edabb94021d3131800c6db4ee5ccbd607e1c1c087654557dd SHA256 EXE File

Subscribe to the Blog

Receive news and RH‑ISAC updates for cybersecurity practitioners from retail, hospitality, and other customer-facing companies, straight to your inbox.

Subscribe Now

More Recent Blog Posts

View All Blogs