Chrome and Edge users infected with malicious browser extensions that steal your personal data — what to do now

Hackers are using malicious browser extensions to infect both Google Chrome and Microsoft Edge with dangerous malware that can steal your personal data and leave your computer at risk of further attacks.

As reported by The Hacker News, this recently discovered malware campaign has been active since 2021 and so far, at least 300,000 Chrome and Edge users have fallen victim to it.

What makes this malware particularly dangerous is the fact that it can achieve persistence on infected PCs. This means that even if you delete the malicious extension, the malware will reactivate itself the next time you restart your computer.

Here’s everything you need to know about this malware campaign and how you can actually remove the malicious extension used in it once and for all.

Like other malware campaigns, this one uses malvertising to trick unsuspecting users into downloading and installing risky software.

The hackers behind it have created lookalike sites that impersonate popular software and services like Roblox FPS Unlocker, YouTube, VLC media player, Steam or Keepass. While potential victims think they’re installing legitimate software or extensions, they’re actually downloading a trojan that installs the malicious extensions used by this malware.

The digitally signed malicious installers used in this campaign register a scheduled task on vulnerable PCs that then executes a PowerShell script which downloads and executes the next-stage payload from a hacker-controlled remote server.

As part of this next-stage payload, the malware modifies an infected PCs Windows Registry to force the installation of Chrome and Edge extensions which are used for ad fraud by hijacking web searches on Google and Bing and then redirecting them through the hackers’ servers. To make matters worse, newer versions of this malware can even prevent browser updates from being installed, putting victims at risk of other attacks.

Fortunately, there is a fix but it does take some technical know how.

How to remove this malware from your PC for good

In a blog post detailing the findings of its security researchers, ReasonLabs provides further insight on how to properly remove this malware and the malicious extensions used in this campaign from your PC.

First things first, you need to remove the scheduled task from your PC. This is done by clicking on the Start Menu or pressing the Windows key on your keyboard and then searching for Task Scheduler.

Once Task Scheduler is opened, you need to click on the Task Scheduler Library to show all of the tasks on your PC. While the task name used by this malware varies, you can identify it by clicking on tasks, opening them and then clicking on Actions. In the table below Actions, you can look at their Details and here, you want to look for a path to “c:\windows\system32” and a PowerShell script or a file ending with “.ps1”. ReasonLabs notes that the task name will often be similar to the PowerShell script name.  Once you’ve found the malicious task, right click on its name and then click Delete.

After this, you then need to remove the registry keys that are forcing the malicious extensions in your browser. This is more difficult but you can open the Registry Editor the same way that you did with the Task Scheduler. Keep in mind though that you shouldn’t mess with your computer’s registry unless you absolutely know what you’re doing. When in doubt, ask a friend for help or take your PC to a professional.

With the Registry Editor opened, you need to go to “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist”. In the right pane here, there will be a list of extensions with a numerical value as “Name” and Extension ID as “Data”. Then right click on the name and then click Delete. You also have to do this for this registry key as well: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallForcelist.”

As this malware affects both Chrome and Edge, you will need to repeat the same process for the Edge extensions at this path: “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist”.

While you could delete the malware files yourself, you’re much better off using one of the best antivirus software solutions to do it for you. If you do want to do so manually, you can find instructions at the end of ReasonLabs’ blog post linked above.

Going through the process of removing these malicious extensions and the malware they’ve dropped on your PC will likely be more than enough to ensure you think twice before downloading new software or browser extensions from untrustworthy sources. If you do want to download a new extension, do so from the Chrome Web Store or from the Microsoft Edge Add-on Store instead.