Password stealing malware hits ‘thousands’ of PCs, are YOU affected?
Google Chrome fans are being warned about password stealing malware that could have made its way onto their machines. Google Chrome is without a doubt the most popular internet browser in the world right now. NetMarketShare stats for the whole of last year show Google Chrome as having a staggering 58.90 per cent chunk of the internet browser marketplace.
Its nearest rival, Mozilla’s Firefox, has a 13.29 per cent share while Internet Explorer is on 13 per cent. Microsoft’s newer Edge browser, which is bundled in with Windows 10, lags behind with a 3.78 per cent market share. These stats underline how Chrome’s crown as the world’s most popular internet browser is undisputed. And fans of Google Chrome have been put on alert about a strain of password stealing malware.
However, the way the malware may have been distributed onto Google Chrome users’ machines could leave them stunned. The malware warning first emerged on Reddit, with user crankyrecursion making the discovery. They claimed to have found a suspicious file hidden away on an add-on installer for a flight-simulator.
A company which makes add-ons for Microsoft Flight Simulator and Lockheed Martin’s Prepar3D simulation software has received harsh criticism for including a utility in an installer that harvests passwords stored in Google Chrome.
The FSLabs product affected is the A320-X add-on for Prepar3D 4, which has a file named “test.exe” that appears to be the Chrome Password Dump tool from SecurityXploded. According to the technical analysis by Fidus Information Security, when the password retrieval tool is invoked, its output is encoded in base64 and transmitted to an FSLabs-controlled server over an (ostensibly unencrypted) HTTP connection. This routine is only run when a serial is detected as being counterfeit; for genuine installs, the software username and information about the installed graphics cards, CPU, total RAM, and operating system are sent through the same HTTP connection.
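The behaviour Fidus describes (a base64-encoded credential dump posted over plaintext HTTP) is the kind of thing a proxy-log check can catch. The following is an added detection example, not code from the article, Fidus or FSLabs; it assumes a constructed one-request-per-line log format (`METHOD URL BODY`) and an assumed `URL:/Username:/Password:` line layout for the decoded dump, not the real tool’s output format.

```python
"""Flag HTTP POST bodies that base64-decode to browser-credential-like data."""
import base64
import binascii
import re

# Assumed field names of a browser password dump (an assumption, not the real tool's format).
CRED_FIELDS = {"url", "username", "password"}
FIELD_RE = re.compile(r"(?im)^\s*(url|username|password)\s*:")


def decode_b64(blob):
    """Return the blob decoded as UTF-8 text, or None if it is not valid base64 text."""
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def looks_like_credential_dump(text):
    """True when every assumed credential field appears at the start of some line."""
    found = {m.group(1).lower() for m in FIELD_RE.finditer(text)}
    return CRED_FIELDS <= found


def scan_requests(lines):
    """Return the destination URL of each POST whose body decodes to a credential dump."""
    flagged = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue  # malformed log line
        method, url, body = parts
        if method != "POST":
            continue  # only request bodies can carry the dump
        decoded = decode_b64(body)
        if decoded is not None and looks_like_credential_dump(decoded):
            flagged.append(url)
    return flagged


# Constructed sample log: one benign GET, one base64 credential dump, one base64 system-info blob.
_DUMP = "URL: https://mail.example.test\nUsername: alice\nPassword: hunter2\n"
_INFO = '{"cpu": "example", "ram_mb": 16384, "os": "example"}'
SAMPLE_LOG = [
    "GET http://updates.example.test/check?v=1 -",
    "POST http://collect.example.test/upload " + base64.b64encode(_DUMP.encode()).decode(),
    "POST http://collect.example.test/upload " + base64.b64encode(_INFO.encode()).decode(),
]

if __name__ == "__main__":
    for url in scan_requests(SAMPLE_LOG):
        print("credential-like base64 body posted to", url)
```

The system-information upload decodes cleanly but carries none of the assumed credential fields, so only the password dump is flagged.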
Fidus also found a forum post from October 2017 in which a user noted that anti-virus software is flagging the installer for including “HEUR:PSWTool.Win32.Security.Xploded.gen,” to which another user replied: “Many AV engines see our installers as a virus, which they are not (also known as a false positive).”