{ "id": "71feddda-28b4-4a83-8932-6774b3aa37e4", "created_at": "2026-04-06T00:10:52.065283Z", "updated_at": "2026-04-10T03:23:52.289339Z", "deleted_at": null, "sha1_hash": "ca187e72e89f188bb67a93113660983aa261fc29", "title": "How Theola malware uses a Chrome plugin for banking fraud", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 368119, "plain_text": "How Theola malware uses a Chrome plugin for banking fraud\r\nBy Aleksandr Matrosov\r\nArchived: 2026-04-06 00:03:45 UTC\r\nMalware\r\nA deep dive into Win32/Theola, one of the most malicious components of the notorious bootkit family,\r\nWin32/Mebroot.FX. Theola uses malicious Chrome browser plugins to steal money.\r\n13 Mar 2013  •  , 3 min. read\r\nWin32/Theola is one of the most malicious components of the notorious bootkit family, Win32/Mebroot.FX\r\n(known since 2007). The Theola family encompasses malicious browser plugins installed by Mebroot for\r\nbanking fraud operations.\r\nWe have been tracking an increase in detections of these plugins since the end of January 2013. The countries\r\nwhere Theola is most commonly detected are the Netherlands, Norway, Italy, Denmark and Czech Republic.\r\nESET Virus Radar statistics show the regions most affected by Theola infection during the last week in the map\r\nbelow.\r\nWin32/Mebroot.FX uses typical MBR infection techniques, with a malicious int13 handler used for access to the\r\nhard drive components. Malicious components are loaded in the following order:\r\nhttps://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/\r\nPage 1 of 9\n\nIn this blog post I’m concentrating on the analysis of malicious browser plugins and on answering the question of\r\nhow money is stolen from a user’s infected machine.\r\nChrome plugin\r\nWin32/Theola.F is a Google Chrome plugin based on the NPAPI interface (Netscape Plugin Application\r\nProgramming Interface). The malicious plugin has a native module and is packed by CRX format (CRX Package\r\nFormat). The CRX container contains the following manifest file with the permissions shown:\r\nThe most interesting string in the manifest is “permissions”, describing the activity allowed for this plugin. This\r\nset of permissions is enough to allow fraudulent, malicious operations. Win32/Theola loads in the Google Chrome\r\nbrowser like this:\r\nAfter deobfuscation the first JavaScript method loads the native module as default-plugin for Google Chrome:\r\nThis JavaScript module modifies the POST tracking method for all web forms on the loaded web page. And by\r\nmaking password input fields visible this method makes (for the attacker) a useful combination with the\r\nembedded video recording functionality described below.\r\nhttps://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/\r\nPage 2 of 9\n\nThe plugin loaded in the browser extensions panel looks like this:\r\nThe routine NP_GetEntryPoints() calls the plugin load process and gets the pointers to other functions needed for\r\nworking with the plugin within the browser. The decompiled code of NP_GetEntryPoints() is presented here, with\r\nhttps://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/\r\nPage 3 of 9\n\nthe Theola plugin interface:\r\nThe image directly below shows the the reconstructed virtual method table (vtable) as seen in Win32/Theola's\r\nmain functionality. Theola has video recording functionality based on the open source x264 library for recording\r\nvideo in MPEG format.\r\nhttps://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/\r\nPage 4 of 9\n\nWhen the plugin has already started up the function addListners() loads the JavaScript code for tracking web\r\nactivity on the infected machine.\r\nThe JavaScript code for manipulating URLs is presented here:\r\nhttps://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/\r\nPage 5 of 9\n\nThe method beforeNavigate() in the native module is presented here:\r\nhttps://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/\r\nPage 6 of 9\n\nIf activity is detected on the banking web page, then Win32/Theola sends all sensitive information (passwords,\r\ncredit card numbers and etc) to the special named pipe. The name of the pipe is generated by the following\r\nalgorithm:\r\nhttps://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/\r\nPage 7 of 9\n\nAll communications with the kernel-mode module and other user-mode modules are implemented with special\r\nnamed pipe handlers in the plugin. Each handler is responsible for the execution of specified type of events in the\r\nexecution process.\r\nConclusion\r\nGoogle Chrome is one of the most popular browsers in the world and its popularity among malware developers is\r\nalso growing. Win32/Theola provides its malicious module as a Chrome plugin: this is more difficult to detect\r\nbecause the plugin uses only documented API methods for controlling web activity. This documented API is\r\nadequate for manipulating sensitive data submitted into web forms. Much banking malware uses user-mode hooks\r\nfor intercepting network activity, but Win32/Theola uses documented and legitimate methods just as effectively\r\nand by doing so is better able to bypass detection by security software.\r\nSpecial thanks to my colleague Anton Cherepanov\r\nAleksandr Matrosov, Security Intelligence Team Lead\r\nhttps://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/\r\nPage 8 of 9\n\nSHA1 hashes for analyzed samples:\r\nWin32/Theola.F (CRX plugin): 0a74c1897a8a3a56cbc4bd433e100e63f448c136\r\nWin32/Theola.D (dll module): 5591d013f38f64f2695366ff4cb4727c94a266e9\r\nLet us keep you\r\nup to date\r\nSign up for our newsletters\r\nSource: https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/\r\nhttps://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/\r\nPage 9 of 9\n\n https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/ \nIf activity is detected on the banking web page, then Win32/Theola sends all sensitive information (passwords,\ncredit card numbers and etc) to the special named pipe. The name of the pipe is generated by the following\nalgorithm: \n Page 7 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "Malpedia" ], "references": [ "https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/" ], "report_names": [ "how-theola-malware-uses-a-chrome-plugin-for-banking-fraud" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434252, "ts_updated_at": 1775791432, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ca187e72e89f188bb67a93113660983aa261fc29.pdf", "text": "https://archive.orkl.eu/ca187e72e89f188bb67a93113660983aa261fc29.txt", "img": "https://archive.orkl.eu/ca187e72e89f188bb67a93113660983aa261fc29.jpg" } }