KEY POINTS

  • The Razy Trojan was discovered by Kaspersky Lab.
  • It can spoof Google and Yandex search results.
  • Its main purpose is to steal cryptocurrency.


Kaspersky Lab has discovered a new Trojan, "Razy", which spoofs search results and targets browser extensions in order to attack cryptocurrency wallets. The malware, detected as Trojan.Win32.Razy.gen, arrives as an executable that spreads through advertising blocks on websites and is distributed from free file-hosting services disguised as legitimate software. Its main business is the theft of cryptocurrency.

According to the report, Razy searches web pages for cryptocurrency wallet addresses and replaces them with the threat actor's wallet addresses; swaps QR code images that point to wallets; modifies the web pages of cryptocurrency exchanges; and falsifies Google and Yandex search results.

Kaspersky reports that Razy can infect extensions of Google Chrome, Mozilla Firefox and Yandex Browser, using a different infection scenario for each browser. For Firefox, the Trojan installs an extension called "Firefox Protection". On Yandex Browser it installs an extension called "Yandex Protect", and in Chrome, Razy modifies the contents of the folder containing the Chrome Media Router extension.

The report says Razy spoofs search results by adding fake links to result pages when the search query relates to cryptocurrencies and cryptocurrency exchanges, or simply to downloading music or torrents. Once a system is infected, the Trojan also adds a banner with a request to donate to Wikipedia each time the user visits the site; the cybercriminals' wallet addresses are shown instead of bank details, and the genuine Wikipedia donation banner (if present) is removed. Kaspersky notes that when the user visits telegram.org, they are shown an offer to buy Telegram tokens at an incredibly low price.

Similarly, when users visit pages of the Russian social network Vkontakte (VK), the Trojan adds a banner ad. If the user clicks the banner, they are redirected to phishing resources (on the ooo-ooo[.]info domain) and asked to pay a small sum now in order to make a lot of money later.

Kaspersky also listed the wallet addresses found in the analysed scripts, so that users can recognise them:

Bitcoin: '1BcJZis6Hu2a7mkcrKxRYxXmz6fMpsAN3L', '1CZVki6tqgu2t4ACk84voVpnGpQZMAVzWq', '3KgyGrCiMRpXTihZWY1yZiXnL46KUBzMEY', '1DgjRqs9SwhyuKe8KSMkE1Jjrs59VZhNyj', '35muZpFLAQcxjDFDsMrSVPc8WbTxw3TTMC', '34pzTteax2EGvrjw3wNMxaPi6misyaWLeJ'.

Ethereum: '33a7305aE6B77f3810364e89821E9B22e6a22d43', '78f7cb5D47b5D4750557656656A5B4FD'

The report states that, at the time of writing, total incoming transactions to all of these wallets amounted to approximately 0.14 BTC plus 25 ETH.
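The address-replacement behaviour described above, together with the published wallet list, lends itself to a simple page-integrity check that a site owner or analyst can run over fetched HTML. The Python below is an added example written for this article; it is not Kaspersky's code and not part of the Razy analysis. It assumes the page HTML has already been retrieved, uses the well-known Bitcoin genesis address purely as a stand-in "legitimate" donation address in a constructed sample page, and includes only the first Ethereum address from the list, because the second one as printed is shorter than the 40 hex characters an Ethereum address has. The function names (`scan_page`, `b58check_valid`, `extract_addresses`) are this example's own.

```python
import hashlib
import re

# Wallet addresses published in the Kaspersky report and listed in the article above.
RAZY_BTC = {
    "1BcJZis6Hu2a7mkcrKxRYxXmz6fMpsAN3L",
    "1CZVki6tqgu2t4ACk84voVpnGpQZMAVzWq",
    "3KgyGrCiMRpXTihZWY1yZiXnL46KUBzMEY",
    "1DgjRqs9SwhyuKe8KSMkE1Jjrs59VZhNyj",
    "35muZpFLAQcxjDFDsMrSVPc8WbTxw3TTMC",
    "34pzTteax2EGvrjw3wNMxaPi6misyaWLeJ",
}
# Stored lower-case without the 0x prefix, as the article prints it.
RAZY_ETH = {"33a7305ae6b77f3810364e89821e9b22e6a22d43"}

# Legacy (P2PKH/P2SH) Bitcoin addresses: Base58 alphabet, 26-35 chars, not glued to other alphanumerics.
BTC_RE = re.compile(r"(?<![A-Za-z0-9])[13][A-HJ-NP-Za-km-z1-9]{25,34}(?![A-Za-z0-9])")
ETH_RE = re.compile(r"(?<![A-Za-z0-9])0x[0-9a-fA-F]{40}(?![A-Za-z0-9])")

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_valid(addr: str) -> bool:
    """Base58Check validation: 25 decoded bytes whose last 4 equal sha256d(first 21)[:4]."""
    n = 0
    for ch in addr:
        idx = _B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes a leading zero byte.
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def extract_addresses(text: str):
    """Return (bitcoin_addresses, ethereum_addresses) found in the text, in document order."""
    return ([m.group(0) for m in BTC_RE.finditer(text)],
            [m.group(0) for m in ETH_RE.finditer(text)])


def scan_page(html: str, expected_btc=frozenset()):
    """Flag wallet addresses on a fetched page.

    A finding is raised when an address matches the published Razy wallets, or, when the
    caller knows which Bitcoin addresses the page should carry (expected_btc), when an
    address appears that is not in that set (i.e. the page's own address was replaced).
    """
    findings = []
    btc, eth = extract_addresses(html)
    for a in btc:
        if a in RAZY_BTC:
            findings.append({"kind": "btc", "address": a, "reason": "published Razy wallet",
                             "checksum_ok": b58check_valid(a)})
        elif expected_btc and a not in expected_btc:
            findings.append({"kind": "btc", "address": a, "reason": "not an expected address",
                             "checksum_ok": b58check_valid(a)})
    for a in eth:
        if a[2:].lower() in RAZY_ETH:
            findings.append({"kind": "eth", "address": a, "reason": "published Razy wallet",
                             "checksum_ok": None})
    return findings


# Constructed sample pages (not real sites). The "legitimate" donation address is the
# well-known Bitcoin genesis address, used here only as a stand-in.
SITE_BTC = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
CLEAN_PAGE = f"""<html><body>
<p>Support this project: send BTC to <code>{SITE_BTC}</code></p>
</body></html>"""
# The same page after the address has been swapped and a donation banner injected.
INFECTED_PAGE = CLEAN_PAGE.replace(SITE_BTC, "1BcJZis6Hu2a7mkcrKxRYxXmz6fMpsAN3L").replace(
    "</body>",
    '<div class="banner">Donate ETH: 0x33a7305aE6B77f3810364e89821E9B22e6a22d43</div></body>')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, scan_page(page, expected_btc={SITE_BTC}))
```

Matching against the published list catches this particular campaign; the `expected_btc` check is the more durable control, because it does not depend on knowing the attacker's addresses in advance. The Base58Check test is included so that a random-looking token is not reported as an address unless its checksum is correct, which keeps false positives down on pages full of identifiers.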

Hey guys, I hope you liked this article. Please share it with your friends and family, and leave a comment with your point of view. Thank you for reading.