Malicious browser extensions continue to bear fruit for hackers who have been using them to spread banking malware and adware, and hijacking popular add-ons to spread other nasty code.

The latest abuse involves a Google Chrome extension being spread in phishing emails that steals any data posted online by victims. This is a departure from previous attacks that monitor browser activity for specific URLs and extract credentials.

This campaign may be limited to Brazil and other Portuguese-speaking nations, according to Renato Marinho, chief research officer at Morphus Labs and a SANS Internet Storm Center (ISC) handler. Marinho told Threatpost that the phishing message is written in Portuguese and some characteristics associated with compromised computers including directory names leads him to believe the malware used in these attacks originated in Brazil.

“Based on the messages I received on my spam trap, the campaign is ongoing and possible making many victims,” Marinho said.

The emails, Marinho said, include a lure hinting at photos from a weekend event sent over WhatsApp (“Segue as (Fotos Final de Semana ) Enviadas via WhatsApp (30244)”). Should the victim click on the link, a malware dropper called whatsapp.exe is executed and presents a phony Adobe Reader installer, which downloads and installs a .cab file on the victim’s computer. The .cab file is a 9.5MB compressed file that spews a pair of 200MB-plus files once decompressed, Marinho wrote in a report to the SANS ISC site. Most of the code, he said, is bloat in an attempt to bypass anti-malware scanners that avoid large files.

One of the files attempts to disable the Windows Firewall and kill all Chrome processes before installing the malicious browser extension, written in JavaScript.

The extension captures all data posted by the victim on any website, Marinho said, before it’s sent to a command and control server using jQuery and Ajax connections.

Marinho added that existing browser security measures such as SSL or TLS won’t protect the victims because the stolen data is captured in clear text inside the browser, before it is sent through HTTPS connection.

“That’s another reason this is approach is attractive to cybercriminals,” Marinho said.

Marinho said he expects cybercriminals to continue to make use of malicious extensions to access a victim’s personal or sensitive data.

“It wasn’t necessary for the attacker to attract the victim to a fake website with doubtful SSL certificates or deploying local proxies to intercept web connections. Quite the opposite, the user is accessing original and legitimate websites and all the interactions are working properly while data is captured and leaked,” he said. “In my opinion, internet browsers should better control extensions and plugins’ installation processes as the Android and IOS mobile ecosystems do. By default, only the extensions available on official store should be accepted for installation.”