Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
While analyzing a malicious Chrome browser extension we recently came across a Virtool that tries to redirect the Chrome Extension page.
We detect it as VirTool:JS/Redichrextor.A.
VirTool:JS/Redichrextor.A won’t let you view, change, remove or uninstall Chrome browser extensions. It does this by stopping you from viewing the Chrome Extension page.
It uses this technique so an affected user won’t be able to remove or uninstall the malicious extension without help from their antimalware software. This makes VirTool:JS/Redichrextor.A a useful piece of code for any malicious Chrome browser extension that wants to avoid manual detection or removal.
When an affected user does try to view the Chrome browser extension page they are redirected. We have seen it open a new tab, or go to the Chrome web store or Google.com:
We have also seen similar behaviour used by the following known malicious Chrome browser extensions:
Once VirTool:JS/Redichrextor.A is detected and removed, you should be able to go to the Chrome extension page.
We recommend you then check and uninstall any suspicious browser extension that might be linked to VirTool:JS/Redichrex.A or other malware. We also recommend keeping your security products up-to-date to avoid infection.
While this new trick makes it harder to remove the Virtool manually, it is still easily detected and removed by Microsoft Security software.
Jonathan San Jose