BlackStink 2025 campaign: Stealthy banking-fraud Chrome extension targets LATAM banks

This article was made possible thanks to contributions by Tal Langus, Amir Gandler and Camila Sablotny.

When a surge in anomalous transaction behavior surfaced across multiple Latin American (LATAM) financial institutions, IBM Trusteer’s Fraud Analytics and Malware Research teams were engaged to investigate. These institutions, already fortified with Trusteer’s Pinpoint Detect (PPD) for detecting Remote Overlay Malware through behavioral and user flow anomalies, now faced a new challenge: fraudulent transfers that appeared to originate from genuine user activity, including real-time manipulation of transaction amounts and destination accounts.

Upon deeper analysis, the investigation revealed a new and stealthy malware campaign leveraging advanced WebInject techniques to bypass traditional detection mechanisms. This variant, later classified as BlackStink, employed a malicious Chrome extension designed specifically to target LATAM banking portals.

Trusteer’s rapid identification and response enabled the swift development of targeted detection rules, effectively neutralizing the threat. The malware signature was quickly shared across the Trusteer ecosystem, reinforcing defenses for other regional banks and preempting similar attacks.

Malicious Chrome extensions have become an increasingly popular attack vector for cyber criminals because they operate inside the user’s browser with elevated privileges while appearing harmless. These extensions often mimic legitimate applications such as productivity tools, security add-ons or even casual browser games, using familiar branding, names and icons to avoid suspicion. In many cases, victims do not knowingly install these extensions; instead, the malware responsible for the initial infection silently adds them to the browser, bypassing the Chrome Web Store entirely or abusing sideloading mechanisms. Once installed, the extension runs in the background with permissions that allow it to monitor browsing activity, manipulate web content, intercept form data and interact with banking or financial websites in real time. Because the extension blends into the browser’s normal interface and behaves like a legitimate app, most users remain unaware of its malicious nature, giving attackers a persistent foothold for credential theft, session hijacking and automated fraudulent transactions.

BlackStink is a sophisticated malware family that likewise deploys a malicious Chrome extension to carry out advanced web injection attacks against banking and financial websites. Once active, it can dynamically inject deceptive overlays into legitimate banking pages to harvest credentials, account details and transaction data. Beyond simple credential theft, BlackStink is capable of auto-filling and auto-submitting forms, simulating user actions and executing automatic transactions, allowing attackers to move funds in real time without the victim’s awareness. To evade detection, the malware disables certain browser security features and leverages heavily obfuscated JavaScript to conceal its behavior and complicate analysis.
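The two paragraphs above describe what the extension does to a transfer form (intercepting field data, rewriting amounts and destination accounts, auto-filling and auto-submitting) and what a behavioral product like PPD looks for (user-flow anomalies). The block below is an added example, not BlackStink code and not Trusteer’s detection logic. It assumes a page-side collector that records per-field `focus`, `keydown` and `input` events plus one `submit` event carrying the payload the server actually received; the event schema, the field names `amount` and `destinationAccount`, and the 1.5 s "faster than a human" threshold are all assumptions made for this illustration. Three constructed sessions are included: a genuine one, one where values typed by the user were rewritten before submission, and one that was filled and submitted with no keystrokes at all.

```javascript
// Added example: a simplified behavioral check for auto-filled or rewritten
// transfer forms. Not BlackStink code and not Trusteer PPD logic; the event
// schema and thresholds are assumptions for this illustration.

const SENSITIVE_FIELDS = ["amount", "destinationAccount"]; // assumed field ids

// Replay one transfer flow's event log and return the anomaly flags it trips.
// events: [{t, type: "focus"|"keydown"|"input", field, value?}, ...,
//          {t, type: "submit", payload: {amount, destinationAccount}}]
function analyseTransfer(events, minHumanMs = 1500) {
  const perField = new Map();
  let firstFocus = null;
  let submit = null;

  for (const ev of events) {
    if (ev.type === "submit") { submit = ev; continue; }
    if (firstFocus === null && ev.type === "focus") firstFocus = ev.t;
    const rec = perField.get(ev.field) ?? { keystrokes: 0, lastTyped: "" };
    if (ev.type === "keydown") rec.keystrokes += 1;          // real key press
    if (ev.type === "input") rec.lastTyped = ev.value;       // value the page saw
    perField.set(ev.field, rec);
  }
  if (!submit) return { flags: ["noSubmit"], details: {} };

  const flags = [];
  const details = {};
  for (const field of SENSITIVE_FIELDS) {
    const submitted = submit.payload[field] ?? "";
    const rec = perField.get(field) ?? { keystrokes: 0, lastTyped: "" };
    // Value present in the payload but the user never pressed a key: programmatic fill.
    if (submitted !== "" && rec.keystrokes === 0) flags.push(`noKeystrokes:${field}`);
    // User typed one thing, server received another: value rewritten after entry.
    if (rec.keystrokes > 0 && submitted !== rec.lastTyped) {
      flags.push(`valueMismatch:${field}`);
      details[field] = { typed: rec.lastTyped, submitted };
    }
  }
  if (firstFocus === null) flags.push("noInteraction");     // submitted without ever focusing a field
  else if (submit.t - firstFocus < minHumanMs) flags.push("tooFast");
  return { flags, details };
}

// Constructed helper: a human typing `value` into `field`, one key every msPerKey.
function typeInto(field, value, startT, msPerKey = 120) {
  const events = [{ t: startT, type: "focus", field }];
  let t = startT;
  for (let i = 1; i <= value.length; i++) {
    t += msPerKey;
    events.push({ t, type: "keydown", field });
    events.push({ t, type: "input", field, value: value.slice(0, i) });
  }
  return { events, end: t };
}

// Constructed sample sessions (not real telemetry).
function sampleSessions() {
  const dest = typeInto("destinationAccount", "12345678", 0);     // ends at t=960
  const amt = typeInto("amount", "150.00", dest.end + 540);        // ends at t=2220
  const typed = [...dest.events, ...amt.events];

  const genuine = [...typed,
    { t: 3500, type: "submit", payload: { amount: "150.00", destinationAccount: "12345678" } }];
  // Same human typing, but the payload was rewritten before it left the browser.
  const rewritten = [...typed,
    { t: 3500, type: "submit", payload: { amount: "1500.00", destinationAccount: "99887766" } }];
  // No keystrokes, values set by script, submitted 40 ms after the first focus.
  const autoSubmitted = [
    { t: 0, type: "focus", field: "amount" },
    { t: 5, type: "input", field: "amount", value: "1500.00" },
    { t: 6, type: "focus", field: "destinationAccount" },
    { t: 10, type: "input", field: "destinationAccount", value: "99887766" },
    { t: 40, type: "submit", payload: { amount: "1500.00", destinationAccount: "99887766" } },
  ];
  return { genuine, rewritten, autoSubmitted };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, events] of Object.entries(sampleSessions())) {
    console.log(name, JSON.stringify(analyseTransfer(events)));
  }
}
```

The point of the second check is the one the investigation above turned on: a fraudulent transfer that "appears to originate from genuine user activity" still has to reconcile what the user typed with what the bank received, so recording the typed value independently of the submitted payload exposes the rewrite even when every other signal looks human.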

In this blog, we will examine BlackStink’s latest campaign in detail—covering its tactics, techniques and procedures (TTPs), analyzing the inner workings of its malicious Chrome extension and explaining the web injection methods it employs.

The malware installs a Chrome extension in the background and updates it as new versions become available, embedding multiple evasion techniques to avoid detection. Our threat researchers have observed several variants of the extension across different infections.
