Razy Trojan Altering the Browsing Experience to Steal Cryptocurrency

Published on January 25, 2019
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

As reported by the Kaspersky Lab, the Razy Trojan is suspect of a new set of browser extensions that are capable of altering the browsing reality and experience for their users, with the sole purpose of stealing cryptocurrency from them. The Razy extensions cover Google Chrome, Mozilla Firefox, and the Yandex Browser, getting installed with the deceptive names of “Chrome Media Router”, “Firefox Protection”, and “Yandex Protection”. In the case of the Chrome, the extension even stays hidden from the installed plug-ins list, so that users don’t realize its presence and activity. In all three cases, the extension is preventing the infected browsers from updating.

The action is laid out in three areas, all pertaining to the browsing reality that is delivered to the unsuspected users. First, the malicious extensions insert fake Google and Yandex search results that point to phishing websites. These false entries are placed on top of the search results, and may even cover the whole 1st page, leaving little room for doubt in the minds of the victims. To maintain a realistic context, these spoof search results are only delivered when the user is entering cryptocurrency-related terms in the search box, as this is the primary target of Razy anyway. This means that the extension is monitoring the user’s browsing at all times, deciding when to strike with fake results, ads, and banners.

razy search results

Image source: securelist.com

The HTML page modification and the inserting of phishing elements go on, no matter which pages the user is visiting. The extension adds advertising banners containing lucrative cryptocurrency offers or trying to bate the users by indirect offers from fake online surveys and even Wikipedia donations. In all cases, the banners feature QR codes that correspond to the cybercriminal’s wallet. Other examples of fake banners that the Kaspersky researchers unveiled include an advertisement that is displayed on people who attempt to visit the telegram.org website, offering very low-priced tokens and another banner on the Vkontakte social network that is popular in Russia. The first redirects to “ton-ico.network” while the second points to ooo-ooo.info.

razy wikipedia

Image source: securelist.com

To avoid getting victimized, only trust extensions that come from reliable sources, scan your computer when a new extension pops up on your browser all of a sudden, and conduct regular antivirus and antimalware scans. Do not get fooled by misleading extension names, and always double-check the URL that you are about to click from a banner.

Have you noticed a “protection” extension in your browser? Let us know in the comments below, and share this story through our socials on Facebook and Twitter, so as to help us raise awareness.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: