Summary
- Universe Browser directs traffic to servers in China, installs programs without consent, and monitors keyboards. It has links to cybercrime in Southeast Asia, including money laundering and human trafficking.
- The browser imitates Google Chrome, but blocks developer tools. It installs persistent programs and extensions to send screenshots to criminals and detect gambling websites linked to the Vault Viper group.
- Vault Viper uses the browser to identify rich players and access their machines. The group is associated with “scam factories” in Southeast Asia, recruiting people from more than 60 countries for gambling extortion.
Cybersecurity researchers discovered that Universe Browser directs internet traffic to servers in China, installs programs without the user’s knowledge, monitors the keyboard and changes device connections. Ironically, the program presents itself as capable of “preventing privacy leaks” and keeping users “away from danger”.
The findings come from the network security company Infoblox, which worked with the United Nations Office on Drugs and Crime (UNODC) on this task. The investigation also found links to a Southeast Asian cybercrime network involving money laundering, illegal gambling, human trafficking and forced labor.
What does Universe Browser do on your computer?
The browser has versions for Windows and Android, distributed via direct download, in addition to being available for iOS in the Apple App Store.
By reverse engineering the Windows version of Universe Browser, researchers found several tools similar to those present in malware, as well as techniques to evade antivirus detection.


One of these behaviors is to immediately check the user’s location, the language in use and whether the program is running in a virtual machine. After that, it waits for some time before connecting to IP addresses in China, Hong Kong, and Taiwan. These addresses are linked to the criminal group behind the browser, known as Vault Viper.
The browser imitates Google Chrome, but developer tools and settings are inaccessible to the user; not even right-clicking works.
Universe Browser also installs several persistent programs that run silently in the background. Additionally, two extensions come with the package. One is used to send screenshots to a domain linked to criminals. The other, according to Infoblox’s analysis, serves to detect whether the user is browsing a gambling website linked to Vault Viper.
Infoblox noted that Universe Browser is advertised on websites linked to the same company that develops games for online casinos, which is reportedly linked to the Vault Viper group.


The lure is the ability to circumvent restrictions imposed by Asian countries on internet gambling. “Every casino site operated [by the group] has a link and an advertisement [for Universe Browser]”, says Maël Le Touz, from Infoblox, in an interview with Wired.
Researchers believe these gamblers are the targets of the malicious actors. “This browser could serve as a perfect tool to identify wealthy players and gain access to their machines,” says the company’s report.
Over the past few years, Vault Viper has also been linked to criminal groups that have recruited hundreds of thousands of people from more than 60 countries, forcing them to work in “scam factories” in Southeast Asia, in countries such as Myanmar, Laos and Cambodia. Some of these scams consist precisely of attracting those interested in gambling to extort money from them.
With information from Wired
Source: https://tecnoblog.net/noticias/navegador-promete-privacidade-mas-age-como-espiao-a-servico-de-criminosos/
