What are NymphOroica and NymphCubius?
NymphOroica and NymphCubius are two malicious browser plugins that we discovered on the internet. They redirect users to a different search engine that returns inferior results. The infection may also display intrusive ad banners in the browser and degrade search result quality, which hinders the user's browsing experience.
The aforementioned extensions use a scientific term to identify themselves, which we find peculiar because the name does not convey what the extension does and may raise questions at first. Furthermore, they are difficult for the average user to uninstall, since the malware creators behind NymphOroica and NymphCubius employ enterprise browser policies to deactivate the removal button.
Malware browser plugins in general
Malicious browser extensions are a type of malware that interferes with the browser. Some of them can observe the user’s browsing activity, record what the user types (essentially a keylogger), gain control over the microphone and camera when the user opens the browser, and, lastly, change browser configurations to benefit the malware author.
NymphOroica and NymphCubius are malicious plugins that fall into the last category, modifying the appearance of the browser’s tabs and the default search engine. They are also persistent, which makes them difficult for most users to uninstall: if the remove option is blocked, many individuals will struggle to delete these extensions. They are likewise quite similar to, and most likely the same variant as, the NymphMiniica malware extension, which we covered a week ago.
Some other similar extensions:
- AnciMegaica
- AnciPyror
- StelMegaica
- StelMiniica
- ArchHexel
- TitanMacroius
- MagnusAzureen
- AstroNanoel
- LunaSpheror
- LunaAzureel
- ElfMacroica
- HelioCubica
- FairyHexica
- HelioOroor
- AstroVermilen
- NymphVermilor
- OrcArgentel
- AstroOroen
Malware extensions frequently configure the browser to be “managed by an organization,” which allows the author to set policies that keep the infection active. While browser extensions are intended to make our browsing experience easier, cyber criminals always find ways to exploit them and achieve the opposite.
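A defender can audit the policy store for this kind of forced install. The sketch below is an added example, not code from the original article: it assumes the lock-in is done through the Chromium policies `ExtensionInstallForcelist` and `ExtensionSettings` (the article does not name the policy used) and takes the policy as a dict in the shape of Chrome's managed-policy JSON. The sample IDs and URL are constructed.

```python
import re

# Chrome Web Store update endpoint. Add your own browser's store URL if needed.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
EXT_ID = re.compile(r"[a-p]{32}")  # Chromium extension IDs: 32 chars, a-p


def forced_extensions(policy):
    """Return {ext_id: update_url} for every extension the policy force-installs."""
    found = {}
    # ExtensionInstallForcelist: list of "id;update_url" strings (URL optional).
    for entry in policy.get("ExtensionInstallForcelist", []):
        ext_id, _, url = entry.partition(";")
        found[ext_id.strip()] = url.strip() or WEBSTORE_UPDATE_URL
    # ExtensionSettings: per-ID dict; force_installed entries cannot be
    # removed by the user, which matches the greyed-out remove button.
    for ext_id, cfg in policy.get("ExtensionSettings", {}).items():
        if isinstance(cfg, dict) and cfg.get("installation_mode") == "force_installed":
            found[ext_id] = cfg.get("update_url", "")
    return found


def audit(policy, approved_ids=frozenset()):
    """Return (ext_id, update_url, reasons) for forced extensions not approved."""
    findings = []
    for ext_id, url in sorted(forced_extensions(policy).items()):
        if ext_id in approved_ids:
            continue
        reasons = ["force-installed by policy, not approved"]
        if not EXT_ID.fullmatch(ext_id):
            reasons.append("malformed extension ID")
        if url != WEBSTORE_UPDATE_URL:
            reasons.append("update URL is not the Chrome Web Store")
        findings.append((ext_id, url, reasons))
    return findings


# Constructed sample policy: IDs and URL are made up for this example.
SAMPLE_POLICY = {
    "ExtensionInstallForcelist": [
        "aaaabbbbccccddddeeeeffffgggghhhh;https://updates.example.invalid/crx.xml",
    ],
    "ExtensionSettings": {
        "ppppoooonnnnmmmmllllkkkkjjjjiiii": {
            "installation_mode": "force_installed",
            "update_url": WEBSTORE_UPDATE_URL,
        },
        "abcdabcdabcdabcdabcdabcdabcdabcd": {"installation_mode": "allowed"},
    },
}

if __name__ == "__main__":
    for ext_id, url, reasons in audit(SAMPLE_POLICY):
        print(ext_id, url, "; ".join(reasons))
```

On a personal machine that belongs to no organization, the approved list is empty, so any finding is worth investigating.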
NymphOroica and NymphCubius threat behavior
We’ve also discovered a slew of other fake plugins, similar to the aforementioned extensions, that use scientific plant and animal names. Many of the extensions we encounter have the same extension icon, the blue “App” file icon. Once the extension enters the browser, it does not alter the appearance of the home tab, but it does change the default search engine to Bing or Yahoo, depending on your location.
Example of the same extension under a different name (ArchHexel):
We also examined the extension and discovered that the vast majority of affected individuals were using the Microsoft Edge and Google Chrome browsers. However, we discovered that the malware payload installs itself in the Chrome browser and modifies the browser policy to prevent removal.
NymphOroica and NymphCubius act as browser hijackers, altering the search engine to Yahoo or Bing. How do malware developers profit from this? Simply put, they change the default search engine to one of the two because those search engines provide points based on the number of searches you perform.
These malware developers created these extensions to steal the points earned by users who searched with the extension. When combined with thousands of compromised browsers, the total number of points transferred to thieves would have been significant.
Summary of the threat
Malware name/s | NymphOroica & NymphCubius |
Threat type | Malicious extension, Adware, Harmful plugin |
File type | .json, .zip, .crx |
Delivery network | Malicious downloads/payload |
Malware behavior | Change the default search engine |
More about NymphOroica & NymphCubius
We reported the malicious extensions to the web browsers that were targeted by them, and we believe they will take action against them shortly. When that happens, the extension will be removed from any browser using it because it has been flagged as a harmful browser extension.
If you are currently infected with the NymphOroica or NymphCubius extension and are unable to remove it using standard methods, follow the detailed step-by-step instructions below to completely remove the malicious extension from your browser, as well as any malware payload that may have entered your computer system.