Presence of spyware and malware in Chrome browser extensions we use to surf the web is nothing new as every other day we hear about a new strain of malware identified in an extension. Sometimes even the extension turns out to be fake and a piece of malware.
According to a report from ICEBRG, four Google Chrome extensions have been identified as malicious and targeting more than half a million Chrome users as well as workstations of a majority of high-profile organizations operating globally. The four extensions include:
More: Chrome Extension with 105,000 installs is a Cryptocurrency Miner
- Change HTTP Request Header
- Lite Bookmarks
- Nyoogle – Custom Logo for Google
- Stickies – Chrome’s Post-it Notes
It is worth noting that Lite Bookmarks and Change HTTP Request Header have been removed from official Google Play Store.
Change HTTP Request Header extension
The findings of the research were published in a blog post on Monday 15th January by two ICEBRG researchers namely Justin Warner and Mario De Tore. As per the report, these malicious extensions contain suspicious coding that affected over 500,000 users worldwide including corporate workstations. The extensions are used to carry out “click fraud” and “search engine optimization (SEO) manipulation.”
Moreover, these offer a strong foothold to threat actors because they can leverage these extensions to obtain access to corporate networks and user information. These extensions were discovered while the team of researchers at ICEBRG was investigating the sudden increment in outbound network traffic between a European VPS provider and a customer’s workstation.
“Chrome’s JavaScript engine evaluates JavaScript code contained within JSON. Due to security concerns, Chrome prevents the ability to retrieve JSON from an external source by extensions, which must explicitly request its use via the Content Security Policy (CSP),” wrote Warner and De Tore.
Researchers noted that these four extensions didn’t contain an obvious coding but used a combination of two different features that allowed attackers to inject and execute arbitrary, malicious JavaScript code whenever a permission request to retrieve JSON was received by an update server from an external source. When injected the malicious script creates a WebSocket tunnel using the change-request.info and then the extension uses it to proxy browsing traffic through the browser installed on the targeted machine.
“The threat actor utilized this capability exclusively for visiting advertising related domains indicating a potential click fraud campaign was ongoing. The same capability could also be used by the threat actor to browse internal sites of victim networks, effectively bypassing perimeter controls that are meant to protect internal assets from external parties,” wrote ICEBRG researchers.
Overview Diagram of Activity shared by researchers
One of the two features access the infected system for Chrome debugging tools and if detected it immediately halts the execution of the injected code. This has been termed by researchers as an anti-analysis technique used to avoid detection.
Currently, it is not clear whether same attackers are involved or there are different threat actors behind each of the four malicious extensions but it is evident that similar TTPs (techniques, tactics, and procedures) have been used. Researchers noted that these techniques can also allow sophisticated hackers to establish a beachhead into “target networks.”
Google, US Computer Emergency Readiness Team (US-CERT) and the National Cyber Security Centre of The Netherlands (NCSC-NL) have already been notified along with affected customers of ICEBRG regarding the four extensions.
More: Hackers using Google Adwords & Google Sites to spread malware
