Security Researcher reveals malicious use of Chrome extension- C&C and data exfiltration possible through Sync Feature.
Bojan Zdrnja, an IT security researcher, published research revealing that attackers use Google Chrome’s Sync feature for Command and Control communication through exfiltrating data.
As a Cybersecurity Specialist, Zdrnja claims that the attackers used extremely powerful features to abuse the Chrome browser.
How did it happen?
Every Chrome user opts for the Chrome Web Store for downloading extensions. Hackers tend to drop malicious extensions on the same store and Google removes multiple suspicious extensions every day. However, the attackers used a different channel in this scenario.
According to Zdrnja:
“The attackers did not use Chrome Web Store but dropped the extension locally in a folder and loaded it directly from Chrome on a compromised workstation.”
The scary part is that it is a legitimate feature of the Chrome browser. It can be accessed by going to More Tools then Extensions and enabling Developer mode. After this, the extensions can be loaded locally by clicking on “Load Unpacked”.
The malicious extension was disguised as “Forcepoint Endpoint Chrome Extension for Windows”. The attackers copied the name and the logo of Forcepoint to make the extension seem legitimate. Of course, Forcepoint had no relation to the mentioned extension.
The attackers used the following “manifest.json” file. Some parts have been redacted for security reasons.
The “manifest.json” file tells the computer the extension’s parameters and the permissions the extension has. The malicious code used in this manifest file was creating a text-based field for storing token keys. The sync feature will then enable these token keys to be uploaded to the Google Cloud.
Regarding this Zdrnja writes in a blog post that:
“In order to set, read or delete these keys, all the attacker has to do is log in with the same account to Google, in another Chrome browser (and this can be a throwaway account), and they can communicate with the Chrome browser in the victim’s network by abusing Google’s infrastructure.”
What’s at risk?
The infected browser can be abused in multiple ways. The attacker could access the user’s personal information, or it could be used to set up an exfiltration channel to the attacker’s browser. It could also be used to control a user’s browser from another location without worrying about any local defenses.
There would be no hindrance in these operations as Chrome’s legitimate infrastructure is used for carrying out these commands. Zdrnja said that blocking access to clients4.google.com might seem like a good option but that will not work. This site is used by Chrome browser for multiple purposes one of which is to check if the browser has access to the internet.
Abusing #Chrome extensions for data #exfiltration and C&C traffic – a new @sans_isc diary about a novel way to abuse Google's infrastructure through Chrome extensions. Enjoy the read at https://t.co/j3gJsMq5Pl#SANS
— Bojan Zdrnja (@bojanz) February 4, 2021
How to be safe?
The solution suggested by Zdrnja is to use Chrome’s enterprise features and group policy support. This will allow only safe extensions to be installed on the browser saving the users from an infected one.