A report by security company Radware suggests that Google Chrome users were exposed to yet another wave of malicious extensions offered to them on the official Chrome Web Store.

The extensions were used to perform "credential theft, cryptoming, click fraud, and more" according to Radware.

The company detected the family of new malware for Google Chrome with the help of machine-learning algorithms which it ran on a customer's computer network.

Security firm ICEBRG identified another set of malicious Chrome extensions earlier this year, and 2018 was also the year that extensions with Session Replay functionality appeared in the Store.

Another wave of malicious Chrome extensions detected

According to Radware's analysis, the malware has been active since at least March 2018. It infected more than 100,000 user devices in over 100 countries, and pushed at least seven different Chrome extensions with malicious content using the following attack vector:

• The attackers use Facebook advertisement to reach potential victims.
• Users are redirected to fake YouTube pages.
• A prompt is displayed asking them to install a Chrome extension to play the video.
• The click on "add extension" installs the extension and makes the user part of the botnet.
• The malicious JavaScript is executed on installation which downloads additional code from a command center.

The extensions that the attackers used were copies of popular Chrome extensions with malicious, obfuscated code, added to them.

Radware identified the following extensions:

• Nigelify
• PwnerLike
• Alt-j
• Fix-case
• Divinity 2 Original Sin: Wiki Skill Popup
• keeprivate
• iHabno

You can check the company blog for extension IDs and other information. Google removed all of them in the meantime.

The malware has multiple purposes:

• Steal Facebook account data by sending Facebook login cookies or Instagram cookies to the command center.
• Create a Facebook API token if signed in to Facebook and steal it as well.
• Spread the malware through Facebook using the user's friends network. This happens either as messages in Facebook Messenger or new Facebook posts that uses contact name tags.
• Mine cryptocurrency using the user's browser. The malware could mine three different coins (Monero, Bytecoin, and Electroneum).

The attackers created several protective measures to prevent users from interfering with the operation.

• It monitored Chrome's extensions management page and closed it whenever the user tried to open it.
• Prevents access to cleanup tools on Facebook and in Chrome, and it tried to prevent users from editing or deleting posts, or making comments.
• Use the browser to watch or like YouTube videos, or write comments.

Closing Words

The identification of the malware happened by accident. Radware's machine-learning algorithm detected the malware and that led to the identification of the network and the removal from the Google Chrome Store.

Considering that the attackers operated the extensions as early as March 2018, it is clear -- again -- that Google's protective system does not work properly.

Chrome users need to verify any extension before they hit the install button. A rule of thumb is that you should never install extensions that prompt you to do so outside of the Chrome Web Store but since malicious extensions are always hosted in the Store, it is not a 100% safeguard against these.

The main issue here is that the majority of users can't verify if a Chrome extension is legitimate or not as it requires analyzing its code.

This leaves running Chrome without extensions as the only option to stay safe.