1Likes
LinkBack URL
About LinkBacksUS-based security firm ICEBRG revealed yesterday that it detected four malicious Google Chrome extensions at the official Chrome Web Store.
The extensions had a combined user count of more than 500,000 users at that time. The company notified Google and authorities about the extensions; Google pulled three of the four extensions from the Store in the meantime.
The extensions in question are Lite Bookmarks**, Stickies – Chrome’s Post-it Notes, Change HTTP Request Header and Nyoogle – Custom Logo for Google with Nyoogle still available at the official Web Store at the time of writing.
ICEBRG stumbled upon the malicious extensions during an investigation of a “suspicious spike in outbound traffic from a customer workstation.” It identified the Chrome extension Change HTTP Request Header as the culprit and began to analyze the extension’s behavior.
The company notes in a blog post that the extension itself was clean of malicious code but set up for JavaScript code injection. The technicalities are described in detail on the ICEBRG blog.
The author of the extension could inject and execute arbitrary JavaScript code. The security researchers noticed that obfuscated JavaScript code was retrieved from a control server to user systems with the extension. According to ICEBRG, the threat actor used this for “visiting advertising related domains”; a strong indicator for a click fraud campaign.
While the researchers did not notice other misbehavior by the extension, capabilities were in place to use it for other means.
The same capability could also be used by the threat actor to browse internal sites of victim networks, effectively bypassing perimeter controls that are meant to protect internal assets from external parties.
The detected extensions use similar methods, but it is unclear if they are operated by the same group. It seems likely considering the similarity of methods used to bypass Google’s automated checks of Chrome extension uploads and behavior.
Chrome users should verify on chrome://extensions that none of the extensions are installed. It is recommended that you remove these extensions immediately.
Closing Words
Google’s automated system that checks Chrome extensions before they are offered on the Store is severely broken. The last year alone saw a number of incidents where malicious Chrome extensions slipped past Google’s detection routines to infect hundreds of thousands of user systems.
Torrent Invites! Buy, Trade, Sell Or Find Free Invites, For EVERY Private Tracker! HDBits.org, BTN, PTP, MTV, Empornium, Orpheus, Bibliotik, RED, IPT, TL, PHD etc!
Results 1 to 1 of 1
-
01-16-2018 #1sednaGuest
Security firm ICEBRG uncovers 4 malicious Chrome extensions
kirill likes this.
Reply With Quote
