More Extensions, More Money, More Problems
Updated October 14, 2021.
In January, the Gigamon Applied Threat Research (ATR) team disclosed malicious Google Chrome extensions that were impacting over a half-million endpoints worldwide, enabling a massive click-fraud campaign and exposing enterprises to significant risk. After we notified Google, these extensions were removed from the Chrome Web Store and from users' browsers as well. Over the past two months, the Gigamon ATR team has continued to monitor for and identify new Chrome extensions suspected of engaging in similar click-fraud activity. This resulted in the identification of 35 additional extensions impacting at least 153,000 additional victims.
This blog will reveal details on the 35 additional extensions that we have uncovered, summarize offensive possibilities of browser extensions, and provide defensive recommendations including detection and prevention suggestions. It is our goal that continued analysis of this activity and release of technical indicators will better equip organizations to combat this threat and inspire the implementation of preventative controls.
The Gigamon ATR team reported these malicious extensions to Google’s Safe Browsing Operations team on 4/10/18. These extensions were removed from the Chrome Web Store on 4/11/18.
Additional Malicious Extensions
The Gigamon ATR team's continued monitoring efforts resulted in the identification of the extensions listed in Figure 1, all of which have been observed injecting click-fraud malware after installation. For a technical overview of these extensions, we recommend reviewing the previous blog post. Based on the behaviors and network infrastructure, we assess that this activity is directly associated with the previously reported malicious Chrome extensions. The capabilities and injection technique in these extensions could enable significantly more harmful activities and therefore pose a risk to enterprise environments. The Gigamon ATR team assesses it likely that additional extensions involved in this campaign remain undiscovered.
Name | Extension ID | Users | Associated Domain |
---|---|---|---|
Make it Rain Extension for Google Chrome | kpdbpckemafdmfkfphbpohlljkimnppg | 23,296 | make-it-rain[.]info |
What Font | hohfebhgndoinhkmgcilobohekbhndga | 23,121 | what-font[.]info |
Fidget Spinner – Online Spinning | ilbhjfopkkghamdeielkhilghjeajaha | 17,377 | fidget-spinner-online[.]info |
Split Screen Layouts – Tab Layouts | ijpmdegjjcjomfgcmpeggcfkmpbmfjhe | 15,412 | split-screen-layouts[.]info |
Messenger for FB™ | oonhhaopdfdpcmhjgpjcjnakgbefngij | 12,559 | messenger-for-fb[.]info |
Download Pro | cnmckkmibbdlcpeinbmbbnljfocepplp | 8,833 | download-pro[.]info |
Eyedropper for Chrome (Color Pick) | caiamknjlgmmapghdpkclpdecdapbhjl | 8,817 | eyedropper-for-chrome[.]info |
Select translator | fggpapnokdmcagooedemcgfhpcidnnbc | 7,547 | select-translator[.]info |
Audio Equalizer for Chrome | djbfpplfepkbhlgbjlkicgomibdgajdo | 7,029 | equalizer-for-chrome[.]info |
Page Auto Refresh | gbacofhdlmoakebnfciollcbpnaaepll | 6,620 | page-auto-refresh[.]info |
Night Screen | opmgglagcpchfpkhiddoldabakdkiafl | 4,033 | night-screen[.]info |
Responsinator – Responsive Web Design Tester | lpjjoahccbikjgljpiglhhjcdefijofk | 3,200 | responsinator[.]info |
Web Ruler | kgnahkoacnoahnoephenbbdimnfnkcih | 2,961 | web-ruler[.]info |
Hero Video Downloader | bkbmblkoligiepeiikoobjkmfpnhcfne | 2,279 | hero-video-downloader[.]info |
Web keyboard | coblickdgmopfeigiljfpipoimlmfgni | 1,288 | web-keyboard[.]info |
Calculator for chrome | cppodmcamcphompkpimnjcelbbhkipem | 1,263 | calculator-for-chrome[.]info |
Popup Window for YouTube | hapdkihnhiadeiolocdihoonnmfdbcbk | 1,274 | popup-window[.]info |
Dark Mode for Youtube | mklihabhmibnnljbkhepcepaamoagejk | 999 | dark-mode-for-youtube[.]info |
Zoomit – Hover Zoom | oogbaaolfhpoopkmpicohpppmdolgfdk | 914 | zoom-it[.]info |
Synonym for Chrome | icchggboamoimbgbeldefbllnclpkdak | 900 | synonym-for-chrome[.]info |
Group Invite All for FB | fgjedplemcjfaoobgiadbnjpjbbhodad | 784 | group-invite-all[.]info |
Free Dark Themes | mncjhnllpohmionejiigjnmibelmhdoo | 773 | free-dark-themes[.]info |
Emoji for Chrome | mhjkihhhpgllnianmdcigihekigldnap | 637 | emoji-for-chrome[.]info |
Cleaner for Chrome | bccjmmebjpnnjfiijcohnfcohdgljmkf | 450 | cleaner-for-chrome[.]info |
Professional Image Downloader | cneafklfjmhchljcgcmjgfkfkmancjfh | 332 | professional-image-downloader[.]info |
PopUp Block | kglcafgaealflddlgcbjcppjpnobjbnl | 270 | popup-block[.]info |
Copy All Urls | hmohkjflepfkableepiehdehdfamabff | 175 | copy-all-urls[.]info |
Download Manager | opfcjkdakkoooncoegnkiklglldgkbmp | 107 | download-manager[.]info |
Highlight Keywords | icilihloianbooemjccfkdjdomihpllm | 68 | highlight-keywords[.]info |
One Click Full Page Screenshot | dchgeccnjiagagglakifiaoejhmcejdd | 44 | one-click-screenshot[.]info |
Free Dictionary | gpdiekfipckckibicafneiefljjolcak | 38 | free-dictionary[.]info |
Simple Reader | jhoncmkfpmfjkellcnnhmekddepadehm | 37 | simple-reader[.]info |
Easy Tab Manager | coniahfhkdjfindlcljeoodlpbcoofki | 19 | easy-tab-manager[.]info |
Refresh All | ljblmoabhdlkobebmokdnbfbfgjniiia | 9 | refresh-all[.]info |
Read Later – Save To Pocket | bjhklcgekimdipkdhobggjojmejfhfhm | 4 | read-later[.]info |
Offensive Chrome Extensions
Malicious extensions could be extremely useful throughout an attack lifecycle for various post-exploitation techniques, and they leverage a user's trust in Google to gain an advantage. The Gigamon ATR team tested this threat vector by injecting a custom-developed JavaScript backdoor into a test extension via the getJSON method described in Part 1. After establishing access to the browser with our backdoor, we determined it was relatively easy to achieve adversarial objectives with the following techniques:
- Reboot Persistence: Browser extensions provide persistence on a victim system across reboots. Additionally, an extension that requests the "background" permission keeps running after the last browser window is closed.
- Browsing Screenshots: By leveraging the chrome.tabs.captureVisibleTab function of the Chrome extension API, a malicious actor could capture and exfiltrate screenshots of user browsing activity.
- Keylogging of Websites: By leveraging the chrome.tabs.executeScript function of the Chrome extension API, a malicious actor could inject a JavaScript keylogger into web pages that uses the KeyboardEvent keyCode property to record keystrokes. The captured keystrokes could be passed to the extension via Chrome's runtime messaging and exfiltrated from there.
- Form Submission Hijacking: By leveraging chrome.tabs.executeScript, a malicious actor could inject an event listener that captures form data on submit and exfiltrates it through the extension via Chrome messaging.
- Man-in-the-Browser: By issuing XMLHttpRequests from the extension, a malicious actor could force the victim's browser to submit web requests to targeted sites, including sites where the victim has an established authenticated session, since the browser attaches the session cookies automatically.
While no extensions exhibiting these characteristics have been discovered thus far, source code to perform the above techniques has been public for a significant period of time and has largely been weaponized through frameworks such as BeEF (the Browser Exploitation Framework). It should be noted that none of these features are vulnerabilities in or issues with Chrome itself; rather, they are natural functionality within JavaScript and the Chrome extension API being used for nefarious purposes. All of these techniques require permissions to be approved by the user at install time; however, excessive permission use is common across extensions.
Defense from Chrome Extensions
The community response to our first release of malicious Google Chrome extensions was extremely positive. Google’s Safe Browsing Operations team responded quickly and removed the extensions from the store.
Detection
Following our first post, public IDS signatures were released in the Emerging Threats signature set. These signatures (SID 2025220 and SID 2025221) have provided high-confidence indications of activity. It should be noted that the signatures match actor-controlled content, so they can be evaded with relative ease if the actor changes it.
In addition, we have identified the following network characteristics associated with the extensions, which will be helpful for teams searching for or identifying this activity:
- All of the command and control servers used across the extensions identified to date resided in the 109.206.0[.]0/16 subnet, within ASN 50245 (Serverel Inc).
- The involved domains each had a TLD of either ".info" or ".pro".
- The network communications can also be fingerprinted via the following characteristics:
  - HTTP POST requests with an empty request body.
  - A Google Chrome user-agent string (i.e., " Chrome/" in the User-Agent header).
  - An Origin header set to a Chrome extension ID on cross-origin requests (e.g., "Origin: chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa").
  - Traffic to known ad networks that does not include a Referer header in the HTTP request, or access to the ad network "search-engine[.]pro".
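To show how the fingerprints above combine in practice, here is a small triage script that scores normalized HTTP request records against them. This is an added example written for this post, not code from the original analysis or from any detection product. The record layout (method, host, dst_ip, body_len, headers), the weights and the alert threshold are assumptions; the sample records are constructed, with their hosts and IPs taken from the indicators in this post and Appendix A.

```python
"""Heuristic triage of proxy/NSM HTTP request records against the extension C2 fingerprints.

Added example, not code from the original post. Record layout, weights and threshold are
assumptions; SAMPLE_RECORDS are constructed using hosts/IPs from the post's indicators.
"""
import ipaddress
from typing import Dict, List, Tuple


def undefang(s: str) -> str:
    """Indicators in the post are written with [.]; turn them back into real names."""
    return s.replace("[.]", ".")


C2_NET = ipaddress.ip_network("109.206.0.0/16")                     # ASN 50245 range reported above
C2_TLDS = {"info", "pro"}
KNOWN_C2 = {undefang(d) for d in ("sk1.make-it-rain[.]info", "po1.what-font[.]info")}  # subset of Appendix A
AD_NETWORKS = {undefang("search-engine[.]pro"), "ads.adnetwork.example"}  # second entry is a placeholder
EXT_ORIGIN = "chrome-extension://"

# Weight per fingerprint: weak ones (a Chrome UA, a .info host) must never fire alone.
WEIGHTS = {"known C2 domain": 5, "dst in C2 /16": 3, "ad network, no Referer": 2,
           "extension Origin": 2, "empty POST": 1, ".info/.pro TLD": 1, "Chrome UA": 1}


def score_request(req: Dict) -> Tuple[int, List[str]]:
    """Return (score, matched fingerprints) for one normalized request record."""
    hdr = {k.lower(): v for k, v in req.get("headers", {}).items()}
    host = req.get("host", "").lower()
    hits: List[str] = []
    if host in KNOWN_C2:
        hits.append("known C2 domain")
    try:
        if ipaddress.ip_address(req.get("dst_ip", "")) in C2_NET:
            hits.append("dst in C2 /16")
    except ValueError:
        pass                                        # missing or malformed address: skip this check
    # search-engine[.]pro is flagged outright; other ad networks only when no Referer is present
    if host == undefang("search-engine[.]pro") or (host in AD_NETWORKS and "referer" not in hdr):
        hits.append("ad network, no Referer")
    origin = hdr.get("origin", "")
    ext_id = origin[len(EXT_ORIGIN):] if origin.startswith(EXT_ORIGIN) else ""
    if len(ext_id) == 32 and all("a" <= c <= "p" for c in ext_id):   # extension IDs are 32 chars of a-p
        hits.append("extension Origin")
    if req.get("method", "").upper() == "POST" and req.get("body_len", 0) == 0:
        hits.append("empty POST")
    if host.rsplit(".", 1)[-1] in C2_TLDS:
        hits.append(".info/.pro TLD")
    if " Chrome/" in hdr.get("user-agent", ""):
        hits.append("Chrome UA")
    return sum(WEIGHTS[h] for h in hits), hits


def triage(records: List[Dict], threshold: int = 4) -> List[Tuple[str, int, List[str]]]:
    """Records scoring at or above threshold, highest score first."""
    scored = [(r.get("host", ""), *score_request(r)) for r in records]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])


# Constructed sample records (not captured traffic).
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36")
SAMPLE_RECORDS = [
    {"method": "POST", "host": "po1.what-font.info", "dst_ip": "109.206.161.110", "body_len": 0,
     "headers": {"User-Agent": CHROME_UA,
                 "Origin": "chrome-extension://hohfebhgndoinhkmgcilobohekbhndga"}},
    {"method": "GET", "host": "search-engine.pro", "dst_ip": "109.206.176.171", "body_len": 0,
     "headers": {"User-Agent": CHROME_UA}},
    {"method": "POST", "host": "api.example.org", "dst_ip": "203.0.113.10", "body_len": 0,
     "headers": {"User-Agent": CHROME_UA, "Referer": "https://www.example.org/"}},
]

if __name__ == "__main__":
    for host, score, hits in triage(SAMPLE_RECORDS):
        print(f"{score:>3}  {host:<24} {', '.join(hits)}")
```

The weighting is the point: an empty POST from a Chrome user agent is ordinary browser behaviour and scores 2, while the same request carrying an extension Origin to a host in the reported /16 crosses the threshold even before the domain list is consulted. Swap KNOWN_C2 for the full Appendix A list and the sample records for your proxy export to run it for real.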
For those leveraging endpoint tools to profile or inventory Google Chrome extensions in their enterprise, understanding the artifacts present for extensions could be helpful. Through testing on various operating systems, we found that extensions are installed under the following paths (for the Default profile; additional profiles use a "Profile N" directory in place of "Default"). Each extension lives in a directory named with its extension ID, with one subdirectory per installed version containing the manifest.json:
- macOS: /Users/${USER}/Library/Application Support/Google/Chrome/Default/Extensions
- Windows: C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Extensions
- Linux: ~/.config/google-chrome/Default/Extensions/
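The following inventory script walks that directory layout, reads each manifest.json, resolves localized names and flags both listed IDs and broad permissions. It is an added example, not code from the original post or from any endpoint product. The sample profile it builds in a temporary directory is constructed: the manifest contents (including the permissions assigned to the "What Font" ID from the table above), the benign ID made of repeated "a" characters, and the RISKY permission set are all assumptions.

```python
"""Inventory installed Chrome extensions from the per-profile Extensions directory and flag
known-bad IDs and broad permissions.

Added example, not code from the original post. The sample profile is constructed in a
temporary directory; its manifests, the benign ID and the RISKY set are assumptions.
"""
import json
import os
import platform
import tempfile
from pathlib import Path
from typing import Dict, List

IOC_IDS = {"kpdbpckemafdmfkfphbpohlljkimnppg", "hohfebhgndoinhkmgcilobohekbhndga"}  # two IDs from the table above
RISKY = {"tabs", "<all_urls>", "background", "webRequest", "webRequestBlocking", "cookies"}


def chrome_extensions_dir(profile: str = "Default") -> Path:
    """Extensions directory for the running OS, following the paths listed above."""
    system = platform.system()
    if system == "Darwin":
        return Path.home() / "Library" / "Application Support" / "Google" / "Chrome" / profile / "Extensions"
    if system == "Windows":
        return Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data" / profile / "Extensions"
    return Path.home() / ".config" / "google-chrome" / profile / "Extensions"


def _display_name(ver_dir: Path, manifest: Dict) -> str:
    """Resolve a __MSG_key__ name through _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        msgs = ver_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        if msgs.is_file():
            table = json.loads(msgs.read_text(encoding="utf-8-sig"))
            name = table.get(name[6:-2], {}).get("message", name)
    return name


def inventory(extensions_root: Path) -> List[Dict]:
    """One record per <id>/<version>/manifest.json found under extensions_root."""
    records = []
    for ext_dir in sorted(p for p in extensions_root.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            mf = ver_dir / "manifest.json"
            if not mf.is_file():
                continue
            manifest = json.loads(mf.read_text(encoding="utf-8-sig"))   # tolerate a UTF-8 BOM
            perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
            records.append({
                "id": ext_dir.name,                          # the directory name is the extension ID
                "version": manifest.get("version", ver_dir.name),
                "name": _display_name(ver_dir, manifest),
                "risky_permissions": sorted(perms & RISKY),
                "known_bad": ext_dir.name in IOC_IDS,
            })
    return records


def build_sample_profile() -> Path:
    """Constructed fixture: one listed extension and one benign, localized one."""
    root = Path(tempfile.mkdtemp()) / "Default" / "Extensions"
    bad = root / "hohfebhgndoinhkmgcilobohekbhndga" / "1.0.2"
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({
        "manifest_version": 2, "name": "What Font", "version": "1.0.2",
        "permissions": ["tabs", "<all_urls>", "storage"]}), encoding="utf-8")
    ok = root / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "3.1"
    (ok / "_locales" / "en").mkdir(parents=True)
    (ok / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "__MSG_appName__", "default_locale": "en",
        "version": "3.1", "permissions": ["storage"]}), encoding="utf-8")
    (ok / "_locales" / "en" / "messages.json").write_text(
        json.dumps({"appName": {"message": "Benign Notes"}}), encoding="utf-8")
    return root


if __name__ == "__main__":
    # Point inventory() at chrome_extensions_dir() to scan the real profile instead.
    for rec in inventory(build_sample_profile()):
        print(rec)
```

Two details matter when running this against real profiles: store-installed extensions often carry a localized "__MSG_..." name that is meaningless without the messages.json lookup, and an extension that has auto-updated can have more than one version directory, so the same ID may legitimately appear twice.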
Windows Enterprise Extensions
While there are many preventative controls available, organizations can address the installation of unauthorized extensions at scale in a Microsoft Windows domain through Group Policy Objects (GPOs). Google has released deployment documentation that can assist in locking down the ability of users to install arbitrary extensions through Windows GPOs; the relevant policies are ExtensionInstallBlocklist (block everything with "*"), ExtensionInstallAllowlist (approved extension IDs) and ExtensionInstallForcelist (extensions installed automatically and not removable by the user). Applied through Active Directory, these policies enable you to properly control user-installed applications and extensions.
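To make the effect of those policies concrete, here is an added example (not from the original post or from Google's documentation) that evaluates a weak and a hardened policy set against a list of installed extension IDs and renders the hardened set as the numbered registry values a GPO writes under HKLM\SOFTWARE\Policies\Google\Chrome. The precedence modelled (a force-listed extension is exempt from the blocklist, an allow-listed one overrides a "*" blocklist) follows Chrome's documented policy behaviour; the approved ID and the force-listed ID made of repeated letters are assumptions.

```python
"""Evaluate Chrome extension install policies against installed extension IDs.

Added example, not code from the original post. Precedence: forcelist > allowlist > blocklist.
The approved/forced IDs below are placeholders; the update URL is the Chrome Web Store's.
"""
from typing import Dict, List

# What many environments effectively run: nothing blocked, so any store extension installs.
WEAK_POLICY: Dict[str, List[str]] = {
    "ExtensionInstallBlocklist": [],
    "ExtensionInstallAllowlist": [],
    "ExtensionInstallForcelist": [],
}

# Deny by default, then approve or mandate specific IDs.
HARDENED_POLICY: Dict[str, List[str]] = {
    "ExtensionInstallBlocklist": ["*"],
    "ExtensionInstallAllowlist": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"],              # assumed approved ID
    "ExtensionInstallForcelist": [                                                    # assumed mandated ID
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb;https://clients2.google.com/service/update2/crx"],
}


def decide(policy: Dict[str, List[str]], ext_id: str) -> str:
    """Return 'forced', 'allowed' or 'blocked' for one extension ID under the policy."""
    forced = {entry.split(";", 1)[0] for entry in policy.get("ExtensionInstallForcelist", [])}
    if ext_id in forced:
        return "forced"                                   # installed regardless of the blocklist
    if ext_id in policy.get("ExtensionInstallAllowlist", []):
        return "allowed"                                  # allowlist overrides the blocklist
    blocklist = policy.get("ExtensionInstallBlocklist", [])
    if "*" in blocklist or ext_id in blocklist:
        return "blocked"
    return "allowed"


def audit(policy: Dict[str, List[str]], installed_ids: List[str]) -> Dict[str, str]:
    """Decision per installed extension; anything not 'blocked' survives policy application."""
    return {ext_id: decide(policy, ext_id) for ext_id in installed_ids}


def registry_values(policy: Dict[str, List[str]]) -> Dict[str, Dict[str, str]]:
    """Render list policies as the numbered REG_SZ values Chrome reads under
    HKLM\\SOFTWARE\\Policies\\Google\\Chrome\\<PolicyName> (the layout a GPO writes)."""
    return {name: {str(i + 1): v for i, v in enumerate(values)} for name, values in policy.items()}


# Constructed sample: one ID from the table above plus the two placeholder IDs.
INSTALLED = ["hohfebhgndoinhkmgcilobohekbhndga",
             "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
             "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"]

if __name__ == "__main__":
    print("weak:    ", audit(WEAK_POLICY, INSTALLED))
    print("hardened:", audit(HARDENED_POLICY, INSTALLED))
    print(registry_values(HARDENED_POLICY))
```

The useful check before rolling a policy out is the difference between the two audit results: every ID that flips from "allowed" to "blocked" is an extension that will disappear from users' browsers, so that list is what to review with application owners.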
Wrap Up
While the activity we have observed in the wild has been of relatively low impact on users to date, nothing prevents targeted attackers from using extensions as a gateway to sensitive user information and corporate resources. It is crucial that enterprises implement layers of preventative controls paired with detection capabilities to ensure that they do not fall prey to these techniques.
The Gigamon ATR team expects that the actor responsible for the behavior disclosed in this post, or other actors leveraging Google Chrome, will continue to expand their operations for financial gain or other nefarious purposes outlined above. With this information, organizations can take the appropriate steps to help mitigate risk from unauthorized Chrome extensions.
The Gigamon ATR team is a network security analytics group that offers a SaaS capability that enables customers to gain and utilize widespread network visibility for security operations. As part of its research, the Gigamon ATR team coordinates disclosure of security threats and vulnerabilities with relevant parties in order to maximize both the response and victim remediation efforts as well as working to truly improve the security of customers and other victims prior to publishing blog posts. Gigamon Insight customers are monitored for this malicious activity via our Detections feature. To learn more about the Gigamon ATR team, please visit www.gigamon.com/research/applied-threat-research-team.html.
This article was written by ATR team members Justin Warner and Spencer Walden.
Appendix A: Indicators
Indicator | Type | Related Extension |
---|---|---|
sk1.make-it-rain[.]info | Domain | kpdbpckemafdmfkfphbpohlljkimnppg |
po1.what-font[.]info | Domain | hohfebhgndoinhkmgcilobohekbhndga |
po2.what-font[.]info | Domain | hohfebhgndoinhkmgcilobohekbhndga |
po3.what-font[.]info | Domain | hohfebhgndoinhkmgcilobohekbhndga |
po4.what-font[.]info | Domain | hohfebhgndoinhkmgcilobohekbhndga |
sk1.fidget-spinner-online[.]info | Domain | ilbhjfopkkghamdeielkhilghjeajaha |
ig1.split-screen-layouts[.]info | Domain | ijpmdegjjcjomfgcmpeggcfkmpbmfjhe |
ig2.split-screen-layouts[.]info | Domain | ijpmdegjjcjomfgcmpeggcfkmpbmfjhe |
ig1.messenger-for-fb[.]info | Domain | oonhhaopdfdpcmhjgpjcjnakgbefngij |
ig2.messenger-for-fb[.]info | Domain | oonhhaopdfdpcmhjgpjcjnakgbefngij |
po1.download-pro[.]info | Domain | cnmckkmibbdlcpeinbmbbnljfocepplp |
po2.download-pro[.]info | Domain | cnmckkmibbdlcpeinbmbbnljfocepplp |
po3.download-pro[.]info | Domain | cnmckkmibbdlcpeinbmbbnljfocepplp |
po4.download-pro[.]info | Domain | cnmckkmibbdlcpeinbmbbnljfocepplp |
gb1.eyedropper-for-chrome[.]info | Domain | caiamknjlgmmapghdpkclpdecdapbhjl |
ac1.select-translator[.]info | Domain | fggpapnokdmcagooedemcgfhpcidnnbc |
gb1.equalizer-for-chrome[.]info | Domain | djbfpplfepkbhlgbjlkicgomibdgajdo |
po1.page-auto-refresh[.]info | Domain | gbacofhdlmoakebnfciollcbpnaaepll |
po2.page-auto-refresh[.]info | Domain | gbacofhdlmoakebnfciollcbpnaaepll |
po3.page-auto-refresh[.]info | Domain | gbacofhdlmoakebnfciollcbpnaaepll |
po4.page-auto-refresh[.]info | Domain | gbacofhdlmoakebnfciollcbpnaaepll |
po1.night-screen[.]info | Domain | opmgglagcpchfpkhiddoldabakdkiafl |
po2.night-screen[.]info | Domain | opmgglagcpchfpkhiddoldabakdkiafl |
po3.night-screen[.]info | Domain | opmgglagcpchfpkhiddoldabakdkiafl |
po4.night-screen[.]info | Domain | opmgglagcpchfpkhiddoldabakdkiafl |
ig1.responsinator[.]info | Domain | lpjjoahccbikjgljpiglhhjcdefijofk |
ig2.responsinator[.]info | Domain | lpjjoahccbikjgljpiglhhjcdefijofk |
ac1.web-ruler[.]info | Domain | kgnahkoacnoahnoephenbbdimnfnkcih |
ac1.hero-video-downloader[.]info | Domain | bkbmblkoligiepeiikoobjkmfpnhcfne |
ac1.web-keyboard[.]info | Domain | coblickdgmopfeigiljfpipoimlmfgni |
ac1.calculator-for-chrome[.]info | Domain | cppodmcamcphompkpimnjcelbbhkipem |
po1.popup-window[.]info | Domain | hapdkihnhiadeiolocdihoonnmfdbcbk |
po2.popup-window[.]info | Domain | hapdkihnhiadeiolocdihoonnmfdbcbk |
po3.popup-window[.]info | Domain | hapdkihnhiadeiolocdihoonnmfdbcbk |
po4.popup-window[.]info | Domain | hapdkihnhiadeiolocdihoonnmfdbcbk |
ig1.dark-mode-for-youtube[.]info | Domain | mklihabhmibnnljbkhepcepaamoagejk |
ig2.dark-mode-for-youtube[.]info | Domain | mklihabhmibnnljbkhepcepaamoagejk |
ac1.zoom-it[.]info | Domain | oogbaaolfhpoopkmpicohpppmdolgfdk |
ig1.synonym-for-chrome[.]info | Domain | icchggboamoimbgbeldefbllnclpkdak |
ig2.synonym-for-chrome[.]info | Domain | icchggboamoimbgbeldefbllnclpkdak |
ig1.group-invite-all[.]info | Domain | fgjedplemcjfaoobgiadbnjpjbbhodad |
ig2.group-invite-all[.]info | Domain | fgjedplemcjfaoobgiadbnjpjbbhodad |
ac1.free-dark-themes[.]info | Domain | mncjhnllpohmionejiigjnmibelmhdoo |
ac1.emoji-for-chrome[.]info | Domain | mhjkihhhpgllnianmdcigihekigldnap |
ig1.cleaner-for-chrome[.]info | Domain | bccjmmebjpnnjfiijcohnfcohdgljmkf |
ig2.cleaner-for-chrome[.]info | Domain | bccjmmebjpnnjfiijcohnfcohdgljmkf |
ac1.professional-image-downloader[.]info | Domain | cneafklfjmhchljcgcmjgfkfkmancjfh |
ac1.popup-block[.]info | Domain | kglcafgaealflddlgcbjcppjpnobjbnl |
ig1.copy-all-urls[.]info | Domain | hmohkjflepfkableepiehdehdfamabff |
ig2.copy-all-urls[.]info | Domain | hmohkjflepfkableepiehdehdfamabff |
ac1.download-manager[.]info | Domain | opfcjkdakkoooncoegnkiklglldgkbmp |
ig1.highlight-keywords[.]info | Domain | icilihloianbooemjccfkdjdomihpllm |
ig2.highlight-keywords[.]info | Domain | icilihloianbooemjccfkdjdomihpllm |
sk1.one-click-screenshot[.]info | Domain | dchgeccnjiagagglakifiaoejhmcejdd |
ig1.free-dictionary[.]info | Domain | gpdiekfipckckibicafneiefljjolcak |
ig2.free-dictionary[.]info | Domain | gpdiekfipckckibicafneiefljjolcak |
ac1.simple-reader[.]info | Domain | jhoncmkfpmfjkellcnnhmekddepadehm |
ig1.easy-tab-manager[.]info | Domain | coniahfhkdjfindlcljeoodlpbcoofki |
ig2.easy-tab-manager[.]info | Domain | coniahfhkdjfindlcljeoodlpbcoofki |
ac1.refresh-all[.]info | Domain | ljblmoabhdlkobebmokdnbfbfgjniiia |
ig1.read-later[.]info | Domain | bjhklcgekimdipkdhobggjojmejfhfhm |
ig2.read-later[.]info | Domain | bjhklcgekimdipkdhobggjojmejfhfhm |
109.106.164.6 | IP Address | hohfebhgndoinhkmgcilobohekbhndga |
109.106.176.189 | IP Address | ilbhjfopkkghamdeielkhilghjeajaha |
109.206.161.110 | IP Address | hohfebhgndoinhkmgcilobohekbhndga cnmckkmibbdlcpeinbmbbnljfocepplp gbacofhdlmoakebnfciollcbpnaaepll opmgglagcpchfpkhiddoldabakdkiafl hapdkihnhiadeiolocdihoonnmfdbcbk |
109.206.164.6 | IP Address | cnmckkmibbdlcpeinbmbbnljfocepplp gbacofhdlmoakebnfciollcbpnaaepll opmgglagcpchfpkhiddoldabakdkiafl hapdkihnhiadeiolocdihoonnmfdbcbk |
109.206.164.7 | IP Address | hohfebhgndoinhkmgcilobohekbhndga cnmckkmibbdlcpeinbmbbnljfocepplp gbacofhdlmoakebnfciollcbpnaaepll opmgglagcpchfpkhiddoldabakdkiafl hapdkihnhiadeiolocdihoonnmfdbcbk |
109.206.176.171 | IP Address | ijpmdegjjcjomfgcmpeggcfkmpbmfjhe oonhhaopdfdpcmhjgpjcjnakgbefngij lpjjoahccbikjgljpiglhhjcdefijofk mklihabhmibnnljbkhepcepaamoagejk icchggboamoimbgbeldefbllnclpkdak fgjedplemcjfaoobgiadbnjpjbbhodad bccjmmebjpnnjfiijcohnfcohdgljmkf hmohkjflepfkableepiehdehdfamabff icilihloianbooemjccfkdjdomihpllm gpdiekfipckckibicafneiefljjolcak coniahfhkdjfindlcljeoodlpbcoofki bjhklcgekimdipkdhobggjojmejfhfhm |
109.206.176.172 | IP Address | ijpmdegjjcjomfgcmpeggcfkmpbmfjhe oonhhaopdfdpcmhjgpjcjnakgbefngij lpjjoahccbikjgljpiglhhjcdefijofk mklihabhmibnnljbkhepcepaamoagejk icchggboamoimbgbeldefbllnclpkdak fgjedplemcjfaoobgiadbnjpjbbhodad bccjmmebjpnnjfiijcohnfcohdgljmkf hmohkjflepfkableepiehdehdfamabff icilihloianbooemjccfkdjdomihpllm gpdiekfipckckibicafneiefljjolcak coniahfhkdjfindlcljeoodlpbcoofki bjhklcgekimdipkdhobggjojmejfhfhm |
109.206.176.188 | IP Address | hohfebhgndoinhkmgcilobohekbhndga cnmckkmibbdlcpeinbmbbnljfocepplp gbacofhdlmoakebnfciollcbpnaaepll opmgglagcpchfpkhiddoldabakdkiafl hapdkihnhiadeiolocdihoonnmfdbcbk |
109.206.176.189 | IP Address | dchgeccnjiagagglakifiaoejhmcejdd kpdbpckemafdmfkfphbpohlljkimnppg |
109.206.176.190 | IP Address | fggpapnokdmcagooedemcgfhpcidnnbc kgnahkoacnoahnoephenbbdimnfnkcih bkbmblkoligiepeiikoobjkmfpnhcfne coblickdgmopfeigiljfpipoimlmfgni cppodmcamcphompkpimnjcelbbhkipem oogbaaolfhpoopkmpicohpppmdolgfdk mncjhnllpohmionejiigjnmibelmhdoo mhjkihhhpgllnianmdcigihekigldnap cneafklfjmhchljcgcmjgfkfkmancjfh kglcafgaealflddlgcbjcppjpnobjbnl opfcjkdakkoooncoegnkiklglldgkbmp jhoncmkfpmfjkellcnnhmekddepadehm ljblmoabhdlkobebmokdnbfbfgjniiia |
109.206.176.170 | IP Address | djbfpplfepkbhlgbjlkicgomibdgajdo caiamknjlgmmapghdpkclpdecdapbhjl |