Security / April 13, 2018

More Extensions, More Money, More Problems

ATR  

Updated October 14, 2021.

In January, the Gigamon Applied Threat Research (ATR) team disclosed a set of malicious Google Chrome extensions that were present on over half a million endpoints worldwide, enabling a large click-fraud campaign and exposing enterprises to significant risk. After we notified Google, these extensions were removed from the Chrome Web Store and from the browsers of users who had installed them. Over the past two months, the Gigamon ATR team continued to monitor for and identify new Chrome extensions suspected of engaging in similar click-fraud activity. This resulted in the identification of 35 additional extensions affecting at least 153,000 additional victims.

This blog will reveal details on the 35 additional extensions that we have uncovered, summarize offensive possibilities of browser extensions, and provide defensive recommendations including detection and prevention suggestions. It is our goal that continued analysis of this activity and release of technical indicators will better equip organizations to combat this threat and inspire the implementation of preventative controls.

The Gigamon ATR team reported these malicious extensions to Google’s Safe Browsing Operations team on 4/10/18. These extensions were removed from the Chrome Web Store on 4/11/18.

Additional Malicious Extensions

Our continued monitoring efforts resulted in the identification of the extensions listed in Table 1, all of which have been observed injecting click-fraud code after installation. For a technical overview of the injection technique, see the previous blog post. Based on the behaviors and the shared network infrastructure, we assess that this activity is directly associated with the previously reported malicious Chrome extensions. The capabilities and injection technique in these extensions could enable significantly more harmful activity and therefore pose a risk to enterprise environments. The Gigamon ATR team considers it likely that additional extensions involved in this campaign remain undiscovered.

Name | Extension ID | Users | Associated Domain
Make it Rain Extension for Google Chrome | kpdbpckemafdmfkfphbpohlljkimnppg | 23,296 | make-it-rain[.]info
What Font | hohfebhgndoinhkmgcilobohekbhndga | 23,121 | what-font[.]info
Fidget Spinner – Online Spinning | ilbhjfopkkghamdeielkhilghjeajaha | 17,377 | fidget-spinner-online[.]info
Split Screen Layouts – Tab Layouts | ijpmdegjjcjomfgcmpeggcfkmpbmfjhe | 15,412 | split-screen-layouts[.]info
Messenger for FB™ | oonhhaopdfdpcmhjgpjcjnakgbefngij | 12,559 | messenger-for-fb[.]info
Download Pro | cnmckkmibbdlcpeinbmbbnljfocepplp | 8,833 | download-pro[.]info
Eyedropper for Chrome (Color Pick) | caiamknjlgmmapghdpkclpdecdapbhjl | 8,817 | eyedropper-for-chrome[.]info
Select translator | fggpapnokdmcagooedemcgfhpcidnnbc | 7,547 | select-translator[.]info
Audio Equalizer for Chrome | djbfpplfepkbhlgbjlkicgomibdgajdo | 7,029 | equalizer-for-chrome[.]info
Page Auto Refresh | gbacofhdlmoakebnfciollcbpnaaepll | 6,620 | page-auto-refresh[.]info
Night Screen | opmgglagcpchfpkhiddoldabakdkiafl | 4,033 | night-screen[.]info
Responsinator – Responsive Web Design Tester | lpjjoahccbikjgljpiglhhjcdefijofk | 3,200 | responsinator[.]info
Web Ruler | kgnahkoacnoahnoephenbbdimnfnkcih | 2,961 | web-ruler[.]info
Hero Video Downloader | bkbmblkoligiepeiikoobjkmfpnhcfne | 2,279 | hero-video-downloader[.]info
Web keyboard | coblickdgmopfeigiljfpipoimlmfgni | 1,288 | web-keyboard[.]info
Calculator for chrome | cppodmcamcphompkpimnjcelbbhkipem | 1,263 | calculator-for-chrome[.]info
Popup Window for YouTube | hapdkihnhiadeiolocdihoonnmfdbcbk | 1,274 | popup-window[.]info
Dark Mode for Youtube | mklihabhmibnnljbkhepcepaamoagejk | 999 | dark-mode-for-youtube[.]info
Zoomit – Hover Zoom | oogbaaolfhpoopkmpicohpppmdolgfdk | 914 | zoom-it[.]info
Synonym for Chrome | icchggboamoimbgbeldefbllnclpkdak | 900 | synonym-for-chrome[.]info
Group Invite All for FB | fgjedplemcjfaoobgiadbnjpjbbhodad | 784 | group-invite-all[.]info
Free Dark Themes | mncjhnllpohmionejiigjnmibelmhdoo | 773 | free-dark-themes[.]info
Emoji for Chrome | mhjkihhhpgllnianmdcigihekigldnap | 637 | emoji-for-chrome[.]info
Cleaner for Chrome | bccjmmebjpnnjfiijcohnfcohdgljmkf | 450 | cleaner-for-chrome[.]info
Professional Image Downloader | cneafklfjmhchljcgcmjgfkfkmancjfh | 332 | professional-image-downloader[.]info
PopUp Block | kglcafgaealflddlgcbjcppjpnobjbnl | 270 | popup-block[.]info
Copy All Urls | hmohkjflepfkableepiehdehdfamabff | 175 | copy-all-urls[.]info
Download Manager | opfcjkdakkoooncoegnkiklglldgkbmp | 107 | download-manager[.]info
Highlight Keywords | icilihloianbooemjccfkdjdomihpllm | 68 | highlight-keywords[.]info
One Click Full Page Screenshot | dchgeccnjiagagglakifiaoejhmcejdd | 44 | one-click-screenshot[.]info
Free Dictionary | gpdiekfipckckibicafneiefljjolcak | 38 | free-dictionary[.]info
Simple Reader | jhoncmkfpmfjkellcnnhmekddepadehm | 37 | simple-reader[.]info
Easy Tab Manager | coniahfhkdjfindlcljeoodlpbcoofki | 19 | easy-tab-manager[.]info
Refresh All | ljblmoabhdlkobebmokdnbfbfgjniiia | 9 | refresh-all[.]info
Read Later – Save To Pocket | bjhklcgekimdipkdhobggjojmejfhfhm | 4 | read-later[.]info
Table 1: Newly discovered extensions that enable click-fraud activity

Offensive Chrome Extensions

Malicious extensions could be extremely useful throughout an attack lifecycle for a variety of post-exploitation techniques, and they leverage a user’s trust in Google to gain an advantage. The Gigamon ATR team tested this threat vector by injecting a custom-developed JavaScript backdoor into a test extension via the getJSON method described in Part 1. After establishing access to the browser with our backdoor, we found it relatively easy to achieve adversarial objectives with the following techniques:

  • Reboot Persistence: Browser extensions provide persistence on a victim system across reboots, because the extension is reloaded every time the browser starts. Additionally, an extension granted the “background” permission keeps running after the last browser window is closed.
  • Browsing Screenshots: By leveraging the chrome.tabs.captureVisibleTab function of the Google Chrome API, a malicious actor could capture and exfiltrate screenshots of user browsing activity.
  • Keylogging of Websites: By leveraging the chrome.tabs.executeScript function of the Google Chrome API, a malicious actor could inject a JavaScript keylogger into web pages that uses the KeyboardEvent keyCode property to record keystrokes. The captured data could be exfiltrated through the extension via Chrome messaging.
  • Form Submission Hijacking: By leveraging the chrome.tabs.executeScript function of the Google Chrome API, a malicious actor could inject an event listener that captures form data and exfiltrates it through the extension via Chrome messaging.
  • Man in the Browser: By leveraging XMLHttpRequest from the extension’s context, a malicious actor could force the victim browser to submit web requests to targeted sites, including sites on which the victim already holds an authenticated session.

While no extensions discovered thus far exhibit these characteristics, source code to perform the above techniques has been public for a long time and has largely already been weaponized in frameworks such as BeEF, the Browser Exploitation Framework. It should be noted that none of these features are vulnerabilities or issues in Chrome itself; they are natural functionality of JavaScript and the Chrome API being used for nefarious purposes. All of these techniques require permissions that the user must approve at install time; however, excessive permission requests are common across extensions, so users rarely treat them as a warning sign.

Defense from Chrome Extensions

The community response to our first release of malicious Google Chrome extensions was extremely positive. Google’s Safe Browsing Operations team responded quickly and removed the extensions from the store.

Detection

Following our first post, public IDS signatures were released in the Emerging Threats signature set. These signatures (SID 2025220 and SID 2025221) have provided high-confidence indications of activity. It should be noted that the signatures match actor-controlled content, so the actor can evade them with relative ease by changing that content.

In addition, we have identified the following network characteristics associated with the extensions, which should help teams searching for or identifying this activity:

  • All of the command and control servers observed across the extensions identified to date sat in the 109.206.0[.]0/16 subnet, ASN 50245 (Serverel Inc). Note that two IP entries in Appendix A are recorded as 109.106.x addresses, which fall outside that range, so treat the subnet as a strong filter rather than an exclusive one.
  • The involved domains each used the “.info” or “.pro” TLD.
  • The network communications can also be fingerprinted via the following characteristics:
    • HTTP POST requests with an empty request body.
    • A Google Chrome user-agent string (i.e. “ Chrome/” in the User-Agent header).
    • An Origin header set to a Chrome extension ID on cross-origin requests (e.g. “Origin: chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa”).
  • Traffic to known ad networks that carries no Referer header, or any access to the ad network “search-engine[.]pro”.
  No single characteristic is high confidence on its own (a Chrome user agent is ubiquitous); the signal comes from several of them occurring together on the same request.
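The characteristics above can be turned into a scoring rule that a hunt team runs over proxy or NSM request metadata. The following is an added example written for this post, not code from Gigamon ATR; the record shape (method, host, dstIp, body, headers), the threshold of three indicators, the second AD_NETWORKS entry and the sample requests are all assumptions constructed for illustration.

```javascript
"use strict";

// Added example, not code from the original post: score HTTP request metadata
// against the network characteristics listed above. The record shape, the `min`
// threshold and the sample records are assumptions for illustration.

// C2 range and the ad network named in the post. The second AD_NETWORKS entry is
// an assumed placeholder that an analyst would replace with real ad-network hosts.
const C2_CIDR = { base: "109.206.0.0", bits: 16 }; // bits in 1..32
const AD_NETWORKS = new Set(["search-engine.pro", "ads.adnet-placeholder.test"]);

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

function inCidr(ip, cidr) {
  const mask = (0xffffffff << (32 - cidr.bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(cidr.base) & mask) >>> 0);
}

// Case-insensitive header lookup; returns undefined when the header is absent.
function header(req, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(req.headers || {})) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

// Returns the list of indicators from the post that a single request matches.
function fingerprintRequest(req) {
  const hits = [];
  const ua = header(req, "user-agent") || "";
  const origin = header(req, "origin") || "";
  const host = (req.host || "").toLowerCase();

  if (req.method === "POST" && !(req.body && req.body.length)) hits.push("empty-post");
  if (ua.includes(" Chrome/")) hits.push("chrome-ua");
  if (/^chrome-extension:\/\/[a-p]{32}$/.test(origin)) hits.push("extension-origin");
  if (req.dstIp && inCidr(req.dstIp, C2_CIDR)) hits.push("c2-subnet");
  if (/\.(info|pro)$/.test(host)) hits.push("suspect-tld");
  if (AD_NETWORKS.has(host) && header(req, "referer") === undefined) hits.push("adnet-no-referer");
  return hits;
}

// Keeps records matching at least `min` indicators, most hits first. A single
// hit (such as chrome-ua) is noise; the stack of indicators is the signal.
function triage(records, min = 3) {
  return records
    .map((r) => ({ id: r.id, hits: fingerprintRequest(r) }))
    .filter((r) => r.hits.length >= min)
    .sort((a, b) => b.hits.length - a.hits.length);
}

// Constructed sample traffic (not captured data): an extension beacon, a click
// on the ad network with no Referer, and ordinary API use from Chrome.
const CHROME_UA =
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36";
const SAMPLE_REQUESTS = [
  { id: "beacon", method: "POST", host: "po1.page-auto-refresh.info", dstIp: "109.206.164.6", body: "",
    headers: { "User-Agent": CHROME_UA, Origin: "chrome-extension://gbacofhdlmoakebnfciollcbpnaaepll" } },
  { id: "click", method: "GET", host: "search-engine.pro", dstIp: "203.0.113.10", body: "",
    headers: { "User-Agent": CHROME_UA } },
  { id: "benign", method: "POST", host: "api.example.test", dstIp: "198.51.100.5", body: "{\"q\":1}",
    headers: { "User-Agent": CHROME_UA, Referer: "https://example.test/" } },
];

for (const r of triage(SAMPLE_REQUESTS)) {
  console.log(`${r.id}: ${r.hits.join(", ")}`);
}
```

Run with `node` and the beacon record scores five indicators and the Referer-less ad click three, while the benign request scores only the ubiquitous Chrome user agent and drops below the threshold. Feeding real proxy logs means mapping each log format onto the record shape used here; the indicator logic itself does not change.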

For those using endpoint tools to profile or inventory Google Chrome extensions in their enterprise, knowing where the extension artifacts live is helpful. Through testing on various operating systems, we found that extensions are installed under the following paths, laid out as <extension ID>/<version>/manifest.json. The “Default” directory is the first Chrome profile; additional profiles live in sibling “Profile N” directories and must be inventoried as well:

  • macOS: /Users/${USER}/Library/Application Support/Google/Chrome/Default/Extensions
  • Windows:  C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Extensions
  • Linux: ~/.config/google-chrome/Default/Extensions/

Windows Enterprise Extensions

While many preventative controls are available, organizations can address the installation of unauthorized extensions at scale in a Microsoft Windows domain through Group Policy Objects (GPO). Google publishes Chrome policy templates and deployment documentation that let administrators restrict which extensions users may install: ExtensionInstallBlocklist (set to “*” to block everything not explicitly allowed), ExtensionInstallAllowlist (the approved extension IDs) and ExtensionInstallForcelist (extensions that must be installed). Whether a policy has actually applied can be verified on an endpoint at chrome://policy. These Active Directory features are extremely useful and enable proper control of user-installed applications and extensions.

Wrap Up

While the activity we have observed in the wild has been of relatively low impact on users to date, nothing prevents targeted attackers from using extensions as a gateway to sensitive user information and corporate resources. It is crucial that enterprises implement layers of preventative controls paired with detection capabilities to ensure that they do not fall prey to these techniques.

The Gigamon ATR team expects that the actor responsible for the behavior disclosed in this post, or other actors leveraging Google Chrome, will continue to expand their operations for financial gain or other nefarious purposes outlined above. With this information, organizations can take the appropriate steps to help mitigate risk from unauthorized Chrome extensions.

The Gigamon ATR team is a network security analytics group that offers a SaaS capability that enables customers to gain and utilize widespread network visibility for security operations. As part of its research, the Gigamon ATR team coordinates disclosure of security threats and vulnerabilities with relevant parties in order to maximize both the response and victim remediation efforts as well as working to truly improve the security of customers and other victims prior to publishing blog posts. Gigamon Insight customers are monitored for this malicious activity via our Detections feature. To learn more about the Gigamon ATR team, please visit www.gigamon.com/research/applied-threat-research-team.html.

This article was written by ATR team members Justin Warner and Spencer Walden.

Appendix A: Indicators

Indicator | Type | Related Extension
sk1.make-it-rain[.]info | Domain | kpdbpckemafdmfkfphbpohlljkimnppg
po1.what-font[.]info | Domain | hohfebhgndoinhkmgcilobohekbhndga
po2.what-font[.]info | Domain | hohfebhgndoinhkmgcilobohekbhndga
po3.what-font[.]info | Domain | hohfebhgndoinhkmgcilobohekbhndga
po4.what-font[.]info | Domain | hohfebhgndoinhkmgcilobohekbhndga
sk1.fidget-spinner-online[.]info | Domain | ilbhjfopkkghamdeielkhilghjeajaha
ig1.split-screen-layouts[.]info | Domain | ijpmdegjjcjomfgcmpeggcfkmpbmfjhe
ig2.split-screen-layouts[.]info | Domain | ijpmdegjjcjomfgcmpeggcfkmpbmfjhe
ig1.messenger-for-fb[.]info | Domain | oonhhaopdfdpcmhjgpjcjnakgbefngij
ig2.messenger-for-fb[.]info | Domain | oonhhaopdfdpcmhjgpjcjnakgbefngij
po1.download-pro[.]info | Domain | cnmckkmibbdlcpeinbmbbnljfocepplp
po2.download-pro[.]info | Domain | cnmckkmibbdlcpeinbmbbnljfocepplp
po3.download-pro[.]info | Domain | cnmckkmibbdlcpeinbmbbnljfocepplp
po4.download-pro[.]info | Domain | cnmckkmibbdlcpeinbmbbnljfocepplp
gb1.eyedropper-for-chrome[.]info | Domain | caiamknjlgmmapghdpkclpdecdapbhjl
ac1.select-translator[.]info | Domain | fggpapnokdmcagooedemcgfhpcidnnbc
gb1.equalizer-for-chrome[.]info | Domain | djbfpplfepkbhlgbjlkicgomibdgajdo
po1.page-auto-refresh[.]info | Domain | gbacofhdlmoakebnfciollcbpnaaepll
po2.page-auto-refresh[.]info | Domain | gbacofhdlmoakebnfciollcbpnaaepll
po3.page-auto-refresh[.]info | Domain | gbacofhdlmoakebnfciollcbpnaaepll
po4.page-auto-refresh[.]info | Domain | gbacofhdlmoakebnfciollcbpnaaepll
po1.night-screen[.]info | Domain | opmgglagcpchfpkhiddoldabakdkiafl
po2.night-screen[.]info | Domain | opmgglagcpchfpkhiddoldabakdkiafl
po3.night-screen[.]info | Domain | opmgglagcpchfpkhiddoldabakdkiafl
po4.night-screen[.]info | Domain | opmgglagcpchfpkhiddoldabakdkiafl
ig1.responsinator[.]info | Domain | lpjjoahccbikjgljpiglhhjcdefijofk
ig2.responsinator[.]info | Domain | lpjjoahccbikjgljpiglhhjcdefijofk
ac1.web-ruler[.]info | Domain | kgnahkoacnoahnoephenbbdimnfnkcih
ac1.hero-video-downloader[.]info | Domain | bkbmblkoligiepeiikoobjkmfpnhcfne
ac1.web-keyboard[.]info | Domain | coblickdgmopfeigiljfpipoimlmfgni
ac1.calculator-for-chrome[.]info | Domain | cppodmcamcphompkpimnjcelbbhkipem
po1.popup-window[.]info | Domain | hapdkihnhiadeiolocdihoonnmfdbcbk
po2.popup-window[.]info | Domain | hapdkihnhiadeiolocdihoonnmfdbcbk
po3.popup-window[.]info | Domain | hapdkihnhiadeiolocdihoonnmfdbcbk
po4.popup-window[.]info | Domain | hapdkihnhiadeiolocdihoonnmfdbcbk
ig1.dark-mode-for-youtube[.]info | Domain | mklihabhmibnnljbkhepcepaamoagejk
ig2.dark-mode-for-youtube[.]info | Domain | mklihabhmibnnljbkhepcepaamoagejk
ac1.zoom-it[.]info | Domain | oogbaaolfhpoopkmpicohpppmdolgfdk
ig1.synonym-for-chrome[.]info | Domain | icchggboamoimbgbeldefbllnclpkdak
ig2.synonym-for-chrome[.]info | Domain | icchggboamoimbgbeldefbllnclpkdak
ig1.group-invite-all[.]info | Domain | fgjedplemcjfaoobgiadbnjpjbbhodad
ig2.group-invite-all[.]info | Domain | fgjedplemcjfaoobgiadbnjpjbbhodad
ac1.free-dark-themes[.]info | Domain | mncjhnllpohmionejiigjnmibelmhdoo
ac1.emoji-for-chrome[.]info | Domain | mhjkihhhpgllnianmdcigihekigldnap
ig1.cleaner-for-chrome[.]info | Domain | bccjmmebjpnnjfiijcohnfcohdgljmkf
ig2.cleaner-for-chrome[.]info | Domain | bccjmmebjpnnjfiijcohnfcohdgljmkf
ac1.professional-image-downloader[.]info | Domain | cneafklfjmhchljcgcmjgfkfkmancjfh
ac1.popup-block[.]info | Domain | kglcafgaealflddlgcbjcppjpnobjbnl
ig1.copy-all-urls[.]info | Domain | hmohkjflepfkableepiehdehdfamabff
ig2.copy-all-urls[.]info | Domain | hmohkjflepfkableepiehdehdfamabff
ac1.download-manager[.]info | Domain | opfcjkdakkoooncoegnkiklglldgkbmp
ig1.highlight-keywords[.]info | Domain | icilihloianbooemjccfkdjdomihpllm
ig2.highlight-keywords[.]info | Domain | icilihloianbooemjccfkdjdomihpllm
sk1.one-click-screenshot[.]info | Domain | dchgeccnjiagagglakifiaoejhmcejdd
ig1.free-dictionary[.]info | Domain | gpdiekfipckckibicafneiefljjolcak
ig2.free-dictionary[.]info | Domain | gpdiekfipckckibicafneiefljjolcak
ac1.simple-reader[.]info | Domain | jhoncmkfpmfjkellcnnhmekddepadehm
ig1.easy-tab-manager[.]info | Domain | coniahfhkdjfindlcljeoodlpbcoofki
ig2.easy-tab-manager[.]info | Domain | coniahfhkdjfindlcljeoodlpbcoofki
ac1.refresh-all[.]info | Domain | ljblmoabhdlkobebmokdnbfbfgjniiia
ig1.read-later[.]info | Domain | bjhklcgekimdipkdhobggjojmejfhfhm
ig2.read-later[.]info | Domain | bjhklcgekimdipkdhobggjojmejfhfhm
109.106.164.6 | IP Address | hohfebhgndoinhkmgcilobohekbhndga
109.106.176.189 | IP Address | ilbhjfopkkghamdeielkhilghjeajaha
109.206.161.110 | IP Address | hohfebhgndoinhkmgcilobohekbhndga, cnmckkmibbdlcpeinbmbbnljfocepplp, gbacofhdlmoakebnfciollcbpnaaepll, opmgglagcpchfpkhiddoldabakdkiafl, hapdkihnhiadeiolocdihoonnmfdbcbk
109.206.164.6 | IP Address | cnmckkmibbdlcpeinbmbbnljfocepplp, gbacofhdlmoakebnfciollcbpnaaepll, opmgglagcpchfpkhiddoldabakdkiafl, hapdkihnhiadeiolocdihoonnmfdbcbk
109.206.164.7 | IP Address | hohfebhgndoinhkmgcilobohekbhndga, cnmckkmibbdlcpeinbmbbnljfocepplp, gbacofhdlmoakebnfciollcbpnaaepll, opmgglagcpchfpkhiddoldabakdkiafl, hapdkihnhiadeiolocdihoonnmfdbcbk
109.206.176.171 | IP Address | ijpmdegjjcjomfgcmpeggcfkmpbmfjhe, oonhhaopdfdpcmhjgpjcjnakgbefngij, lpjjoahccbikjgljpiglhhjcdefijofk, mklihabhmibnnljbkhepcepaamoagejk, icchggboamoimbgbeldefbllnclpkdak, fgjedplemcjfaoobgiadbnjpjbbhodad, bccjmmebjpnnjfiijcohnfcohdgljmkf, hmohkjflepfkableepiehdehdfamabff, icilihloianbooemjccfkdjdomihpllm, gpdiekfipckckibicafneiefljjolcak, coniahfhkdjfindlcljeoodlpbcoofki, bjhklcgekimdipkdhobggjojmejfhfhm
109.206.176.172 | IP Address | ijpmdegjjcjomfgcmpeggcfkmpbmfjhe, oonhhaopdfdpcmhjgpjcjnakgbefngij, lpjjoahccbikjgljpiglhhjcdefijofk, mklihabhmibnnljbkhepcepaamoagejk, icchggboamoimbgbeldefbllnclpkdak, fgjedplemcjfaoobgiadbnjpjbbhodad, bccjmmebjpnnjfiijcohnfcohdgljmkf, hmohkjflepfkableepiehdehdfamabff, icilihloianbooemjccfkdjdomihpllm, gpdiekfipckckibicafneiefljjolcak, coniahfhkdjfindlcljeoodlpbcoofki, bjhklcgekimdipkdhobggjojmejfhfhm
109.206.176.188 | IP Address | hohfebhgndoinhkmgcilobohekbhndga, cnmckkmibbdlcpeinbmbbnljfocepplp, gbacofhdlmoakebnfciollcbpnaaepll, opmgglagcpchfpkhiddoldabakdkiafl, hapdkihnhiadeiolocdihoonnmfdbcbk
109.206.176.189 | IP Address | dchgeccnjiagagglakifiaoejhmcejdd, kpdbpckemafdmfkfphbpohlljkimnppg
109.206.176.190 | IP Address | fggpapnokdmcagooedemcgfhpcidnnbc, kgnahkoacnoahnoephenbbdimnfnkcih, bkbmblkoligiepeiikoobjkmfpnhcfne, coblickdgmopfeigiljfpipoimlmfgni, cppodmcamcphompkpimnjcelbbhkipem, oogbaaolfhpoopkmpicohpppmdolgfdk, mncjhnllpohmionejiigjnmibelmhdoo, mhjkihhhpgllnianmdcigihekigldnap, cneafklfjmhchljcgcmjgfkfkmancjfh, kglcafgaealflddlgcbjcppjpnobjbnl, opfcjkdakkoooncoegnkiklglldgkbmp, jhoncmkfpmfjkellcnnhmekddepadehm, ljblmoabhdlkobebmokdnbfbfgjniiia
109.206.176.170 | IP Address | djbfpplfepkbhlgbjlkicgomibdgajdo, caiamknjlgmmapghdpkclpdecdapbhjl
