Authored by Oliver Devane and Vallabh CholeĀ
A few months ago, we blogged about malicious extensions redirecting users to phishing sites and inserting affiliate IDs into cookies of eCommerce sites. Since that time, we have investigated several other malicious extensions and discovered 5 extensions with a total install base of over 1,400,000
The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website. The latter borrows several phrases from another popular extension called GoFullPageĀ
Apart from offering the intended functionality, the extensions also track the userās browsing activity.Ā Every website visited is sent to servers owned by the extension creator. They do this so that they can insert code into eCommerce websites being visited. This action modifies the cookies on the site so that the extension authors receive affiliate payment for any items purchased.Ā Ā Ā Ā
The users of the extensions are unaware of this functionality and the privacy risk of every site being visited being sent to the servers of the extension authors.Ā Ā
The 5 extensions areĀ Ā
NameĀ | Extension IDĀ | UsersĀ |
Netflix PartyĀ | mmnbenehknklpbendgmgngeaignppnbeĀ | 800,000Ā |
Netflix Party 2Ā |
flijfnhifgdcbhglkneplegafminjnhnĀ | 300,000Ā |
FlipShope ā Price Tracker ExtensionĀ Ā |
adikhbfjdbjkhelbdnffogkobkekkkejĀ | 80,000Ā |
Full Page Screenshot Capture ā ScreenshottingĀ Ā |
pojgkmkfincpdkdgjepkmdekcahmckjpĀ | 200,000Ā |
AutoBuy Flash SalesĀ | gbnahglfafmhaehbdmjedfhdmimjcbedĀ | 20,000Ā |
Ā
Technical AnalysisĀ
This section contains the technical analysis of the malicious chrome extension āmmnbenehknklpbendgmgngeaignppnbeā. All 5 extensions perform similar behavior.Ā Ā Ā
Manifest.jsonĀ
Ā
The manifest.json sets the background page as bg.html. This HTML file loads b0.js and this is responsible for sending the URL being visited and injecting code into the eCommerce sites.Ā
B0.jsĀ
The b0.js script contains many functions. This blog will focus on the functions which are responsible for sending the visited URLs to the server and processing the response.Ā Ā
Chrome extensions work by subscribing to events which they then use as triggers to perform a certain activity. The extensions analyzed subscribe to events coming from chrome.tabs.onUpdated. chrome.tabs.onUpdated will trigger when a user navigates to a new URL within a tab.
Once this event triggers, the extension will set a variable called curl with the URL of the tab by using the tab.url variable. It creates several other variables which are then sent to d.langhort.com. The POST data is in the following format:
VariableĀ | DescriptionĀ |
RefĀ | Base64 encoded referral URLĀ |
CountyĀ | The county of the deviceĀ |
CityĀ | The city of the deviceĀ |
ZipĀ | The zip code of the deviceĀ |
ApisendĀ | A random ID generated for the user.Ā |
NameĀ | Base64 encoded URL being visitedĀ |
ext_nameĀ | The name of the chrome extensionsĀ |
Ā
The random ID is created by selecting 8 random characters in a character set. The code is shown below:Ā
The country, city, and zip are gathered using ip-api.com. The code is shown below:Ā
Upon receiving the URL, langhort.com will check if it matches a list of websites that it has an affiliate ID for, and If it does, it will respond to the query. An example of this is shown below:Ā
The data returned is in JSON format. The response is checked using the function below and will invoke further functions depending on what the response contains.Ā
Two of the functions are detailed below:Ā
Result[ācā] ā passf_urlĀ
If the result is ācā such as the one in this blog, the extension will query the returned URL. It will then check the response and if the status is 200 or 404, it will check if the query responded with a URL. If it did, it would insert the URL that is received from the server as an Iframe on the website being visited.Ā Ā
Result[āeā] setCookieĀ
If the result is āeā, the extension would insert the result as a cookie. We were unable to find a response of āeā during our analysis, but this would enable the authors to add any cookie to any website as the extensions had the correct ācookieā permissions.Ā Ā
Behavioral flowĀ
The images below show the step-by-step flow of events while navigating to the BestBuy website.Ā Ā
- The user navigates to bestbuy.com and the extension posts this URL in a Base64 format to d.langhort.com/chrome/TrackData/Ā
- Langhort.com responds with ācā and the URL. The ācā means the extension will invoke the function passf_url()Ā
- passf_url() will perform a request against the URLĀ
- the URL queried in step 3 is redirected using a 301 response to bestbuy.com with an affiliate ID associated with the Extension ownersĀ
- The extension will insert the URL as an Iframe in the bestbuy.com site being visited by the userĀ
- Shows the Cookie being set for the Affiliate ID associated with the Extension owners. They will now receive a commission for any purchases made on bestbuy.comĀ Ā
Here is a video of the eventsĀ
Time delay to avoid automated analysisĀ
We discovered an interesting trick in a few of the extensions that would prevent malicious activity from being identified in automated analysis environments. They contained a time check before they would perform any malicious activity. This was done by checking if the current date is > 15 days from the time of installation.Ā Ā
ConclusionāÆĀ
This blog highlights the risk of installing extensions, even those that have a large install base as they can still contain malicious code.Ā Ā
McAfee advises its customers to be cautious when installing Chrome extensions and pay attention to the permissions that they are requesting.āÆāÆĀ
The permissions will be shown by Chrome before the installation of the extension. Customers should take extra steps to verify the authenticity if the extension is requesting permissions that enable it to run on every website you visit such as the one detailed in this blogāÆĀ
McAfee customers are protected against theāÆmalicious sites detailed in this blogāÆas they are blocked with McAfee WebAdvisorāÆas shown below.āÆāÆĀ
The Malicious code within the extension is detected as JTI/Suspect. Please perform a āFullā scan via the product.āÆĀ
TypeĀ | ValueĀ | ProductĀ | DetectedĀ |
Chrome ExtensionĀ | Netflix Party ā mmnbenehknklpbendgmgngeaignppnbeĀ | Total Protection and LiveSafeĀ | JTI/SuspectĀ |
Chrome ExtensionĀ | FlipShope ā Price Tracker Extension ā adikhbfjdbjkhelbdnffogkobkekkkejĀ | Total Protection and LiveSafeĀ | JTI/SuspectĀ |
Chrome ExtensionĀ | Full Page Screenshot CaptureĀ
pojgkmkfincpdkdgjepkmdekcahmckjpĀ |
Total Protection and LiveSafeĀ | JTI/SuspectĀ |
Chrome ExtensionĀ | Netflix Party 2 ā flijfnhifgdcbhglkneplegafminjnhnĀ | Total Protection and LiveSafeĀ | JTI/SuspectĀ |
Chrome ExtensionĀ | AutoBuy Flash SalesĀ gbnahglfafmhaehbdmjedfhdmimjcbedĀ | Total Protection and LiveSafeĀ | JTI/SuspectĀ |
URLĀ | www.netflixparty1.comĀ | McAfee WebAdvisorĀ | BlockedĀ |
URLĀ | netflixpartyplus.comĀ | McAfee WebAdvisorĀ | BlockedĀ |
URLĀ | flipshope.comĀ | McAfee WebAdvisorĀ | BlockedĀ |
URLĀ | goscreenshotting.comĀ | McAfee WebAdvisorĀ | BlockedĀ |
URLĀ | langhort.comĀ | McAfee WebAdvisorĀ | BlockedĀ |
URLĀ | Unscart.inĀ | McAfee WebAdvisorĀ | BlockedĀ |
URLĀ | autobuyapp.comĀ | McAfee WebAdvisorĀ | BlockedĀ |