Chrome extensions exploited in a massive PUA campaign

Credit to Author: Prashil Moon | Date: Thu, 11 Jan 2018 10:58:26 +0000

Browser extensions, also known as add-ons or plug-ins, are small programs that extend the functionality of a web browser, making it more convenient to use and giving a better browsing experience. Browser extensions are commonly used to:

- Enhance the appearance to the user's taste (e.g., the Momentum plug-in turns a new tab into a personal dashboard with a to-do list, personalized greetings, etc.)
- Add to the functionality of the browser (e.g., the SpeakIt plug-in reads selected text on the screen aloud)
- Integrate with other services and features (e.g., the Mozbar plug-in is a toolbar used to analyze websites and backlinks)

To build browser extensions, browser vendors and third-party developers use different technologies, such as browser-altering plug-ins called BHOs (Browser Helper Objects, in Internet Explorer), browser extension APIs (Application Programming Interfaces), etc. Web technologies such as JavaScript, HTML and similar scripting are also widely used to develop browser extensions; such extension scripts are injected directly into web pages as they load. It goes without saying that these widely used extensions have become a well-known malware attack vector, causing page redirection, spyware infection, malvertising, coin mining, pop-ups, poor system performance, etc.

Below are some malware infection scenarios related to browser extensions:

- Browser hijacking: contaminating existing and widely used browser extensions
- Installation of malicious extensions bundled with other applications
- Accidental installation by a user while visiting malicious websites

Comprehensive analysis of the massive PUA (Potentially Unwanted Application) campaign by Quick Heal Security Labs

Given their popularity, Chrome browser extensions are being increasingly targeted by attackers. A PUA campaign was observed wherein the clean code of legitimate Chrome extensions was copied as-is into the malicious ones, with the malicious content added alongside it.
After an in-depth analysis of these suspected Chrome extensions, Quick Heal Malware Reporting System identified around 1.2 million hijacked Chrome extensions. All these extensions have been cleaned by Quick Heal's Real-time Protection in the last two months.

Generally, a Chrome extension consists of an extension core written in HTML and JavaScript plus component files that together serve a common purpose. These component files specify the fundamental information about the extension, such as its display name, version, update information, and its actual functionality. All component files live in a single folder that includes manifest.json and one or more script or HTML files for the background page, content scripts, and popup. Content scripts run in the context of the web page, so they exchange data with the background page and popup through the extension messaging APIs (chrome.runtime.sendMessage / chrome.runtime.onMessage) rather than by calling each other's functions directly. Usually, Chrome checks for an update of an installed extension at regular intervals using the update URL specified in the extension's manifest (update_url). Attackers misuse this very mechanism to fulfil their ill intentions.

In the case of the PUA campaign observed by Quick Heal Security Labs, many of the Chrome extensions performing malicious activity were found to be similar to well-known and widely used Chrome extensions. Even the folder hierarchy of the extensions, their component files, and their basic functioning were similar to the legitimate ones. As there are many Chrome extensions for various functionalities, developed by the browser's vendor as well as by third-party developers, it is a daunting task to decide whether an extension is clean or malicious. However, the task of finding the malicious ones is not impossible.

A close view of the hijacked extensions

Figure 1 shows the comparison between the clean and the modified/hijacked extension script. As seen below, the hijacked extension contains exactly the same script code as the clean Chrome extension.
However, a block of code carrying the actual functionality has been modified with malicious code in order to perform the intended malicious activity.

Fig 1: Clean vs hijacked extension file

In some of the cases observed, extensions that were already installed were hijacked on the user's system by modifying the code of their content files. In other cases, the malicious code was injected directly at the extension's installation sites. As seen in Figure 1 above, a block of script code in the existing script file has been replaced with the malicious content responsible for the malicious activity. As the name and folder structure of the extension do not change after infection, nothing visible gives away the malicious activity. Many of the…