MORE EXTENSIONS, MORE MONEY, MORE PROBLEMS

April 13, 2018

By: Spencer Walden, Justin Warner
Tags: Click-Fraud, Threat Research

In January, ICEBRG disclosed the presence of malicious Google Chrome extensions that were impacting over a half-million endpoints worldwide, enabling a massive click-fraud campaign and exposing enterprises to significant risk. After ICEBRG notified Google, the extensions were removed from the Chrome Web Store and from users' browsers as well. Over the past two months, ICEBRG’s Security Research Team (SRT) continued to monitor for and identify new Chrome extensions suspected of engaging in similar click-fraud activity. This resulted in the identification of 35 additional extensions impacting at least 153,000 additional victims.

This blog will reveal details on the 35 additional extensions that we have uncovered, summarize offensive possibilities of browser extensions, and provide defensive recommendations including detection and prevention suggestions. It is our goal that continued analysis of this activity and release of technical indicators will better equip organizations to combat this threat and inspire the implementation of preventative controls.

ICEBRG reported these malicious extensions to Google’s Safe Browsing Operations team on 4/10/18. These extensions were removed from the Chrome Web Store on 4/11/18.

Additional Malicious Extensions

SRT’s continued monitoring efforts resulted in the identification of the extensions listed in Figure 1, all of which have been observed injecting click-fraud malware after installation. For a technical overview of these extensions, we recommend reviewing the previous blog post. Based on the behaviors and network infrastructure, we assess that this activity is directly associated with the previously reported malicious Chrome extensions. The capabilities and injection technique in these extensions could enable significantly more harmful activity and therefore pose a risk to enterprise environments. ICEBRG assesses it likely that additional extensions involved in this campaign remain undiscovered.

Name | Extension ID | Users | Associated Domains
Make it Rain Extension for Google Chrome | kpdbpckemafdmfkfphbpohlljkimnppg | 23,296 | make-it-rain[.]info
What Font | hohfebhgndoinhkmgcilobohekbhndga | 23,121 | what-font[.]info
Fidget Spinner - Online Spinning | ilbhjfopkkghamdeielkhilghjeajaha | 17,377 | fidget-spinner-online[.]info
Split Screen Layouts - Tab Layouts | ijpmdegjjcjomfgcmpeggcfkmpbmfjhe | 15,412 | split-screen-layouts[.]info
Messenger for FB™ | oonhhaopdfdpcmhjgpjcjnakgbefngij | 12,559 | messenger-for-fb[.]info
Download Pro | cnmckkmibbdlcpeinbmbbnljfocepplp | 8,833 | download-pro[.]info
Eyedropper for Chrome (Color Pick) | caiamknjlgmmapghdpkclpdecdapbhjl | 8,817 | eyedropper-for-chrome[.]info
Select translator | fggpapnokdmcagooedemcgfhpcidnnbc | 7,547 | select-translator[.]info
Audio Equalizer for Chrome | djbfpplfepkbhlgbjlkicgomibdgajdo | 7,029 | equalizer-for-chrome[.]info
Page Auto Refresh | gbacofhdlmoakebnfciollcbpnaaepll | 6,620 | page-auto-refresh[.]info
Night Screen | opmgglagcpchfpkhiddoldabakdkiafl | 4,033 | night-screen[.]info
Responsinator - Responsive Web Design Tester | lpjjoahccbikjgljpiglhhjcdefijofk | 3,200 | responsinator[.]info
Web Ruler | kgnahkoacnoahnoephenbbdimnfnkcih | 2,961 | web-ruler[.]info
Hero Video Downloader | bkbmblkoligiepeiikoobjkmfpnhcfne | 2,279 | hero-video-downloader[.]info
Web keyboard | coblickdgmopfeigiljfpipoimlmfgni | 1,288 | web-keyboard[.]info
Calculator for chrome | cppodmcamcphompkpimnjcelbbhkipem | 1,263 | calculator-for-chrome[.]info
Popup Window for YouTube | hapdkihnhiadeiolocdihoonnmfdbcbk | 1,274 | popup-window[.]info
Dark Mode for Youtube | mklihabhmibnnljbkhepcepaamoagejk | 999 | dark-mode-for-youtube[.]info
Zoomit - Hover Zoom | oogbaaolfhpoopkmpicohpppmdolgfdk | 914 | zoom-it[.]info
Synonym for Chrome | icchggboamoimbgbeldefbllnclpkdak | 900 | synonym-for-chrome[.]info
Group Invite All for FB | fgjedplemcjfaoobgiadbnjpjbbhodad | 784 | group-invite-all[.]info
Free Dark Themes | mncjhnllpohmionejiigjnmibelmhdoo | 773 | free-dark-themes[.]info
Emoji for Chrome | mhjkihhhpgllnianmdcigihekigldnap | 637 | emoji-for-chrome[.]info
Cleaner for Chrome | bccjmmebjpnnjfiijcohnfcohdgljmkf | 450 | cleaner-for-chrome[.]info
Professional Image Downloader | cneafklfjmhchljcgcmjgfkfkmancjfh | 332 | professional-image-downloader[.]info
PopUp Block | kglcafgaealflddlgcbjcppjpnobjbnl | 270 | popup-block[.]info
Copy All Urls | hmohkjflepfkableepiehdehdfamabff | 175 | copy-all-urls[.]info
Download Manager | opfcjkdakkoooncoegnkiklglldgkbmp | 107 | download-manager[.]info
Highlight Keywords | icilihloianbooemjccfkdjdomihpllm | 68 | highlight-keywords[.]info
One Click Full Page Screenshot | dchgeccnjiagagglakifiaoejhmcejdd | 44 | one-click-screenshot[.]info
Free Dictionary | gpdiekfipckckibicafneiefljjolcak | 38 | free-dictionary[.]info
Simple Reader | jhoncmkfpmfjkellcnnhmekddepadehm | 37 | simple-reader[.]info
Easy Tab Manager | coniahfhkdjfindlcljeoodlpbcoofki | 19 | easy-tab-manager[.]info
Refresh All | ljblmoabhdlkobebmokdnbfbfgjniiia | 9 | refresh-all[.]info
Read Later - Save To Pocket | bjhklcgekimdipkdhobggjojmejfhfhm | 4 | read-later[.]info

Figure 1: Table listing newly discovered extensions that enable click-fraud activity


Offense of Chrome Extensions

Malicious extensions could be extremely useful throughout an attack lifecycle for various post-exploitation techniques, and they leverage a user’s trust in Google to gain an advantage. ICEBRG’s SRT tested this threat vector by injecting a custom-developed JavaScript backdoor into a test extension via the getJSON method described in Part 1. After establishing access to the browser with our backdoor, we determined it was relatively easy to achieve adversarial objectives with the following techniques:

  • Reboot Persistence: Browser extensions provide persistence on a victim system across reboots. Additionally, browser extensions can request the “background” permission to continue running after the browser window is closed.

  • Browsing Screenshots: By leveraging the chrome.tabs.captureVisibleTab function of the Google Chrome API, a malicious actor could capture and exfiltrate screenshots of user browsing activity.

  • Keylogging of Websites: By leveraging the chrome.tabs.executeScript function of the Google Chrome API, a malicious actor could inject a JavaScript keylogger into web pages that uses the KeyboardEvent keyCode property to record keystrokes. The keylogging data could be exfiltrated through the extension via Chrome messaging.

  • Form Submission Hijacking: By leveraging the chrome.tabs.executeScript function of the Google Chrome API, a malicious actor could inject an event listener that captures form data and exfiltrates it through the extension via Chrome messaging.

  • Man In The Browser: By leveraging XMLHttpRequest, a malicious actor could force the victim browser to submit web requests to targeted sites, including those with established authentication sessions.

While no extensions have been discovered thus far exhibiting these characteristics, source code to perform the above techniques has been public for a significant period of time and has largely already been weaponized through frameworks such as BeEF, a browser exploitation framework. It should be noted that none of these features are vulnerabilities or issues with Chrome itself; rather, they are natural functionality within JavaScript and the Chrome API that is being used for nefarious purposes. All of these techniques required permissions to be approved by the user; however, excessive permission use is common across extensions.

Defense From Chrome Extensions

The community response to our first release of malicious Google Chrome extensions was extremely positive. Google’s Safe Browsing Operations team responded quickly and removed the extensions from the store.

Detection

Following our first post, public IDS signatures were released in the Emerging Threats signature set. These signatures (SID 2025220 and SID 2025221) have provided high-confidence indications of activity. It should be noted that the signatures identify actor-controlled content, which can be changed to evade them with relative ease.

In addition, we have identified the following network characteristics associated with the extensions, which will help teams search for or identify this activity:

  • All of the command and control servers utilized across the extensions identified to date were in the 109.206.0[.]0/16 subnet, under ASN 50245 (Serverel Inc).

  • The involved domains each had a TLD of either “.info” or “.pro”.

  • The network communications can also be fingerprinted via the following characteristics:

    • HTTP POST requests with an empty request body.

    • A Google Chrome user-agent (i.e., “ Chrome/” appears in the User-Agent string).

    • An Origin header set to a Chrome extension ID for cross-origin requests (e.g. “Origin: chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa”).

  • Traffic to known ad networks that omits the Referer header in the HTTP request, or any access to the ad network “search-engine[.]pro”.
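The fingerprint above is easiest to reason about as a scoring function over individual request records. The following is an added example, not ICEBRG tooling: it scores constructed HTTP request records against the characteristics listed above (C2 subnet, TLD, empty POST, Chrome user-agent, extension Origin, ad-network access without a Referer). The key=value log line format, the KNOWN_AD_NETWORKS entry and the four sample records are assumptions constructed for this demonstration; the subnet, TLDs, extension ID format and the search-engine[.]pro host come from the post.

```python
"""Score HTTP request records against the click-fraud network fingerprint.

Added example, not ICEBRG tooling. The key=value log format, the
KNOWN_AD_NETWORKS entry and SAMPLE_LOG are constructed for this demo.
"""
import ipaddress
import re
import shlex
from typing import Dict, List, Tuple

C2_NET = ipaddress.ip_network("109.206.0.0/16")   # C2 range reported in the post
SUSPECT_TLDS = {"info", "pro"}                     # TLDs used by the involved domains
AD_NETWORK_FROM_POST = "search-engine.pro"        # ad network named in the post (defanged there)
KNOWN_AD_NETWORKS = {"ads.example.net"}           # placeholder: load your own ad-network list
# Chrome extension IDs are 32 lowercase letters in the range a-p.
EXT_ORIGIN_RE = re.compile(r"^chrome-extension://[a-p]{32}$")
# Signals that justify an alert on their own.
STRONG = {"dst in 109.206.0.0/16", "ad network without referer", "search-engine.pro access"}
# The POST fingerprint is only meaningful when all three parts line up together.
POST_COMBO = {"empty POST body", "chrome ua", "extension origin"}

# Constructed sample log: one record per line, "-" marks an absent field.
SAMPLE_LOG = """\
method=POST host=po1.page-auto-refresh.info dst=109.206.164.7 len=0 ua="Mozilla/5.0 Chrome/65.0.3325.181 Safari/537.36" origin=chrome-extension://gbacofhdlmoakebnfciollcbpnaaepll referer=-
method=GET host=www.example.com dst=93.184.216.34 len=- ua="Mozilla/5.0 Chrome/65.0.3325.181 Safari/537.36" origin=- referer=https://www.example.com/
method=POST host=api.example.org dst=203.0.113.10 len=128 ua="curl/7.58.0" origin=- referer=-
method=GET host=ads.example.net dst=198.51.100.7 len=- ua="Mozilla/5.0 Chrome/65.0.3325.181 Safari/537.36" origin=- referer=-
"""


def parse_record(line: str) -> Dict[str, str]:
    """Parse one key=value line; quoted values may contain spaces."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = "" if value == "-" else value
    return fields


def fingerprint(req: Dict[str, str]) -> List[str]:
    """Return the list of fingerprint signals a single request matches."""
    hits: List[str] = []
    try:
        if ipaddress.ip_address(req.get("dst", "")) in C2_NET:
            hits.append("dst in 109.206.0.0/16")
    except ValueError:
        pass  # missing or malformed destination address: no subnet signal
    host = req.get("host", "").lower()
    if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
        hits.append("tld .info/.pro")
    if req.get("method") == "POST" and req.get("len") == "0":
        hits.append("empty POST body")
    if " Chrome/" in req.get("ua", ""):
        hits.append("chrome ua")
    if EXT_ORIGIN_RE.match(req.get("origin", "")):
        hits.append("extension origin")
    if host in KNOWN_AD_NETWORKS and not req.get("referer"):
        hits.append("ad network without referer")
    if host == AD_NETWORK_FROM_POST:
        hits.append("search-engine.pro access")
    return hits


def is_suspect(hits: List[str]) -> bool:
    """A strong signal alone, or the full POST combination, warrants an alert."""
    found = set(hits)
    return bool(found & STRONG) or POST_COMBO <= found


def scan_log(text: str) -> List[Tuple[str, List[str]]]:
    """Return (host, signals) for every record that should be alerted on."""
    results: List[Tuple[str, List[str]]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        req = parse_record(line)
        hits = fingerprint(req)
        if is_suspect(hits):
            results.append((req.get("host", ""), hits))
    return results


if __name__ == "__main__":
    for host, hits in scan_log(SAMPLE_LOG):
        print(f"ALERT {host}: {', '.join(hits)}")
```

Running the block alerts on the first record (C2 subnet, .info TLD and the full empty-POST/Chrome/extension-Origin combination) and the last one (ad network without a Referer), and stays quiet on the ordinary browser and curl traffic. The subnet and TLD signals are the brittle ones, as the post notes about actor-controlled content; the structural POST fingerprint survives an infrastructure change, which is why the scorer only requires the three structural parts together.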

For those leveraging endpoint tools to profile or inventory Google Chrome extensions in their enterprise, understanding the artifacts present for extensions could be helpful. Through testing on various operating systems, we found that extensions are installed in the following paths:

  • Mac OS X:
    /Users/${USER}/Library/Application Support/Google/Chrome/Default/Extensions

  • Windows:
    C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Extensions

  • Linux:
    ~/.config/google-chrome/Default/Extensions/
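Under each of those Extensions directories, every installed extension has a subdirectory named after its extension ID, and each installed version has a manifest.json beneath it. The following is an added example, not ICEBRG tooling: it walks that layout, records each extension's name and permissions, and flags entries whose ID appears in Figure 1 or whose permissions enable the post-exploitation uses discussed above. The RISKY_PERMISSIONS set is this example's own choice, the build_sample_tree() fixture is constructed for offline testing, and the Windows path is resolved through the LOCALAPPDATA environment variable as an assumption equivalent to the %USERNAME% path listed above.

```python
"""Inventory installed Chrome extensions on disk and flag the ones worth a look.

Added example, not ICEBRG tooling. Profile paths are the ones listed in the post;
build_sample_tree() creates a constructed fixture so the audit can run offline.
"""
import json
import os
import platform
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# All 35 extension IDs from Figure 1.
KNOWN_BAD_IDS = set("""
kpdbpckemafdmfkfphbpohlljkimnppg hohfebhgndoinhkmgcilobohekbhndga ilbhjfopkkghamdeielkhilghjeajaha
ijpmdegjjcjomfgcmpeggcfkmpbmfjhe oonhhaopdfdpcmhjgpjcjnakgbefngij cnmckkmibbdlcpeinbmbbnljfocepplp
caiamknjlgmmapghdpkclpdecdapbhjl fggpapnokdmcagooedemcgfhpcidnnbc djbfpplfepkbhlgbjlkicgomibdgajdo
gbacofhdlmoakebnfciollcbpnaaepll opmgglagcpchfpkhiddoldabakdkiafl lpjjoahccbikjgljpiglhhjcdefijofk
kgnahkoacnoahnoephenbbdimnfnkcih bkbmblkoligiepeiikoobjkmfpnhcfne coblickdgmopfeigiljfpipoimlmfgni
cppodmcamcphompkpimnjcelbbhkipem hapdkihnhiadeiolocdihoonnmfdbcbk mklihabhmibnnljbkhepcepaamoagejk
oogbaaolfhpoopkmpicohpppmdolgfdk icchggboamoimbgbeldefbllnclpkdak fgjedplemcjfaoobgiadbnjpjbbhodad
mncjhnllpohmionejiigjnmibelmhdoo mhjkihhhpgllnianmdcigihekigldnap bccjmmebjpnnjfiijcohnfcohdgljmkf
cneafklfjmhchljcgcmjgfkfkmancjfh kglcafgaealflddlgcbjcppjpnobjbnl hmohkjflepfkableepiehdehdfamabff
opfcjkdakkoooncoegnkiklglldgkbmp icilihloianbooemjccfkdjdomihpllm dchgeccnjiagagglakifiaoejhmcejdd
gpdiekfipckckibicafneiefljjolcak jhoncmkfpmfjkellcnnhmekddepadehm coniahfhkdjfindlcljeoodlpbcoofki
ljblmoabhdlkobebmokdnbfbfgjniiia bjhklcgekimdipkdhobggjojmejfhfhm
""".split())

# Permissions that enable the uses described in the post (persistence after the
# window closes, tab screenshots, script injection into arbitrary pages). This
# selection is the example's own; tune it to your environment.
RISKY_PERMISSIONS = {"background", "tabs", "activeTab", "<all_urls>",
                     "http://*/*", "https://*/*", "webRequest", "webRequestBlocking"}


def default_extensions_dir() -> Path:
    """Default-profile Extensions directory for the current OS (paths from the post)."""
    system = platform.system()
    if system == "Darwin":
        return Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions"
    if system == "Windows":  # assumption: LOCALAPPDATA == C:\Users\%USERNAME%\AppData\Local
        return Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default/Extensions"
    return Path.home() / ".config/google-chrome/Default/Extensions"


def inventory(root: Path) -> List[Dict]:
    """One record per installed extension version: <root>/<id>/<version>/manifest.json."""
    records: List[Dict] = []
    if not root.is_dir():
        return records
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for manifest in sorted(ext_dir.glob("*/manifest.json")):
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip it, do not abort the sweep
            perms = set(data.get("permissions", [])) | set(data.get("host_permissions", []))
            records.append({
                "id": ext_dir.name,
                "version": manifest.parent.name,
                "name": data.get("name", ""),  # may be a __MSG_*__ key for localized names
                "permissions": sorted(perms),
            })
    return records


def assess(record: Dict) -> List[str]:
    """Reasons an extension record deserves attention; empty list means none."""
    reasons: List[str] = []
    if record["id"] in KNOWN_BAD_IDS:
        reasons.append("known click-fraud extension id")
    risky = [p for p in record["permissions"] if p in RISKY_PERMISSIONS]
    if risky:
        reasons.append("broad permissions: " + ", ".join(risky))
    return reasons


def audit(root: Path) -> List[Tuple[str, List[str]]]:
    """(id, reasons) for every extension under root that has at least one finding."""
    findings: List[Tuple[str, List[str]]] = []
    for record in inventory(root):
        reasons = assess(record)
        if reasons:
            findings.append((record["id"], reasons))
    return findings


def build_sample_tree() -> Path:
    """Constructed fixture: a temp Extensions dir with one Figure 1 ID and one benign entry."""
    root = Path(tempfile.mkdtemp(prefix="chrome-ext-sample-"))
    samples = {
        "gbacofhdlmoakebnfciollcbpnaaepll": {"name": "Page Auto Refresh", "version": "1.2.3",
                                             "permissions": ["tabs", "<all_urls>", "background"]},
        "abcdefghijklmnopabcdefghijklmnop": {"name": "Harmless Notes", "version": "0.1",
                                             "permissions": ["storage"]},  # made-up benign ID
    }
    for ext_id, manifest in samples.items():
        version_dir = root / ext_id / (manifest["version"] + "_0")
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    for ext_id, reasons in audit(default_extensions_dir()):
        print(f"{ext_id}: {'; '.join(reasons)}")
```

Run as a script it audits the current user's default profile; pass any other Extensions directory (a mounted disk image, a collected copy from an endpoint agent) to audit() for forensic review. Only the default profile is covered, so extend the path list if users run multiple Chrome profiles.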

Windows Enterprise Prevention

While there are many preventative controls that can be applied, organizations can address the installation of unauthorized extensions at scale in a Microsoft Windows domain through Group Policy Objects (GPO). Google has released deployment documentation that can assist in locking down the ability of users to install arbitrary extensions through Windows GPOs. The features within Active Directory are extremely useful and enable you to properly control user-installed applications and extensions.
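The policy pattern the Chrome deployment documentation supports is a deny-all blocklist paired with an allowlist of vetted extension IDs. The fragment below is an added example, not taken from the post or from Google's documentation: it shows the registry values that such a GPO writes under the Chrome policy key, using the policy names in effect when this post was written (later Chrome releases renamed them ExtensionInstallBlocklist and ExtensionInstallAllowlist). The allowlisted ID is a placeholder; replace it with the IDs your organization has approved.

```reg
Windows Registry Editor Version 5.00

; Block every extension not explicitly allowed ("*" matches all IDs).
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlacklist]
"1"="*"

; Then allow only vetted extensions, one numbered value per approved ID.
; The ID below is a placeholder, not a real extension.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallWhitelist]
"1"="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
```

Once the policy applies, extensions already installed but not on the allowlist are disabled, which also covers the Figure 1 extensions on any endpoint that was never cleaned up; chrome://policy on a managed endpoint shows whether the values were received.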

Wrap Up

While the activity we have observed in the wild has been of relatively low impact on users to date, nothing prevents targeted attackers from using extensions as a gateway to sensitive user information and corporate resources. It is crucial that enterprises implement layers of preventative controls paired with detection capabilities to ensure that they do not fall prey to these techniques.

ICEBRG expects that the actor responsible for the behavior disclosed in this post, or other actors leveraging Google Chrome, will continue to expand their operations for financial gain or other nefarious purposes outlined above. With this information, organizations can take the appropriate steps to help mitigate risk from unauthorized Chrome extensions.

ICEBRG SRT members Justin Warner and Spencer Walden will be presenting on this topic at BSidesSF on April 16th at 3:30pm. The presentation will include a full walkthrough of the malicious toolkit as well as a discussion of offensive use cases and defensive controls.

ICEBRG is a network security analytics company that offers a SaaS capability that enables customers to gain and utilize widespread network visibility for security operations. As part of its research, ICEBRG coordinates disclosure of security threats and vulnerabilities with relevant parties in order to maximize both the response and victim remediation efforts as well as working to truly improve the security of customers and other victims prior to publishing blog posts. ICEBRG customers are monitored for this malicious activity via our Detections feature. To learn more about ICEBRG, contact us at [email protected].


Appendix A: Indicators

Indicator | Type | Related Extension
sk1.make-it-rain[.]info | Domain | kpdbpckemafdmfkfphbpohlljkimnppg
po1.what-font[.]info | Domain | hohfebhgndoinhkmgcilobohekbhndga
po2.what-font[.]info | Domain | hohfebhgndoinhkmgcilobohekbhndga
po3.what-font[.]info | Domain | hohfebhgndoinhkmgcilobohekbhndga
po4.what-font[.]info | Domain | hohfebhgndoinhkmgcilobohekbhndga
sk1.fidget-spinner-online[.]info | Domain | ilbhjfopkkghamdeielkhilghjeajaha
ig1.split-screen-layouts[.]info | Domain | ijpmdegjjcjomfgcmpeggcfkmpbmfjhe
ig2.split-screen-layouts[.]info | Domain | ijpmdegjjcjomfgcmpeggcfkmpbmfjhe
ig1.messenger-for-fb[.]info | Domain | oonhhaopdfdpcmhjgpjcjnakgbefngij
ig2.messenger-for-fb[.]info | Domain | oonhhaopdfdpcmhjgpjcjnakgbefngij
po1.download-pro[.]info | Domain | cnmckkmibbdlcpeinbmbbnljfocepplp
po2.download-pro[.]info | Domain | cnmckkmibbdlcpeinbmbbnljfocepplp
po3.download-pro[.]info | Domain | cnmckkmibbdlcpeinbmbbnljfocepplp
po4.download-pro[.]info | Domain | cnmckkmibbdlcpeinbmbbnljfocepplp
gb1.eyedropper-for-chrome[.]info | Domain | caiamknjlgmmapghdpkclpdecdapbhjl
ac1.select-translator[.]info | Domain | fggpapnokdmcagooedemcgfhpcidnnbc
gb1.equalizer-for-chrome[.]info | Domain | djbfpplfepkbhlgbjlkicgomibdgajdo
po1.page-auto-refresh[.]info | Domain | gbacofhdlmoakebnfciollcbpnaaepll
po2.page-auto-refresh[.]info | Domain | gbacofhdlmoakebnfciollcbpnaaepll
po3.page-auto-refresh[.]info | Domain | gbacofhdlmoakebnfciollcbpnaaepll
po4.page-auto-refresh[.]info | Domain | gbacofhdlmoakebnfciollcbpnaaepll
po1.night-screen[.]info | Domain | opmgglagcpchfpkhiddoldabakdkiafl
po2.night-screen[.]info | Domain | opmgglagcpchfpkhiddoldabakdkiafl
po3.night-screen[.]info | Domain | opmgglagcpchfpkhiddoldabakdkiafl
po4.night-screen[.]info | Domain | opmgglagcpchfpkhiddoldabakdkiafl
ig1.responsinator[.]info | Domain | lpjjoahccbikjgljpiglhhjcdefijofk
ig2.responsinator[.]info | Domain | lpjjoahccbikjgljpiglhhjcdefijofk
ac1.web-ruler[.]info | Domain | kgnahkoacnoahnoephenbbdimnfnkcih
ac1.hero-video-downloader[.]info | Domain | bkbmblkoligiepeiikoobjkmfpnhcfne
ac1.web-keyboard[.]info | Domain | coblickdgmopfeigiljfpipoimlmfgni
ac1.calculator-for-chrome[.]info | Domain | cppodmcamcphompkpimnjcelbbhkipem
po1.popup-window[.]info | Domain | hapdkihnhiadeiolocdihoonnmfdbcbk
po2.popup-window[.]info | Domain | hapdkihnhiadeiolocdihoonnmfdbcbk
po3.popup-window[.]info | Domain | hapdkihnhiadeiolocdihoonnmfdbcbk
po4.popup-window[.]info | Domain | hapdkihnhiadeiolocdihoonnmfdbcbk
ig1.dark-mode-for-youtube[.]info | Domain | mklihabhmibnnljbkhepcepaamoagejk
ig2.dark-mode-for-youtube[.]info | Domain | mklihabhmibnnljbkhepcepaamoagejk
ac1.zoom-it[.]info | Domain | oogbaaolfhpoopkmpicohpppmdolgfdk
ig1.synonym-for-chrome[.]info | Domain | icchggboamoimbgbeldefbllnclpkdak
ig2.synonym-for-chrome[.]info | Domain | icchggboamoimbgbeldefbllnclpkdak
ig1.group-invite-all[.]info | Domain | fgjedplemcjfaoobgiadbnjpjbbhodad
ig2.group-invite-all[.]info | Domain | fgjedplemcjfaoobgiadbnjpjbbhodad
ac1.free-dark-themes[.]info | Domain | mncjhnllpohmionejiigjnmibelmhdoo
ac1.emoji-for-chrome[.]info | Domain | mhjkihhhpgllnianmdcigihekigldnap
ig1.cleaner-for-chrome[.]info | Domain | bccjmmebjpnnjfiijcohnfcohdgljmkf
ig2.cleaner-for-chrome[.]info | Domain | bccjmmebjpnnjfiijcohnfcohdgljmkf
ac1.professional-image-downloader[.]info | Domain | cneafklfjmhchljcgcmjgfkfkmancjfh
ac1.popup-block[.]info | Domain | kglcafgaealflddlgcbjcppjpnobjbnl
ig1.copy-all-urls[.]info | Domain | hmohkjflepfkableepiehdehdfamabff
ig2.copy-all-urls[.]info | Domain | hmohkjflepfkableepiehdehdfamabff
ac1.download-manager[.]info | Domain | opfcjkdakkoooncoegnkiklglldgkbmp
ig1.highlight-keywords[.]info | Domain | icilihloianbooemjccfkdjdomihpllm
ig2.highlight-keywords[.]info | Domain | icilihloianbooemjccfkdjdomihpllm
sk1.one-click-screenshot[.]info | Domain | dchgeccnjiagagglakifiaoejhmcejdd
ig1.free-dictionary[.]info | Domain | gpdiekfipckckibicafneiefljjolcak
ig2.free-dictionary[.]info | Domain | gpdiekfipckckibicafneiefljjolcak
ac1.simple-reader[.]info | Domain | jhoncmkfpmfjkellcnnhmekddepadehm
ig1.easy-tab-manager[.]info | Domain | coniahfhkdjfindlcljeoodlpbcoofki
ig2.easy-tab-manager[.]info | Domain | coniahfhkdjfindlcljeoodlpbcoofki
ac1.refresh-all[.]info | Domain | ljblmoabhdlkobebmokdnbfbfgjniiia
ig1.read-later[.]info | Domain | bjhklcgekimdipkdhobggjojmejfhfhm
ig2.read-later[.]info | Domain | bjhklcgekimdipkdhobggjojmejfhfhm
109.106.164.6 | IP Address | hohfebhgndoinhkmgcilobohekbhndga
109.106.176.189 | IP Address | ilbhjfopkkghamdeielkhilghjeajaha
109.206.161.110 | IP Address | hohfebhgndoinhkmgcilobohekbhndga, cnmckkmibbdlcpeinbmbbnljfocepplp, gbacofhdlmoakebnfciollcbpnaaepll, opmgglagcpchfpkhiddoldabakdkiafl, hapdkihnhiadeiolocdihoonnmfdbcbk
109.206.164.6 | IP Address | cnmckkmibbdlcpeinbmbbnljfocepplp, gbacofhdlmoakebnfciollcbpnaaepll, opmgglagcpchfpkhiddoldabakdkiafl, hapdkihnhiadeiolocdihoonnmfdbcbk
109.206.164.7 | IP Address | hohfebhgndoinhkmgcilobohekbhndga, cnmckkmibbdlcpeinbmbbnljfocepplp, gbacofhdlmoakebnfciollcbpnaaepll, opmgglagcpchfpkhiddoldabakdkiafl, hapdkihnhiadeiolocdihoonnmfdbcbk
109.206.176.171 | IP Address | ijpmdegjjcjomfgcmpeggcfkmpbmfjhe, oonhhaopdfdpcmhjgpjcjnakgbefngij, lpjjoahccbikjgljpiglhhjcdefijofk, mklihabhmibnnljbkhepcepaamoagejk, icchggboamoimbgbeldefbllnclpkdak, fgjedplemcjfaoobgiadbnjpjbbhodad, bccjmmebjpnnjfiijcohnfcohdgljmkf, hmohkjflepfkableepiehdehdfamabff, icilihloianbooemjccfkdjdomihpllm, gpdiekfipckckibicafneiefljjolcak, coniahfhkdjfindlcljeoodlpbcoofki, bjhklcgekimdipkdhobggjojmejfhfhm
109.206.176.172 | IP Address | ijpmdegjjcjomfgcmpeggcfkmpbmfjhe, oonhhaopdfdpcmhjgpjcjnakgbefngij, lpjjoahccbikjgljpiglhhjcdefijofk, mklihabhmibnnljbkhepcepaamoagejk, icchggboamoimbgbeldefbllnclpkdak, fgjedplemcjfaoobgiadbnjpjbbhodad, bccjmmebjpnnjfiijcohnfcohdgljmkf, hmohkjflepfkableepiehdehdfamabff, icilihloianbooemjccfkdjdomihpllm, gpdiekfipckckibicafneiefljjolcak, coniahfhkdjfindlcljeoodlpbcoofki, bjhklcgekimdipkdhobggjojmejfhfhm
109.206.176.188 | IP Address | hohfebhgndoinhkmgcilobohekbhndga, cnmckkmibbdlcpeinbmbbnljfocepplp, gbacofhdlmoakebnfciollcbpnaaepll, opmgglagcpchfpkhiddoldabakdkiafl, hapdkihnhiadeiolocdihoonnmfdbcbk
109.206.176.189 | IP Address | dchgeccnjiagagglakifiaoejhmcejdd, kpdbpckemafdmfkfphbpohlljkimnppg
109.206.176.190 | IP Address | fggpapnokdmcagooedemcgfhpcidnnbc, kgnahkoacnoahnoephenbbdimnfnkcih, bkbmblkoligiepeiikoobjkmfpnhcfne, coblickdgmopfeigiljfpipoimlmfgni, cppodmcamcphompkpimnjcelbbhkipem, oogbaaolfhpoopkmpicohpppmdolgfdk, mncjhnllpohmionejiigjnmibelmhdoo, mhjkihhhpgllnianmdcigihekigldnap, cneafklfjmhchljcgcmjgfkfkmancjfh, kglcafgaealflddlgcbjcppjpnobjbnl, opfcjkdakkoooncoegnkiklglldgkbmp, jhoncmkfpmfjkellcnnhmekddepadehm, ljblmoabhdlkobebmokdnbfbfgjniiia
109.206.176.170 | IP Address | djbfpplfepkbhlgbjlkicgomibdgajdo, caiamknjlgmmapghdpkclpdecdapbhjl