Maksim Pasko - Fotolia

Researchers discover malicious Chrome extensions

Security researchers have discovered a new botnet delivered via malicious Chrome extensions designed to hijack computers to mine cryptocurrency and record victims’ every move

Nearly 90 malicious Google Chrome extensions have been discovered in the official Chrome store that can inject into visited websites, ads, cryptocurrency mining code, and code to record browsing activities.

More than 400,000 computers have been infected by these malicious Chrome extensions, according to researchers at security firm Trend Micro.

The botnet, dubbed Droidclub, is designed to abuse legitimate session replay libraries to violate victims’ privacy, the researchers said.

Although researchers have predicted the abuse of these libraries that are meant to be used by website owners to replay a user’s visit to a website, this is the first time this abuse by attackers has been seen in the wild, according to Joseph Chen, fraud researcher at Trend Micro.

“The attacker gets the user to install these malicious Chrome extensions via a mix of Malvertising [malicious advertising] and social engineering,” he wrote in a blog post.

The extension, once installed, is designed to check if the botnet command and control (C&C) server is online, download any needed configuration code, and report back to the C&C server. This process is repeated every five minutes.

A browser infected with Droidclub will periodically pop up a new tab displaying web advertising. The URL and the frequency are both sent as part of the configuration information from the C&C server.

The researchers believe the botnet was being used in this way to artificially raise the impressions of certain ads, resulting in increased views and revenue.

Droidclub is also designed to modify the contents of viewed websites, including adding external links to certain keywords that go to ads and replacing existing ads.

A legitimate web analytics Javascript library from Yandex Metrica is also injected into visited websites on the victim’s browser to record actions, including mouse clicks, scrolling and keystrokes.

“Unfortunately, in the hands of an attacker, this represents a very powerful tool that can breach the user’s privacy. The combination of the extension and the library can steal data entered into forms such as names, credit card numbers, CVV numbers, email addresses and phone numbers, but not passwords,” said Chen.

The researchers also discovered that a previous version of Droidclub was still active in the wild that appears to have been created in April 2017, with the newer version created in November 2017.

The earlier version connects to the same C&C servers and appears to focus on injecting cryptocurrency mining code. According to security researchers at Proofpoint, while cryptocurrencies can no longer be mined effectively on desktop computers, a distributed botnet can prove quite lucrative for its operators.

Read more about cryptocurrency cyber attacks

Droidclub is designed so that users will have a more difficult time attempting to uninstall and report the malicious extension. If the extension detects that the user is trying to report the extension through official Google Chrome channels, the user is redirected to the introduction page of their extension. If a user tries to remove the extension via Chrome’s extension management page, the malicious extension redirects the user to a fake page, which leads the user to believe that the extension has been uninstalled.

Trend Micro said there are several ways to mitigate this threat:

  • Reduce the display of malvertisements through the use of web blocking services or script blockers that block these malicious sites from being displayed in the first place.
  • User awareness training helps reduce the risks of users acting on any commands given to them by false error messages.
  • Systems administrators can set Chrome policies that will bar users from installing extensions on their systems to prevent attacks such as this.

Trend Micro has also contacted Google, which has removed these extensions from the official Chrome web store. In addition, the C&C servers have been removed from Cloudflare.

According to Google, the affected extensions have been removed from the Chrome Web Store and disabled on devices of all affected Chrome users.

“Currently, our security systems block more than 1,000 malicious extensions per month. If an extension looks suspicious, we encourage users to report it as potential abuse through the Chrome Web Store page so we can review it in greater depth,” Google said in a statement to Trend Micro.

Read more on Web application security

Data Center
Data Management