Malware analysis

Chrome extensions used to steal users' secrets

Pedro Tavares
October 19, 2022 by
Pedro Tavares

We are living in an era where technology is part of our lives. The usage of utilities to make our daily tasks easier and boost their efficiency and accuracy is an essential factor these days. As a result, new extensions emerge daily, a large volume with good intent and others taking advantage of bad purposes to benefit criminals.

McAfee highlighted in its recent publication some Chrome extensions used by crooks to get some benefits using affiliate IDs in eCommerce websites visited by victims. According to McAfee's analysis, more than 1,400,000 users were affected and victims of this schema from the five analyzed extensions.

Figure 1: Malicious Chrome extensions scrutinized by the McAfee research team.

As observed, these extensions have a specific purpose depending on their nature. One of them is related to Netflix and enables users to watch Netflix content together; another can be used to take screenshots of a website, etc. However, these extensions also track the users’ browsing activity, sending information to a C2 server controlled by criminals and tampering with cookies on the victims' web browsers to receive affiliate payment for purchased items.    

Digging into the details

We can summarize the malicious process with the following flow:

  1. Initially, details about the victims’ machines are sent to the criminals’ side, including:
    • Geolocation (city, zip code obtained via an online API)
    • Referral URL
    • APIsend value (random ID generated in runtime)
    • The eCommerce website visited
    • Extension name
  2. If the target eCommerce website is in a target list of affiliates, then proceed
  3. The tampering process happens, and an affiliate ID is added
  4. Criminals receive the benefit without the victim's authorization and knowledge

Figure 2 shows details about the victim machine collected in the “TrackData” request and sent to the C2 server.

Figure 2: Details about the victim machine collected during the navigation process.

If a match occurs with a hardcoded list of affiliate eCommerce websites, then a JSON response is obtained with the details for the tampering process. Criminals meticulously test the malicious process, and two different tampering operations are received, namely:

  • Result[‘c’] – passf_url: A specific iframe will be injected over the target website.
  • Result[‘e’] setCookie: The cookie will be tampered with via the affiliate ID.

Figure 3: Source code responsible for setting the cookie on the target eCommerce website.

The next Figure shows the scenario when a specific iframe is injected, and the cookie is modified with the target affiliate ID.

Figure 4: Iframe injected in specific website with the cookie modified with the target affiliate ID.

During the McAfee analysis, the researchers also identified a routine capable of bypassing schema detection. In detail, every time the victim runs the extensions, it validates the current date with the installation time. If it is > 15 days from the time of installation, then proceed. With this trick, criminals can avoid automated analysis and security checks.

Part of the mentioned routine is presented below, where the getTime() call is used to obtain the current time and compared if it is > 15 days after its installation.

Figure 5: Anti-detection mechanism found during the extension analysis.

Being careful with Chrome extensions 

Due to the exponential growth of online services, different extensions have been released in the last few years to facilitate and improve the users’ experience. From the criminals' point of view, we can see this as an ideal scenario, and the number of extensions with bad intent has emerged quickly.

While there is no perfect formula for stopping threats of this nature, users should pay attention to the requested permissions and if the extension does what is supposed or announced. Also, the authenticity of the extension should be analyzed carefully, understanding if it is trustworthy, who the author is, examining the comments from other users, the extension rating, and simply by googling a bit about it.

The smallest sign or abnormal behavior should be an object of analysis. Be proactive.

 

Sources:

Malicious Chrome extensions, McAfee

Pedro Tavares
Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and a Security Evangelist. He is also Editor-in-Chief of the security computer blog seguranca-informatica.pt.

In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and security in computer networks. He is also a Freelance Writer.