Priority: Medium

Executive Summary:
Google have removed 106 malicious browser extensions from the Chrome Web Store after being found malicious.

The malicious extensions are said to have posed as a variety of tools, such as file conversion tools and even security scanners. However, analysis of the extensions’ behaviour and code indicates that they had ulterior purposes, performing actions such as harvesting authentication cookies, reading data from the clipboard, taking screenshots, and logging keystrokes. At the time of publishing their report, the researchers had found a combined total of approximately 33 million downloads of the malicious extensions.[1]

Many of the extensions share the same assets, such as images and code snippets, and the researchers believe the extensions to be the work of a single threat actor, although they have not been able to positively identify the group – or groups – behind the attack campaigns. However, the culmination of the research is the conclusion that a domain registrar called ‘Gal Communication (CommuniGal) Ltd’, also known as ‘GalComm’, is, at the very least, complicit in the malicious activity. [2] The researchers identified 15,160 unique domains that were suspicious or malicious, all registered through GalComm, and many of the domains were registered immediately after expiry (“hijacked” domains). The practice of “hijacking” a domain is to avoid the inherently low reputation attributed to a newly registered domain; by using a domain that has been registered for many years and has been otherwise benign, attackers can bypass many web filtering techniques that rely on reputation scores. GalComm have yet to respond to the researchers’ questions, and further analysis indicates a prevalence for suspect behaviour from the registrar, leading the researchers to speculate that the registrar is complicit, as opposed to ignorant.

The researchers found that numerous techniques were employed by the attackers in order to evade detection. One of which was to trick the victim into downloading the Chromium browser, which would enable the attacker to bypass Chrome’s built-in security policies. This works particularly well, as the average user wouldn’t be able to tell the difference between Chrome and Chromium, or would assume they are the same thing and set the malicious version as their default browser.

The researchers have provided a list of the malicious browser extensions here and a list of malicious domains here. The lists are more useful for security teams, as they are file hashes or supplemented with further information. Users can check whether or not they have any malicious browser extensions installed by navigating to chrome://extensions in a new Chrome tab; Google will automatically mark and disable extensions that contain malicious code, and users should uninstall them immediately. Likewise, users should ensure that they are using Chrome browser, rather than the similar Chromium browser.

Affected Products:
The research does not extend to the plugins or extensions of other popular browsers, focusing only on Google Chrome. However, one of the evasion techniques used by the attackers was to package their malicious extension into an installation of Chromium, the open source package from which Chrome is derived. As such, users of the Chromium browser may also be affected.

Organisations should ensure that adequate monitoring is in place, and that the installation of software on corporate devices is strictly controlled. The researchers demonstrate that in-depth evasion techniques are employed by the malware, such as avoiding calling out to C2 servers if the network connection is through a proxy or a datacenter (which would indicate a device on a corporate network with monitoring, as opposed to a home broadband connection that is unlikely to have monitoring in place). However the research does not go into detail about how analysis of the program’s interaction with the underlying operating system. More advanced systems, such as Windows Defender ATP or other EDR systems can detect suspicious behaviour exhibited by the malicious extensions, such as keyloggers.

Organisations should include the IOCs provided in the Detect section in any logging and analysis systems they have in place. Organisations without more advanced solutions, such as EDR, should review software and extensions installed on their endpoints, and add the listed domains to internal block lists.

ITC’s SIEM and EDR customers can rest assured that we have already integrated these IOCs into our Threat Intelligence platforms, and are actively monitoring for any suspicious behaviour or potentially unwanted programs (PUPs).

[1] https://www.zdnet.com/article/google-removes-106-chrome-extensions-for-collecting-sensitive-user-data/
[2] https://awakesecurity.com/white-papers/the-internets-new-arms-dealers-malicious-domain-registrars