Chrome Extension with 100,000 Users Caught Pushing Cryptocurrency Miner

[LASER_oneXM]

A Chrome extension with over 105,000 users has been deploying an in-browser cryptocurrency miner to unsuspecting users for the past few weeks.

The extension does not ask for user permission before hijacking their CPUs to mine Monero all the time the Chrome browser is open.

Named "Archive Poster," the extension is advertised as a mod for Tumblr that allows users an easier way to "reblog, queue, draft, and like posts right from another blog's archive."

According to users reviews, around the start of December the extension has incorporated the infamous Coinhive in-browser miner in its source code.

Troy Mursch, a US-based security researcher who's been keeping a close eye on the cryptojacking scene, alerted Bleeping Computer of this threat today.

According to Mursch, the Coinhive cryptojacking code is hidden in a JavaScript file loaded from the following URL:

https://c7e935.netlify[.]com/b.js

Another case of a hijacked extensions? or is it intentional?

Over the spring and summer, Chrome extension developers have been under a barrage of phishing attacks. Miscreants were trying to take over extensions, adding adware code and pushing a tainted update to the extension's userbase when successful.


Some of these phishing attacks were successful, and several cases were reported when high-profile extensions with large userbases were hijacked to push adware [1, 2, 3].


The company behind Archive Poster does not have a contact method listed on its website, so Bleeping Computer wasn't able to confirm this was intentional or another case of a hijacked extension.

 

[ForgottenSeer 58943]

Thanks.

I submitted to Fortinet Labs TAC, already classified in just a few minutes.

Submission Date: Fri, 29 Dec 2017 07:28:39 -0800
URL: Censored
Updated Category: Malicious Websites
Update Date: Fri, 29 Dec 2017 08:01:17 -0800

 

[Tsiehshi]

The Archive Poster extension has been shipping the hidden Coinhive cryptojacker for at least four versions —from 4.4.3.994 to 4.4.3.998.

It actually seems to date back at least to the 4.4.3.93 version (Dec 8th according to the last modification date of verified_contents.json).

PS. A Chrome Webstore reviewer said he used to love it until it was updated on 12/7/2017. That's not a contradiction as the extension archive isn't updated every day (probably wasn't updated on the 7th).

PPS. At 9:34 PM, it got updated to 4.4.4.0 (damn the hackers are fast). And they'll approve it again and again.

+ 11:30 PM: 4.4.4.01. Once 2 hours or what?

PPPS. Here's a more detailed version history, which means it started with 4.4.3.91.

PPPPS. Finally taken down. Good riddance.