Fake Evernote extension injects ads into webpages

Exterminator

Visiting the Evernote plugin page, Chrome does not recognize that it is third-party malware and believes that it is the officially installed extension.

Posing as a real and user-installed add-on, malware hides itself within a Chrome extension that poses as the popular note-taking app Evernote. Unfortunately for the victims, it is far from being a legitimate extension. Security firm Malwarebytes reports that the extension is actually malware-- an executable titled evernote.exe-- that the victim would have had to have accidentally opened. After it has been executed, the malware installs a fake Evernote extension into Chrome which then begins serving the victim ads on all the webpages they visit.

It isn't just a matter of an extension appearing to look like another-- Chrome actually believes that the plug-in is the legitimate Evernote extension. By clicking "visit website," the user is taken to the official Evernote webpage. There, it does not ask the user to install the app-- again, it believes that the app is already installed, and instead offers the option to launch it.

At the outset, the way the ads are positioned makes it seem like the ads are coming from the websites themselves, which makes it more difficult for the victim to identify that they have been infected with the adware. This sort of malware also goes to show that users shouldn't trust digitally signed files solely because they're digitally signed-- it doesn't make them any more legitimate than any other executable:

"A quick look shows the PUP is digitally signed by “Open Source Developer, Sergei Ivanovich Drozdov”, although the certificate has since been revoked by the issuer. This serves as another reminder that you can’t always trust a program just because it’s digitally signed" - Joshua Cannell, security researcher at Malwarebytes

The Chrome extensions window shows that the malware looks and acts (at least on the base level) like any normal extension.

Fortunately, as Malwarebytes reports, the removal of the extension isn't a complicated matter-- it is born like an extension, and it dies like one. All a user would have to do to remove it is to visit the Chrome extensions page (type about:extensions in the omnibar) and click on the garbage can icon next to the Evernote extension. The user would then have to confirm the removal, and once confirmed, Chrome would do the rest.

Source: Malwarebytes via The Inquirer | Images via Malwarebytes
 

Petrovic

A potentially unwanted program (PUP) installs a fake Evernote that bypasses the security measures available in Chrome web browser, and starts spewing ads at the user.

The name of the extension, Evernote Web, as well as its ID, is identical with that of the real component. Moreover, it directs the user to the legitimate entry in the Chrome Web Store when clicking on the “Visit website” button. All these elements make Google Chrome believe that the real extension is installed.

Security researchers from Malwarebytes have analyzed this browser component, and found that it is digitally signed by, “Open Source Developer, Sergei Ivanovich Drozdov,” with a certificate that has been revoked by the issuer.

“This serves as another reminder that you can’t always trust a program just because it’s digitally signed,” says Joshua Cannell of Malwarebytes.

The action taken by the fake extension consists in running a content script in the context of a web page visited by the user. This results in advertisements being displayed, all leading to other unwanted programs that are probably delivering malware, and offers.

Getting rid of the rogue extension is not a complicated task. Cannell says that removing it from the Chrome extension page does the trick.
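
Since the posts above note that the fake extension reuses the real name and ID and runs a content script on visited pages, one way to review what is actually installed is to read the manifests on disk. This is an added example, not part of the original posts or of the Malwarebytes analysis; it assumes the usual `<profile>/Extensions/<id>/<version>/manifest.json` layout, treats a missing Web Store `update_url` as a heuristic only, and uses constructed sample IDs, names and file names.

```python
import json
import tempfile
from pathlib import Path

# Match patterns that inject a content script into every page the user visits.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# update_url carried by manifests of extensions installed from the Chrome Web Store.
WEBSTORE_UPDATE = "https://clients2.google.com/service/update2/crx"

def audit_extensions(ext_root):
    """Walk <ext_root>/<id>/<version>/manifest.json and return one finding
    per extension version that injects scripts into all pages."""
    findings = []
    for manifest in sorted(Path(ext_root).glob("*/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        scripts = []
        for entry in data.get("content_scripts", []):
            if BROAD & set(entry.get("matches", [])):
                scripts.extend(entry.get("js", []))
        if scripts:
            findings.append({
                "id": manifest.parent.parent.name,
                "name": data.get("name", ""),
                "scripts": scripts,  # files to open and read by hand
                "webstore_update_url": data.get("update_url") == WEBSTORE_UPDATE,
            })
    return findings

def build_sample(root):
    """Constructed sample profile: IDs, names and file names are made up."""
    samples = {
        "a" * 32: {"name": "Note Clipper (sample)", "version": "1.0",
                   "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]},
        "b" * 32: {"name": "Docs Helper (sample)", "version": "2.1",
                   "update_url": WEBSTORE_UPDATE,
                   "content_scripts": [{"matches": ["https://docs.example.com/*"],
                                        "js": ["helper.js"]}]},
    }
    for ext_id, manifest in samples.items():
        path = Path(root) / ext_id / manifest["version"]
        path.mkdir(parents=True)
        (path / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in audit_extensions(tmp):
            print(finding)
```

A finding is a prompt to read the listed script files, not a verdict: legitimate extensions also inject into all pages, and a copied manifest can carry the Web Store `update_url`.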
 