Prorootect

Level 53
Verified
Google removes four Chrome Extensions for injecting malicious codes
Nyoogle, Lite Bookmarks, Stickies, Change HTTP Request Header rogue extensions
The affected rogue extension list includes Change HTTP Request Header, Nyoogle-Custom Logo for Google, Lite Bookmarks and Stickies- Chrome’s Post-it Notes.

The total number of users who were actively using the extensions is pegged at more than 500,000, and the ICEBRG security firm has already noted this and informed the National Cyber Security Centre of the Netherlands (NCSC-NL), the Google Safe Browsing Operations Team and the United States Computer Emergency Readiness Team (US-CERT).

At this point, all four extensions are removed from the Chrome Web Store, with Nyoogle being the last. That being said, just because Google has removed an extension from the web store doesn’t mean that the extension ceases to exist. If you had downloaded any of the above-mentioned Chrome browser extensions, simply uninstall them and clean your systems. At this juncture it is still unclear if the same group was behind all the rogue extensions. However, ICEBRG has said that the four extensions employed similar techniques and procedures.
This entire incident also highlights the problem of maintaining workstation hygiene...


My comment - This is a joke, this Google's move, taking into consideration the huge number of extensions to remove urgently... see my posts above, please...
 

Prorootect

Level 53
Verified
Some read for you:

Malware in the browser: how you might get hacked by a Chrome extension (on kjaer.io)
...
It seems like most people are unaware of how big of an attack vector browser extensions have become. They’re still quite unregulated territory, and although there are inherent limits to what they can do, there exists little to no protection against extension malware — your antivirus can’t help you here.
In this post, I’ll share what I have found by investigating one such malware extension that a friend of mine was infected by. I’ve hesitated a lot about publishing all of the code, but have finally decided against it; I would never want to help propagate malware. However, I still want to show how this malware functions, so I’ll be posting extracts of the code in this post. I’ve taken the liberty to remove some lines that were irrelevant to the point I was making, but everything else is really as I have found it.
Discovery
On my Facebook news feed, I had noticed that one of my friends was regularly liking some weird, lewd, clickbaity links. Now clickbait content is far from uncommon on Facebook, but something was off in this case. I had noticed a pattern: it was always the same friend who would Like the same type of links. They would always have around 900 Likes and no comments, while the page behind them has about 30 Likes. Even weirder: every single post on that page is posted 25 times.

...

Malware in the browser: how you might get hacked by a Chrome extension (59 comments on Hacker News, news.ycombinator.com)

Chrome Extensions – AKA Total Absence of Privacy (on reddit.com, r/programming)


Try yourself, just by googling: site:chrome.google.com “In order to continuously improve and maintain this software we work with” will show some of the extensions using one of the tracking providers out there.
But then your extensions will let them know you're onto them!
 

Prorootect

Level 53
Verified
First Malicious Chrome Extensions Detected Using Session Replay Scripts

- with link to bleepingcomputer.com/news/: First Malicious Chrome Extensions Detected Using Session Replay Scripts

- then another MT topic:

PSA: Beware of Sites Pretending to be Manual Firefox Updates

- with another link to bleepingcomputer.com/news/: PSA: Beware of Sites Pretending to be Manual Firefox Updates


Thank you!
 

Deleted member 65228

Google oh oh what a mess.
It really is a mess.

The worst bit is that while they are bragging about having stopped over 99% of malicious applications on the Google Play market, another several hundred rogue browser extensions get approved for the Chrome Store. LOL.

It's really ridiculous, far from a safe environment IMO. More like the "go-to" place for an average Joe to get an unwanted rogue browser extension. Why use online malware sources or waste time specifically hunting when you can just open the Chrome Web Store? :cool::ROFLMAO:
 

TairikuOkami

Level 23
Verified
Content Creator
They have blocked unofficial extensions to prevent malware, at least that was the presentation, but in reality malware authors pay to get their extensions released. Google lets them out there for a while, then removes them, then lets them be added again, the same code, so it could be easily detected if they wanted to. :X3:
 

Prorootect

Level 53
Verified
MALICIOUS CHROME EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL BUSINESSES
on icebrg.io (ICEBRG, Streaming Network Forensics™)
By: ICEBRG SRT, Justin Warner, Contributor: Mario De Tore
...
This blog will cover the technical details of our discovery as a means to inform organizations of the threat malicious Chrome extensions pose.

Prior to publishing this blog post, ICEBRG notified relevant parties to coordinate responses, including the National Cyber Security Centre of The Netherlands (NCSC-NL), the United States Computer Emergency Readiness Team (US-CERT), the Google Safe Browsing Operations team, and ICEBRG customers that were directly impacted by this malware.

Note: Removal of the malicious extension from the Chrome Web Store may not remove it from impacted hosts. Additionally, the use of third-party Chrome extension repositories may still allow the installation of the extensions.

DETECTION AND IDENTIFICATION
While reviewing an unusual spike in outbound traffic volume from a customer workstation to a European VPS provider, ICEBRG’s Security Research Team (SRT) utilized the targeted packet capture capability of the ICEBRG platform to collect traffic destined to the external IP, 109.206.161[.]14. Analysis of this traffic identified HTTP traffic to the domain ‘change-request[.]info’ from a suspicious Chrome extension with ID ‘ppmibgfeefcglejjlpeihfdimbkfbbnm’ (Figure 1) as the cause of the observed traffic spike. This extension ID correlated to an extension named Change HTTP Request Header available via Google’s Chrome Web Store (Figure 2).


Figure 1: Benign Chrome extension configuration update (before removal from Chrome Store)


Figure 2: Change HTTP Request Header in Chrome Web Store
TECHNICAL OVERVIEW
The Change HTTP Request Header extension itself does not contain any overtly malicious code. However, ICEBRG identified two items of concern that, when combined, enable the injection and execution of arbitrary JavaScript code via the extension....
...read MORE on the website...
 

Prorootect

Level 53
Verified
... so NEW defender for your Chrome: Extension Police

On Chrome Web Store: Extension Police
offered by extensionpolice.com
Version: 0.1.0
Updated: January 31, 2018
Size: 91.17KiB

- Look on new MT topic about, here: Extension Police

____________________________________

.. but for now: 10 users, and "Offers in-app purchases" - it's legitimate and safe, I hope; I haven't installed it for now... what do you think about it, please?
 

Prorootect

Level 53
Verified
This Anti Miner is very suspicious, beware!...Look on user reviews - all fake!
And you have more like this on web store, with this same user reviews style... like:
Anti Miner
Page Ruler
Currency Converter
Dark YouTube Theme - Black YouTube &
...

- so I repeat, Chrome Web Store is a mined swamp!
 

Prorootect

Level 53
Verified
Malicious Chrome extension meddling with your searches
blog.0day.rocks/: Malicious Chrome extension meddling with your searches
by x0rz
Security Researcher

While googling for some random stuff, I came across a webpage that seemed very toxic and tried to force me into downloading some shady browser extension....
...
Malicious extension at chrome.google[.]com/webstore/detail/opurie/mcgibaolmjnmcmfofkfbacdmnejmdomn (copy here [unlinked!], password = infected)

Fraudulent network
startupfraction[.]com
search.feedvertizus[.]com
go.querymo[.]com
opurie[.]com


... read MORE at the website...

blog.0day.rocks/: Just another infosec blog type of thing
 

Prorootect

Level 53
Verified
About my post #69..
these extensions from my post #69 above are not suspicious probably, I think today...sorry!
I see now, that all user comments on the chrome web store are from plus.google.com...
So they are safe probably:
Anti Miner
Page Ruler
Currency Converter
Dark YouTube Theme - Black YouTube &
 

upnorth

Level 34
Verified
Trusted
Content Creator
About my post #69..
these extensions from my post #69 above are not suspicious probably, I think today...sorry!
I see now, that all user comments on the chrome web store are from plus.google.com...
So they are safe probably:
Anti Miner
Page Ruler
Currency Converter
Dark YouTube Theme - Black YouTube &
One is not just suspicious but genuinely malicious if you read the latest comments and follow the supplied URLs: Page Ruler! The policy URL points to someone else's site and another piece of software, so that's also a red flag IMO.

The other ones are probably OK, but Currency Converter doesn't seem to get any new updates, as the latest is from 26 April 2017.
 

Deleted member 65228

They have blocked unofficial extensions to prevent malware, at least that was the presentation, but in reality malware authors pay to get their extensions released. Google lets them out there for a while, then removes them, then lets them be added again, the same code, so it could be easily detected if they wanted to. :X3:
Google doesn't allow malicious extensions intentionally, and it isn't as simple as you say to detect malicious extensions being re-uploaded, even if they've been seen before. Malware authors can make some adaptations to the source code or apply different obfuscation techniques (automatically, even with local/online tools) to surpass detection, even if the end functionality is the same as in a previously removed extension.

Combined with duplicate accounts registered on different IP addresses with a refreshed browser agent, and potentially uploading dummy genuine extensions beforehand, it's sufficient enough to make it an awful lot trickier given how many requests they likely get on a regular basis.

They can improve by setting up a moderation period for a few months; new extensions will greet the user with a bonus warning notifying them before the installation that the extension is still under a moderation period for X amount of time, along with letting them know if the overall current feedback for the extension reviews is negative. The moderation period should be able to be skipped for reputable individuals/companies who are well-known (e.g. a security researcher from a cyber-security vendor) given that their identity can be successfully verified.
 

Faybert

Level 22
Verified
Malware Hunter
Google doesn't allow malicious extensions intentionally, and it isn't as simple as you say to detect malicious extensions being re-uploaded, even if they've been seen before. Malware authors can make some adaptations to the source code or apply different obfuscation techniques (automatically, even with local/online tools) to surpass detection, even if the end functionality is the same as in a previously removed extension.

Combined with duplicate accounts registered on different IP addresses with a refreshed browser agent, and potentially uploading dummy genuine extensions beforehand, it's sufficient enough to make it an awful lot trickier given how many requests they likely get on a regular basis.

They can improve by setting up a moderation period for a few months; new extensions will greet the user with a bonus warning notifying them before the installation that the extension is still under a moderation period for X amount of time, along with letting them know if the overall current feedback for the extension reviews is negative. The moderation period should be able to be skipped for reputable individuals/companies who are well-known (e.g. a security researcher from a cyber-security vendor) given that their identity can be successfully verified.
Of course Google does not allow malicious extensions; the problem is that its "smart" system to detect dangerous extensions is flawed. In 2017, 700,000 malicious apps were removed from the Play Store, with most of them being discovered after a long time; now imagine how many users were not infected until the day of removal.
 

Deleted member 65228

Of course Google does not allow malicious extensions; the problem is that its "smart" system to detect dangerous extensions is flawed. In 2017, 700,000 malicious apps were removed from the Play Store, with most of them being discovered after a long time; now imagine how many users were not infected until the day of removal.
I agree with you, their scanning systems are not as good as they make them out to be and there are many rogue extensions on the Google Play Store, it's not friendly at all.

Safe environment? More like the modern-UI version of malc0de DB for malicious browser extensions. :ROFLMAO:
 

Prorootect

Level 53
Verified
MOTTO:
Opcode wrote: Safe environment? More like the modern-UI version of malc0de DB for malicious browser extensions. :ROFLMAO:

Malicious Chrome Extensions Found in Chrome Web Store, Form Droidclub Botnet
blog.trendmicro.com: Malicious Chrome Extensions Found in Chrome Web Store, Form Droidclub Botnet (TrendLabs Security Intelligence Blog)
Posted on: February 1, 2018 at 5:00 am
The Trend Micro Cyber Safety Solutions team has discovered a new botnet delivered via Chrome extensions that affect hundreds of thousands of users. (The malicious extension is detected as BREX_DCBOT.A.) This botnet was used to inject ads and cryptocurrency mining code into websites the victim would visit. We have dubbed this particular botnet Droidclub, after the name of one of the oldest command-and-control (C&C) domains used.
In addition to the above features, Droidclub also abuses legitimate session replay libraries to violate the user’s privacy. These scripts are injected into every website the user visits. These libraries are meant to be used to replay a user’s visit to a website, so that the site owner can see what the user saw, and what he entered into the machine, among other things. Other researchers have raised the possibility that these libraries could be abused, but this is the first time we have seen this in the wild.
The attacker gets the user to install these malicious Chrome extensions via a mix of malvertising and social engineering. A total of 89 Droidclub extensions have been found on the official Chrome web store. Based on the pages of these extensions, we estimate that up to 423,992 users have been affected. Google has since removed these extensions from the official Chrome web store; in addition, the C&C servers have been removed from Cloudflare as well.
The diagram below shows the overall behavior of Droidclub:

Figure 1. Droidclub Infection Flow

Distribution

Droidclub is distributed via a combination of malvertising and social engineering. Malicious ads would be used to display false error messages asking users to download an extension onto their browser:

Figure 2. False Error Messages Used To Install Droidclub Extension

If people click OK here, the Chrome browser will download the extension from the normal Chrome web store in the background. It then asks the user if they want to go ahead and install the extension, while listing the required privileges of the extension.
The extension, once installed, checks if the C&C server is online, downloads any needed configuration code, and reports back to the C&C server. This process is repeated every five minutes.
The extensions themselves are designed to appear innocent, if slightly nonsensical.

Figure 3. Example of Droidclub Extension

Malicious Behavior

A browser infected with Droidclub will periodically pop up a new tab displaying web advertising. The URL and the frequency are both sent as part of the configuration information from the C&C server. Currently, this malware is being used to display low-quality advertising (such as those for pornographic sites) and/or exploit kits. The attacker behind Droidclub may be using this botnet to artificially raise the impressions of certain ads, resulting in increased views and revenue.
...
Droidclub can also modify the contents of viewed websites. The extension is currently injecting various pieces of Javascript code, one of which modifies these pages by adding external links to certain keywords. These links go to ads as well. Ads within the original site are also replaced with ads chosen by the attacker; the code does it by searching for IFRAME sizes that match those used in advertisements.

Figure 5. Injected malicious scripts

A Javascript library from Yandex Metrica is also injected into visited websites on the victim’s browser (the original website is not modified). This is a legitimate web analytics library that a site owner can use to evaluate how visitors are using their site. This library enables a feature called session replay, which can record various user actions like mouse clicks, scrolling, and keystrokes.
Unfortunately, in the hands of an attacker, this tool can be abused and represents a very powerful tool that can breach the user’s privacy. The combination of the extension and the library can steal data entered into forms such as names, credit card numbers, CVV numbers, email addresses, and phone numbers. The library does not capture passwords by design, so these are not stolen by the threat actors. The video below shows the information that the library can acquire. We replaced the Yandex account used by the attackers with our own during testing.
...
In the course of our research, we found that a previous version of Droidclub was still active in the wild. While it communicated to the same set of C&C servers, the implementation and C&C command format differed. Based on the dates of upload to the Chrome web store, these represented an earlier version created in April 2017 (the others were created in November 2017).
This older version primarily differed with the addition of cryptocurrency mining. These versions also injected Coinhive cryptocurrency mining code onto visited websites, turning the browser into a Monero miner. While the current version does not have the code injection, the Coinhive code remains functional and could be re-inserted in the future.

Figure 7. Earlier version of Droidclub with Coinhive code
... ...

Indicators of Compromise:
A separate annex containing a list of the various Droidclub extensions, as well as the domains used, is available for download here.
- this annex is very interesting: Appendix: Malicious Chrome Extensions Found in Chrome Web Store, Form Droidclub Botnet

From annex:
Examples of Extension Name:
Italian Pasta Salad, DIY Cleaning Wipes, Homemade Dole Whip, Swirled Pumpkin Cheesecake, Peach Sangria, School Notebooks, Ironing Board Cover, Chocolate Peanut Butter etc... etc...

Examples of Domains Used by Droidclub:
Malvertising Domain (First Stage): srv432.host, srv993.club, domain232.club, track103.host, onclick392.club, pxl058trk.top, srv230bid.site ...
Malvertising Domain (Second Stage): fahr.me, faur.me, galv.me, genk.me, genl.me, gibe.me, gwyn.me, hond.me etc...


...read MORE at the website...
An avalanche of fake malicious extensions on Chrome Web Store!
I'm sure there are more fake than safe chrome extensions...
more fake than safe
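An added example, not code from the Trend Micro or ICEBRG write-ups quoted above: a Python audit of unpacked extension manifests that flags the pattern both posts describe (broad host access combined with request-rewriting permissions, a content script injected into every site, a non-Google update_url as used by third-party repositories, and a CSP allowing unsafe-eval so downloaded configuration can become code) and matches extension IDs against the one ID the thread quotes. The manifest contents and the two "aaaa…"/"bbbb…" IDs are constructed for the example; only the Change HTTP Request Header ID comes from the ICEBRG post.

```python
import json

# Chrome's own update service; any other update_url means a third-party repository,
# which the ICEBRG note says can keep a removed extension installable.
CHROME_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
BROAD_HOSTS = {"<all_urls>", "http://*/*", "https://*/*", "*://*/*"}
# Permissions that let an extension read or rewrite traffic once it has broad host access.
SENSITIVE_PERMS = {"webRequest", "webRequestBlocking", "cookies", "proxy", "tabs"}

# The only extension ID quoted in this thread (ICEBRG post). Droidclub IDs live in
# Trend Micro's annex, which is not on this page, so none are listed here.
KNOWN_BAD_IDS = {
    "ppmibgfeefcglejjlpeihfdimbkfbbnm": "Change HTTP Request Header (ICEBRG, Jan 2018)",
}


def declared_hosts(manifest):
    """Every host pattern the manifest asks for, from permissions and content scripts."""
    hosts = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return hosts


def audit(ext_id, manifest, known_bad=KNOWN_BAD_IDS):
    """Return human-readable findings for one extension; an empty list means nothing stood out."""
    findings = []
    if ext_id in known_bad:
        findings.append("known malicious ID: " + known_bad[ext_id])
    broad = declared_hosts(manifest) & BROAD_HOSTS
    perms = set(manifest.get("permissions", [])) & SENSITIVE_PERMS
    if broad and perms:
        findings.append("broad host access %s combined with %s" % (sorted(broad), sorted(perms)))
    if any(set(s.get("matches", [])) & BROAD_HOSTS for s in manifest.get("content_scripts", [])):
        findings.append("content script runs on every site (ad/miner/session-replay injection point)")
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # Manifest V3 spells the CSP as an object
        csp = csp.get("extension_pages", "")
    if "unsafe-eval" in csp:
        findings.append("CSP permits unsafe-eval, so downloaded config can be executed as code")
    update_url = manifest.get("update_url")
    if update_url and update_url != CHROME_UPDATE_URL:
        findings.append("updates from a third-party repository: " + update_url)
    return findings


def audit_all(manifests_json, known_bad=KNOWN_BAD_IDS):
    """manifests_json: JSON text mapping extension ID -> manifest dict. Returns {id: findings}."""
    return {ext_id: audit(ext_id, m, known_bad) for ext_id, m in json.loads(manifests_json).items()}


# Constructed sample input: manifest contents are invented for this example, not the real files.
SAMPLE = json.dumps({
    "ppmibgfeefcglejjlpeihfdimbkfbbnm": {
        "name": "Change HTTP Request Header", "manifest_version": 2,
        "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"],
        "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"},
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {  # placeholder ID, recipe-style name like Droidclub's
        "name": "Example Recipe Helper", "manifest_version": 2, "permissions": ["storage"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
        "update_url": "https://updates.example.invalid/crx"},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {  # placeholder ID, nothing to flag
        "name": "Ruler Tool", "manifest_version": 2, "permissions": ["activeTab"],
        "update_url": CHROME_UPDATE_URL},
})

if __name__ == "__main__":
    for ext_id, findings in audit_all(SAMPLE).items():
        print(ext_id, findings or ["no findings"])
```

To run this against a real profile, load each `<profile>/Extensions/<id>/<version>/manifest.json` into the same ID-keyed mapping; the checks are heuristics that rank what to inspect by hand, not a verdict.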

Slyguy

Level 42
Verified
I wonder how much of this is driven by the fact that Chrome is pretty secure, but ChromeBooks are exceptionally secure and increasing in popularity by a huge amount, thus closing off all vectors of attack BUT this? So yeah, it makes sense they'd go after this vector.
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
Again: the obvious clues:

1. Uses a name which resembles a known antivirus (Mr Web instead of Dr Web)
2. No link to developer "Applicationlove7" (or it just links to the extension itself)
3. User review tells what this extension does - redirect to who knows what