Fake MinerBlock Extension Repeatedly Playing Videos in the Background

HarborFront

Security researcher Bryan Campbell discovered a malicious Chrome extension today that is masquerading as the legitimate MinerBlock extension. The legitimate MinerBlock extension is used to block sites that utilize in-browser cryptocurrency mining, while the newly discovered version causes Chrome to repeatedly play videos in the background without your knowledge.

The Chrome Web Store pages for each extension look different, with the fake one containing Russian text and the developers being different. The developer for the legitimate MinerBlock is from CryptoMineDev, while the malicious one is listed as from egopastor2016.

As for the extensions themselves, other than the logo and the version number, both extensions look the same and have the same options interface.

[Image: Legitimate MinerBlock Extension]

[Image: Fake MinerBlock Extension]

Functionality is where things change. While the original MinerBlock is designed to block access to known mining sites, the malicious version is used to constantly play videos in the background.

It is not known for sure why the extension is constantly playing videos in the background, but it could be used for click fraud through the display of advertisements or to artificially increase view counts.

When started, the malicious extension will connect to the site egopastor.biz and retrieve a set of "tasks". These tasks will determine what options the extension will use and the URLs it should connect to.

You can see an example of the extension connecting to this site and retrieving its configuration below.

[Image: Fiddler showing video playback]

The extension will then begin to connect to the specified URL, which at this time causes videos to be played from various Russian video sites. When a video is played, it will cause the CPU utilization to shoot as high as 100% and then drop back down to 0 when the video has finished playing. You can see an example of this CPU utilization while a video plays below.

[Image: CPU Utilization]

For those who may have this version installed, you can easily remove the extension by right-clicking on its icon and selecting remove.

With it becoming more common for malicious extensions to masquerade as well-known legitimate ones, it is important for all users to be careful when installing extensions. Before installing anything, be sure to read the reviews carefully and make sure the extension you are installing is the correct one.

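One way to check a Chrome profile for the fake extension using the task-server domain the article names, as an added example that is not part of the original post: it walks the `Extensions/<id>/<version>/` layout and reports any extension whose files mention `egopastor.biz`. The extension IDs, the `/tasks` URL path and the sample files below are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

C2_DOMAIN = "egopastor.biz"  # task server named in the article
SCANNED_SUFFIXES = {".js", ".json", ".html"}

def scan_extensions(ext_root, indicator=C2_DOMAIN):
    """Return one finding per installed extension version that references `indicator`."""
    findings = []
    needle = indicator.lower().encode()
    for manifest_path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        version_dir = manifest_path.parent
        try:
            manifest = dict(json.loads(manifest_path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, TypeError):
            manifest = {}  # unreadable or malformed manifest: still scan the files
        hits = []
        for path in sorted(version_dir.rglob("*")):
            if not path.is_file() or path.suffix.lower() not in SCANNED_SUFFIXES:
                continue
            try:
                if needle in path.read_bytes().lower():
                    hits.append(str(path.relative_to(version_dir)))
            except OSError:
                continue
        if hits:
            findings.append({"id": version_dir.parent.name, "files": hits,
                             "name": manifest.get("name", "?"),
                             "version": manifest.get("version", "?")})
    return findings

def build_sample_profile(root):
    """Constructed sample data: two look-alike extensions with made-up IDs."""
    samples = {
        "a" * 32: ('{"name": "MinerBlock", "version": "1.0"}', "var blocklist = [];"),
        "b" * 32: ('{"name": "MinerBlock", "version": "9.9"}',
                   'fetch("http://egopastor.biz/tasks");'),  # constructed URL path
    }
    for ext_id, (manifest, script) in samples.items():
        d = Path(root) / ext_id / "1.0_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(manifest, encoding="utf-8")
        (d / "background.js").write_text(script, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        for finding in scan_extensions(tmp):
            print(finding)
```

On a real machine, pass the profile's `Extensions` directory to `scan_extensions`. A clean result only means the domain does not appear as a plain string in the scanned files.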

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top