111 Chrome add-ons, downloaded 32 million times, caught downloading sensitive data

Awake Security has reported identifying 111 Google Chrome add-ons that send confidential user data to external servers. Among other things, the add-ons had permission to take screenshots, read the contents of the clipboard, check cookies for access tokens, and intercept input in web forms. In total, the detected malicious add-ons accounted for 32.9 million downloads in the Chrome Web Store; the most popular of them (Search Manager) was downloaded 10 million times and has 22 reviews.

It is assumed that all of the add-ons in question were prepared by a single team of attackers, since they all used the same scheme for distribution and for organizing the capture of confidential data, and share common design elements and repeated code. 79 add-ons with malicious code were listed in the Chrome Web Store catalogue and have already been removed after notification of the malicious activity was sent. Many of the malicious add-ons copied the functionality of various popular add-ons, including ones that claim to provide additional browser protection, improve search privacy, convert PDFs, or convert between file formats.


The add-on developers first published a clean version without malicious code in the Chrome Web Store, passed review, and then, in one of the subsequent updates, introduced changes that loaded the malicious code after installation. To hide traces of the malicious activity, a technique of selective responses was also used: on the first request the server returned the malicious payload, and on subsequent requests it returned innocuous data.


The main ways of spreading the malicious add-ons were identified as promotion through professional-looking sites (as in the picture below) and placement in the Chrome Web Store, where the review mechanisms were bypassed by downloading the code from external sites after installation. To get around the restriction that add-ons may only be installed from the Chrome Web Store, the attackers distributed their own builds of Chromium with the add-ons pre-installed, and also installed them through adware already present on the system. The researchers analyzed 100 networks of financial, media, medical, pharmaceutical, oil and gas and trading companies, as well as educational and government institutions, and found traces of the malicious add-ons in question in almost all of them.

[image]

Over the course of the campaign, more than 15 thousand domains were used that either resemble popular sites (for example, gmaille.com, youtubeunblocked.net) or were registered after the renewal period of previously existing domains had expired. These domains were also used in the malware's command-and-control infrastructure and to download malicious JavaScript snippets that are executed in the context of the pages the user opens.
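One way a defender can pick out domains of the gmaille.com / youtubeunblocked.net kind from DNS logs is to compare the registrable label of each queried name against a short list of brands, flagging names that embed a brand, sit within a couple of edits of it, or reuse the brand label under a different suffix. The following script is an added example, not code from the report or from opennet.ru; the brand list, the dnsmasq-like log layout and the "last two labels" notion of a registrable domain are assumptions made for illustration (a real deployment would consult the public suffix list).

```python
"""Flag DNS queries for domains that imitate popular sites, as the campaign's
gmaille.com / youtubeunblocked.net domains do. Runs over constructed log lines."""

# Brand labels to watch and the registrable domains they legitimately belong to (assumed list).
BRANDS = {"google": "google.com", "gmail": "gmail.com", "youtube": "youtube.com"}
LEGITIMATE = set(BRANDS.values())
MAX_EDIT_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), dynamic programming over two rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_parts(qname: str):
    """Naive split into (registrable domain, its first label). Assumes a plain one-label
    public suffix; real deployments should consult the public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None, None
    return ".".join(labels[-2:]), labels[-2]


def lookalike_reason(qname: str):
    """Return why a query name looks like a brand imitation, or None if it does not."""
    registrable, core = registrable_parts(qname)
    if registrable is None or registrable in LEGITIMATE:
        return None  # the brand's own domain, or not a parseable name
    for brand in BRANDS:
        if core == brand:
            return f"brand label '{brand}' under an unexpected suffix"
        if brand in core:
            return f"embeds brand '{brand}'"
        if levenshtein(core, brand) <= MAX_EDIT_DISTANCE:
            return f"within {MAX_EDIT_DISTANCE} edits of '{brand}'"
    return None


def scan_dns_log(lines):
    """Parse 'timestamp client query[TYPE] qname' lines; return (qname, reason) for hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4 or not fields[2].startswith("query["):
            continue  # not a query record in the assumed layout
        qname = fields[3]
        reason = lookalike_reason(qname)
        if reason:
            hits.append((qname, reason))
    return hits


# Constructed sample log (dnsmasq-like layout, not real traffic).
SAMPLE_LOG = [
    "2020-06-18T10:01:02 10.0.0.5 query[A] mail.google.com",
    "2020-06-18T10:01:05 10.0.0.5 query[A] gmaille.com",
    "2020-06-18T10:01:09 10.0.0.7 query[A] youtubeunblocked.net",
    "2020-06-18T10:02:00 10.0.0.9 query[A] example.org",
    "2020-06-18T10:02:30 10.0.0.9 query[AAAA] youtube.com",
]

if __name__ == "__main__":
    for qname, reason in scan_dns_log(SAMPLE_LOG):
        print(f"{qname}: {reason}")
```

The edit-distance threshold of 2 catches single typos and transpositions (gmial.com) while the substring check catches the "brand plus extra words" pattern; both produce false positives on short brand names, so the brand list should be kept to names of five or more characters and the hits treated as leads for review rather than automatic blocks.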

The researchers suspected collusion by the domain registrar Galcomm, through which 15 thousand of the domains used for malicious actions were registered (60% of all domains issued by this registrar), but Galcomm representatives denied these assumptions and stated that 25% of the listed domains have already been deleted or were not issued by Galcomm, and almost all of the rest are inactive parked domains. Galcomm representatives also said that nobody contacted them before the report was published; they received the list of domains used for malicious purposes from a third party and are now analyzing it.

The researchers who identified the problem compare malicious add-ons to a new kind of rootkit: most of many users' activity goes through the browser, which is the means of access to shared document storage, corporate information systems and financial services. Under such conditions it makes no sense for attackers to look for ways to fully compromise the operating system in order to install a full-fledged rootkit; it is much easier to install a malicious browser add-on and control the flows of confidential data through it. Besides controlling data in transit, an add-on can request permissions to access local data, the webcam and the device location. As practice shows, most users pay no attention to the requested permissions, and 80% of the 1000 most popular add-ons request access to the data of all pages they process.
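Whether an add-on can reach "the data of all pages", read the clipboard, or pull cookies is declared in its manifest.json, so an administrator who exports the manifests of the extensions installed in a fleet can audit them for exactly the reach this report describes. The script below is an added example, not code from Awake Security or opennet.ru: it separates host match patterns from API permissions (manifest v2 mixes them in one list, v3 keeps `host_permissions` apart), counts content scripts injected on every page as broad access, and checks whether the extension's content security policy permits script from a remote origin, which is what remote code loading after review requires. The two manifests are constructed samples, and the list of permissions treated as sensitive is the author's choice, not an official classification.

```python
"""Audit Chrome extension manifests for the kind of reach the report describes:
access to every page, clipboard/cookie/tab APIs, and a CSP that lets the
extension load script from a remote origin."""
import json

# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Chrome extension API permissions worth a second look, especially next to broad host access
# (selection is the example author's, not an official ranking).
SENSITIVE_PERMISSIONS = {
    "clipboardRead": "read the clipboard",
    "cookies": "read and modify cookies (session tokens)",
    "tabs": "enumerate open tabs and their URLs",
    "webRequest": "observe network requests",
    "webRequestBlocking": "block or rewrite network requests",
    "geolocation": "read the device location",
    "desktopCapture": "capture the screen",
    "history": "read browsing history",
    "nativeMessaging": "talk to native host programs",
}


def is_host_pattern(entry: str) -> bool:
    """MV2 manifests mix host match patterns into 'permissions'; tell them apart from API names."""
    return entry == "<all_urls>" or "://" in entry


def csp_allows_remote_script(manifest: dict) -> bool:
    """True if script-src permits an http(s) origin, i.e. the extension may load remote code."""
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 form: {"extension_pages": "..."}
        csp = csp.get("extension_pages", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return any(src.startswith(("http://", "https://")) for src in parts[1:])
    return False


def audit_manifest(manifest: dict) -> dict:
    """Return the findings and an overall risk label for one parsed manifest.json."""
    hosts = list(manifest.get("host_permissions", []))  # MV3 keeps hosts separately
    api_perms = []
    for entry in manifest.get("permissions", []):
        (hosts if is_host_pattern(entry) else api_perms).append(entry)
    # Content scripts injected on every page reach page data even without host_permissions.
    for script in manifest.get("content_scripts", []):
        hosts.extend(script.get("matches", []))

    broad_hosts = sorted({h for h in hosts if h in BROAD_HOST_PATTERNS})
    sensitive = {p: SENSITIVE_PERMISSIONS[p] for p in api_perms if p in SENSITIVE_PERMISSIONS}
    remote_script = csp_allows_remote_script(manifest)

    if broad_hosts and (sensitive or remote_script):
        risk = "high"      # sees every page and can exfiltrate or fetch code
    elif broad_hosts or sensitive or remote_script:
        risk = "medium"
    else:
        risk = "low"
    return {
        "name": manifest.get("name", "?"),
        "broad_hosts": broad_hosts,
        "sensitive_permissions": sensitive,
        "remote_script_allowed": remote_script,
        "risk": risk,
    }


# Constructed sample manifests (not taken from any real extension).
BENIGN_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Note Taker", "version": "1.0",
  "permissions": ["storage", "activeTab"]
}""")

SUSPECT_MANIFEST = json.loads("""{
  "manifest_version": 2, "name": "Example Search Tool", "version": "2.3",
  "permissions": ["<all_urls>", "clipboardRead", "cookies", "tabs", "storage"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
  "content_security_policy": "script-src 'self' https://cdn.example.test; object-src 'self'"
}""")

if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, SUSPECT_MANIFEST):
        print(json.dumps(audit_manifest(m), indent=2))
```

Because the report's add-ons were clean at review time and turned malicious in a later update, the useful workflow is to run this audit on every version change and diff the results, so a new `<all_urls>` entry or a relaxed `script-src` shows up as an event rather than being buried in the install-time prompt that most users click through.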

Source: opennet.ru
