Awake Security Company
All the add-ons examined are assumed to have been prepared by a single group of attackers, since in all
The add-on developers first published a clean version with no malicious code to the Chrome Web Store and passed review, then shipped the malicious code in a later update, where it was loaded after installation. To cover their tracks they also used selective responses: the first request from a given client received the malicious download, and subsequent requests were served innocuous data.
The main distribution channels identified were professional-looking promotional sites (as in the picture below) and listings in the Chrome Web Store, whose review was bypassed by downloading code from external sites later. To get around the restriction that add-ons may be installed only from the Chrome Web Store, the attackers also distributed their own Chromium builds with the add-ons pre-installed, and installed them through adware already present on the system. The researchers analyzed 100 networks of financial, media, medical, pharmaceutical, oil and gas and trading companies, as well as educational and government institutions, and found traces of the malicious add-ons in almost all of them.
Over the course of the malware campaign, more than
The researchers suspected collusion by the domain registrar Galcomm, through which 15 domains used for the malicious activity were registered (60% of all domains issued by that registrar), but representatives of Galcomm
The researchers who identified the problem liken malicious add-ons to a new kind of rootkit: most of a user's activity now takes place in the browser, which is the gateway to shared document storage, corporate information systems and financial services. Under these conditions attackers have no need to look for ways to fully compromise the operating system in order to install a classic rootkit; it is far easier to install a malicious browser add-on and control confidential data flows through it. Besides intercepting data in transit, an add-on can request permissions to access local data, the webcam and location. In practice most users pay no attention to the requested permissions, and 80% of the 1000 most popular add-ons request access to the data of every page they process.
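As an added example, not code from the report or from Awake Security, the following audit flags the two manifest traits the text describes: blanket access to every page the user visits, and an MV2 content security policy that permits pulling script from an external site, which is what lets a later update load code that was never part of the reviewed submission. The field layout follows Chrome's manifest.json; the sample manifest and its domain are constructed.

```python
import re

# Host match patterns that grant access to every page the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that expose browsing data or the local machine.
SENSITIVE_APIS = {"tabs", "webRequest", "webRequestBlocking", "cookies", "history",
                  "clipboardRead", "nativeMessaging", "proxy", "debugger", "management"}


def host_patterns(manifest):
    """Collect every host pattern the extension asks for (MV2 and MV3 layouts)."""
    found = set()
    for p in manifest.get("permissions", []) + manifest.get("host_permissions", []):
        if p in BROAD_HOSTS or "://" in p:  # a match pattern rather than an API name
            found.add(p)
    for cs in manifest.get("content_scripts", []):
        found.update(cs.get("matches", []))
    return found


def audit_manifest(manifest):
    """Return the findings a reviewer should look at for one extension manifest."""
    findings = []
    broad = host_patterns(manifest) & BROAD_HOSTS
    if broad:
        findings.append("broad host access: " + ", ".join(sorted(broad)))
    apis = SENSITIVE_APIS & set(manifest.get("permissions", []))
    if apis:
        findings.append("sensitive APIs: " + ", ".join(sorted(apis)))
    # MV2 lets script-src whitelist HTTPS origins; MV3 forbids remote script entirely.
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, str):
        m = re.search(r"script-src([^;]*)", csp)
        if m and re.search(r"https?://", m.group(1)):
            findings.append("CSP allows remote script: " + m.group(1).strip())
    return findings


# Constructed sample: an MV2 manifest with the traits worth a second look.
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "permissions": ["tabs", "<all_urls>", "storage"],
    "content_security_policy": "script-src 'self' https://cdn.example.invalid; object-src 'self'",
}

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```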
Source: opennet.ru