Security firm ICEBRG uncovers 4 malicious Chrome extensions
US-based security firm ICEBRG revealed yesterday that it detected four malicious Google Chrome extensions at the official Chrome Web Store.
The extensions had a combined user count of more than 500,000 users at that time. The company notified Google and authorities about the extensions; Google pulled three of the four extensions from the Store in the meantime.
The extensions in question are Lite Bookmarks**, Stickies - Chrome's Post-it Notes, Change HTTP Request Header and Nyoogle - Custom Logo for Google with Nyoogle still available at the official Web Store at the time of writing.
ICEBRG stumbled upon the malicious extensions during an investigation of a "suspicious spike in outbound traffic from a customer workstation." It identified the Chrome extension Change HTTP Request Header as the culprit and began to analyze the extension's behavior.
While the researchers did not notice other misbehavior by the extension, capabilities were in place to use it for other means.
The same capability could also be used by the threat actor to browse internal sites of victim networks, effectively bypassing perimeter controls that are meant to protect internal assets from external parties.
The detected extensions use similar methods, but it is unclear if they are operated by the same group. It seems likely considering the similarity of methods used to bypass Google's automated checks of Chrome extension uploads and behavior.
Chrome users should verify on chrome://extensions that none of the extensions are installed. It is recommended that you remove these extensions immediately.
Google's automated system that checks Chrome extensions before they are offered on the Store is severely broken. The last year alone saw a number of incidents where malicious Chrome extensions slipped past Google's detection routines to infect hundreds of thousands of user systems. (via Bleeping Computer)
- Another Chrome extension horror story: coinhive and domain registration
- Chrome has a massive copycat extensions problem
- Chrome extension CopyFish hijacked: remove now!
- Google pulls crypto-mining Chrome extension Archive Poster
- Google pulls Chrome Web Developer extension over ad-injecting
Interesting article Martin. I also looked at the ICEBRG blog and out of curiosity, did a search for one of the ID’s namely “djffibmpaakodnbmcdemmmjmeolcmbae” with IP adress 109.206.161[.]123
One of the results is this one of the Github site: https://github.com/adewes/chrome-extension-behavior-analysis/blob/master/data/extensions.json
It’s dated January 9 so before the ICEBRG blog was written. I don’t know if that means that the user called ‘adewes’ was just analyzing the code, or whether it indicates something else. It also appears here: https://crx.dam.io/pages/6.html for “Goodfon Wallpapers”.
Anybody have any thoughts on the subject?
Forgive me if I am wrong, but I do get the impression that Martin’s articles on Chrome are never quite as popular as those for Firefox? The comments are always fewer, less enthusiastic…..and if this is true, I understand, because I only use Chrome “variants” if I want to fire up Chrome.
Just thinking out loud! Oh, and to me, Chrome still feels like something from about the year 2004….2006 at best.
Your comment is irrelevant & off topic, even if your comment may be true, which represents only your personal impression.