Security firm ICEBRG uncovers 4 malicious Chrome extensions

Martin Brinkmann
Jan 16, 2018
Google Chrome
|
3

US-based security firm ICEBRG revealed yesterday that it detected four malicious Google Chrome extensions at the official Chrome Web Store.

The extensions had a combined user count of more than 500,000 users at that time. The company notified Google and authorities about the extensions; Google pulled three of the four extensions from the Store in the meantime.

The extensions in question are Lite Bookmarks**, Stickies - Chrome's Post-it Notes, Change HTTP Request Header and Nyoogle - Custom Logo for Google with Nyoogle still available at the official Web Store at the time of writing.

chrome extension malicious

ICEBRG stumbled upon the malicious extensions during an investigation of a "suspicious spike in outbound traffic from a customer workstation." It identified the Chrome extension Change HTTP Request Header as the culprit and began to analyze the extension's behavior.

The company notes in a blog post that the extension itself was clean of malicious code but set up for JavaScript code injection. The technicalities are described in detail on the ICEBRG blog.

The author of the extension could inject and execute arbitrary JavaScript code. The security researchers noticed that obfuscated JavaScript code was retrieved from a control server to user systems with the extension. According to ICEBRG, the threat actor used this for "visiting advertising related domains"; a strong indicator for a click fraud campaign.

While the researchers did not notice other misbehavior by the extension, capabilities were in place to use it for other means.

The same capability could also be used by the threat actor to browse internal sites of victim networks, effectively bypassing perimeter controls that are meant to protect internal assets from external parties.

The detected extensions use similar methods, but it is unclear if they are operated by the same group. It seems likely considering the similarity of methods used to bypass Google's automated checks of Chrome extension uploads and behavior.

Chrome users should verify on chrome://extensions that none of the extensions are installed. It is recommended that you remove these extensions immediately.

Closing Words

Google's automated system that checks Chrome extensions before they are offered on the Store is severely broken. The last year alone saw a number of incidents where malicious Chrome extensions slipped past Google's detection routines to infect hundreds of thousands of user systems. (via Bleeping Computer)

Related articles

Summary
Security firm ICEBRG uncovers 4 malicious Chrome extensions
Article Name
Security firm ICEBRG uncovers 4 malicious Chrome extensions
Description
US-based security firm ICEBRG revealed yesterday that it detected four malicious Google Chrome extensions at the official Chrome Web Store.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. Sophie said on January 16, 2018 at 7:10 pm
    Reply

    Forgive me if I am wrong, but I do get the impression that Martin’s articles on Chrome are never quite as popular as those for Firefox? The comments are always fewer, less enthusiastic…..and if this is true, I understand, because I only use Chrome “variants” if I want to fire up Chrome.

    Just thinking out loud! Oh, and to me, Chrome still feels like something from about the year 2004….2006 at best.

    1. Klaas Vaak said on January 17, 2018 at 6:57 am
      Reply

      Your comment is irrelevant & off topic, even if your comment may be true, which represents only your personal impression.

  2. TelV said on January 16, 2018 at 4:25 pm
    Reply

    Interesting article Martin. I also looked at the ICEBRG blog and out of curiosity, did a search for one of the ID’s namely “djffibmpaakodnbmcdemmmjmeolcmbae” with IP adress 109.206.161[.]123

    One of the results is this one of the Github site: https://github.com/adewes/chrome-extension-behavior-analysis/blob/master/data/extensions.json

    It’s dated January 9 so before the ICEBRG blog was written. I don’t know if that means that the user called ‘adewes’ was just analyzing the code, or whether it indicates something else. It also appears here: https://crx.dam.io/pages/6.html for “Goodfon Wallpapers”.

    Anybody have any thoughts on the subject?

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.