Malicious Chrome Extensions Infiltrate FI Enterprises

January 19, 2018 Marketing GrafWebCUSO

Seattle-based ICEBRG’s Security Research Team discovered four malicious Google Chrome extensions affecting some 500,000 users. Together, those compromised installations provide a substantial pool of resources to use for fraudulent purposes and financial theft.

While performing a routine investigation of anomalous traffic, ICEBRG’s SRT detected a suspicious spike in outbound network traffic from a customer workstation. The resulting investigation led to the discovery of harmful Google Chrome extensions that could affect workstations within major organizations, including financial institutions, globally.

The ICEBRG research team, Justin Warner, principal security engineer, and Mario De Tore, technical director, security research and operations, revealed their findings in a blog. “While these web-based applications can enhance the users’ overall experience, they also pose a threat to workstation security with the ability to inject and execute arbitrary code.” The SRT asserted that, to a motivated threat actor, this approach presents a range of opportunities, from co-opting enterprise resources for advertising click-fraud to leveraging a user’s workstation as a foothold into the enterprise network.

Click fraud campaigns allow a malicious party to receive revenue by compelling victim systems to visit advertising sites that pay per click. Threat actors could also use the same capability to browse internal sites of victim networks, bypassing perimeter controls intended to defend internal assets from external parties.

While revenues are not known, a similar botnet, uncovered in 2013, yielded $6 million per month before being taken down, ICEBRG said.

In a technical overview, the researchers explained how they discovered unknown traffic to and from a server hosted on a European virtual private server provider, originating from a Chrome extension titled “Change HTTP Request Header.” ICEBRG analyzed this extension to understand the entire scope of its capabilities and identified the cause of the sudden traffic spike. The Change HTTP Request Header extension itself does not contain any overtly malicious code. However, ICEBRG identified items that, when combined, enable the injection and execution of arbitrary JavaScript code via the extension.

By design, Chrome’s JavaScript engine evaluates (executes) JavaScript code contained within “JavaScript Object Notation” (JSON), the research explained. “Due to security concerns, Chrome prevents the ability to retrieve JSON from an external source by extensions, which must explicitly request its use via the content security policy. When an extension does enable the ‘unsafe-eval’ permission to perform such actions, it may retrieve and process JSON from an externally-controlled server. This creates the scenario in which the extension author could inject arbitrary JavaScript code.”

During the extension analysis, ICEBRG observed the control server, “change-request[.]info”, returning obfuscated JavaScript to the victim host via the JSON configuration updates. The extension would then evaluate and execute this JavaScript. Once executed, the obfuscated code checks for the existence of native Chrome debugging tools. This is most likely an anti-analysis technique implemented by the developers to evade detection and extend their capabilities. Next, the obfuscated code established a persistent HTTP tunnel out to the control server using WebSockets, which was then used to proxy the threat actor’s browsing traffic through the victim workstation. “During the time of observation, the threat actor utilized this capability exclusively for visiting advertising related domains indicating a potential click fraud campaign was ongoing,” the SRT revealed.
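The risky combination described above (an extension CSP that permits `'unsafe-eval'` together with permission to reach external servers) can be checked for in an extension’s manifest before it is allowed onto a workstation. The following is an added example, not ICEBRG’s code; the two manifests it audits are constructed samples, not the real extensions’ manifests.

```javascript
// Added example: flag Chrome extension manifests that combine an 'unsafe-eval'
// content security policy with access to remote hosts, the pattern that let the
// "Change HTTP Request Header" extension execute server-supplied "configuration".

// Collect every CSP string in a manifest (MV2 uses a string, MV3 an object).
function cspStrings(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === 'string') return [csp];
  if (csp && typeof csp === 'object') return Object.values(csp).filter(v => typeof v === 'string');
  return [];
}

// True when a script-src directive allows eval() of strings fetched at runtime.
function allowsUnsafeEval(manifest) {
  return cspStrings(manifest).some(csp =>
    csp.split(';').some(d => /^\s*script-src\b/.test(d) && d.includes("'unsafe-eval'")));
}

// Permissions that let the extension talk to arbitrary web servers.
function remoteHosts(manifest) {
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  return perms.filter(p => /^(<all_urls>|\*:\/\/|https?:\/\/)/.test(p));
}

// Returns human-readable findings; an empty list means the combination is absent.
function auditManifest(manifest) {
  const findings = [];
  const evalOk = allowsUnsafeEval(manifest);
  const hosts = remoteHosts(manifest);
  if (evalOk) findings.push("CSP permits 'unsafe-eval': fetched data can be executed as code");
  if (hosts.length) findings.push(`reaches remote hosts: ${hosts.join(', ')}`);
  if (evalOk && hosts.length) findings.push('HIGH: remote content plus eval; review before deployment');
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const riskyManifest = {
  manifest_version: 2, name: 'Sample Header Changer',
  permissions: ['webRequest', 'webRequestBlocking', '<all_urls>'],
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};
const safeManifest = {
  manifest_version: 3, name: 'Sample Notes',
  permissions: ['storage'],
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};

console.log('risky:', auditManifest(riskyManifest));
console.log('safe: ', auditManifest(safeManifest));
```

In practice the same check is run over each `manifest.json` under the user profile’s Extensions directory, so an extension that later gains `'unsafe-eval'` through an update is caught on the next pass.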

ICEBRG determined with high confidence that the following extensions are related to the Change HTTP Request Header activity: Nyoogle and Lite Bookmarks, which use the same combination of TTPs as Change HTTP Request Header to achieve the same objective; and the Stickies extension, which accomplishes its objective by modifying a standard JavaScript library and introducing a JavaScript execution technique inside this library.

“Hygiene of user workstations is a difficult problem to tackle, made even more difficult by the exhaustive number of ways that code can execute through seemingly legitimate applications and plugins,” Warner and De Tore warned. “In this case, the inherent trust of third-party Google extensions, and accepted risk of user control over these extensions, allowed an expansive fraud campaign to succeed. In the hands of a sophisticated threat actor, the same tool and technique could have enabled a foothold into target networks.”