Story image

Fake Chrome extensions inject code into web pages

02 May 17

Recently, here at our research lab, we have seen an increase in the number of JS/Chromex.Submelius threats detected. In countries like Colombia, Peru, Ecuador and Chile, the detection levels for this particular threat have been as high as 30% or 40% of the total threats for the entire country.

This is a trojan that redirects the user’s browser to a specific URL, which contains another kind of malicious content. Given the high detection levels for this threat, which primarily targets Chrome, currently one of the most popular web browsers, we set out to find out how the threat is being propagated and how a user might fall into its trap.

Watch whatever you want … but get infected at the same time

We found one example of how this threat is being propagated on a popular website for watching movies online. In one of the options for watching the content, when the user decides they want to start playing a movie, an additional window opens in the browser:

Anyone who has ever visited this kind of website will find nothing particularly unusual about this, as new windows often pop up saying things like “a virus has been detected” or “earn money by working from home”. In this case though, the browser does not redirect to another page with an ad as usual, but goes to a website which then asks you to go to another URL … and the message won’t stop appearing until you click “Accept”.

This new redirection points to a download of an extension from the Chrome web store. The following screenshot shows what the browser’s address bar looks like before the extension is installed:

f the user accepts the download, a space appears next to the address bar with the extension icon, and, if you click on it, it takes you to a new page within the Chrome web store for a different extension. In this case, as you can see in the following screenshot, there are some recent comments saying the app is useless:

If the movie has started playing by this point, the user’s browser will have been infected. If we go and look at what extensions are installed in the browser, we find the one that was downloaded first, and we see that its permissions include reading and changing all your data on the websites that you visit. This leaves an open window so that when the user visits any website some code is injected into it:

Then, while the user is browsing the internet, they will suddenly see new windows opening up with information about their system, taking them to other websites containing downloads of malicious code, advertising, or other kinds of content. This becomes an endless loop, which ultimately will benefit whoever is behind the fraudulent extension.

What can you do if you have downloaded the extension?

If you have downloaded this malicious extension you should remove it immediately from your Chrome browser. To do so, you can type “chrome://extensions” in the address bar and then, when you find the extension, simply delete it.

As a further precaution, you should also analyze your computer or device using a trustworthy security solution to rule out the possibility of having downloaded any other kind of threat to your machine.

As always, it is very important to be careful before clicking on anything and pay close attention to all websites you visit, especially if they ask you to download extensions. We have already seen other campaigns associated with YouTube, Facebook, and other websites that have worked in similar ways.

So, we can see that this kind of campaign is by no means an isolated case. In fact, there is a whole structure of redirection, which we will look at in more technical detail in a future article.

Article by Camilo Gutiérrez Amaya, head of Awareness and Research, ESET.

ForeScout acquires OT security company SecurityMatters for US$113mil
Recent cyberattacks, such as WannaCry, NotPetya and Triton, demonstrated how vulnerable OT networks can result in significant business disruption and financial loss.
Exclusive: Fileless malware driving uptake of behavioural analytics
Fileless malware often finds its way into organisations via web browsers (or in combination with other vectors such as infected USB drives).
'DerpTrolling’ faces jail time for Sony DoS attacks
A United States federal court has charged a 23-year-old man for the hacks on Sony Online Entertainment and other major companies back in 2014.
It's time to rethink your back-up and recovery strategy
"It is becoming apparent that legacy approaches to backup and recovery may no longer be sufficient for most organisations."
Dropbox strengthens security with raft of new partnerships
Integrations will keep customer content protected and secure with tools for controlling identity access, governing data, and managing devices.
Companies swamped by critical vulnerabilities – Tenable
Research has found enterprises identify 870 unique vulnerabilities on internal systems every day, on average, with over 100 of them being critical.
Don’t let your network outgrow your IT team
"IT professionals spend less than half of their time at work optimising their networks and beefing it up against future security threats."
Three access management trends making waves in APAC
Consumer identity proofing, authentication, and authorisation will top the $37 billion value mark by 2023.