The TROJANIZED COMPONENT: DISSECTING THE BROWSER EXTENSION AND CTI GREAT EFFECTS


TL;DR

[Image: A Trojan horse made of electronic hardware components]

Supply Chain Attacks Are Not a New Phenomenon!

  • 2013 Target point of sale (POS) system hack
  • 2017 NotPetya targeted Ukraine via a supply chain
  • Avast's 2017 CCleaner supply chain attack
  • https://bugs.chromium.org/p/project-zero/issues/detail?id=1930

Browser-based threats:

Man in the browser attack

  • Browser Extension
  • User script
  • Browser Helper Object (BHO)

  1. The user downloads malware that infects the workstation.
  2. The malware infects the workstation's browser.
  3. The user accesses the bank website and requests a transaction.
  4. The malware records the transaction request and modifies it.
  5. The contents are transferred to the attacker.
  6. The malware rewrites the transaction receipt to show the transaction the user requested, so that it remains hidden.

Malicious Browser Extension:

How does a malicious browser extension get published in the store?

Persistence in the era of malicious extensions

  • Are any permissions required?
  • What are the external covert channels? URL, JavaScript

What permissions does it require?

  1. Write access to multiple domains, including GitHub, LocalBitcoins, and more.
  2. It requests access to all open tabs and your cookies; these permissions are abused a lot to steal your assets from various exchanges and wallet services.
  • In a sentence: it steals all your secrets depending on the domain, mostly BTC or credentials.

From threat intelligence, what did we find?

  • The bad actor's addresses.
  • Backend servers and domains.
  • Russian code comments.

Three main problems with browser extensions:

Toolkit for Analyzing Browser Plugins

  • Manifest analysis.
  • Internal file hashing.
  • Entity extraction using regular expressions: IPv4 addresses, email addresses, cryptocurrency addresses, URLs, etc.
  • Comments extraction from HTML, CSS and JS files.
  • Cryptojacking detection engine based on known mining domains and expressions.
  • Suspicious JavaScript code detection such as eval().
  • Certificate analysis if provided.
  • Batch analysis of previously downloaded extensions.

Dissecting Browser Extensions from Archive to Source Code:

Manifest analysis

  • Every extension has a manifest file called manifest.json, which describes the extension's function and basic information about its usage.
  • Crawl the extension's files for indicators of compromise or malicious URLs used by the threat actor for command and control.
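As an added example (not code from the original post, nor from the author's Malicious_Extension repository), the following Python script sketches the toolkit steps listed above together with the manifest analysis: it reads manifest.json and flags over-broad permissions of the kind discussed earlier (tabs, cookies, all URLs), hashes every file, extracts IPv4 addresses, emails, URLs and Bitcoin-style addresses with regular expressions, pulls comments out of HTML/CSS/JS files and notes Cyrillic text in them, matches URLs against a list of mining domains, and flags suspicious JavaScript calls such as eval(). The unpacked extension is represented as an in-memory dict of path to content; the file contents, the mining-domain list and the risky-permission set are constructed, illustrative assumptions.

```python
import hashlib
import json
import re

# Constructed sample: a minimal unpacked extension as {path: content}.
# All values are hypothetical (TEST-NET IP, example.net, a documentation wallet address).
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({
        "name": "Wallet Helper",
        "version": "1.0.2",
        "permissions": ["tabs", "cookies", "<all_urls>", "storage"],
        "content_scripts": [{
            "matches": ["https://github.com/*", "https://localbitcoins.com/*"],
            "js": ["content.js"],
        }],
    }),
    "content.js": (
        "// отправить данные на сервер\n"          # Russian comment: "send data to the server"
        "var c2 = 'http://203.0.113.10/collect';\n"
        "var wallet = '1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2';\n"
        "eval(atob(payload));\n"
    ),
    "popup.html": (
        "<!-- contact: dev@example.net -->\n"
        "<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
    ),
}

# Assumed review lists; a real toolkit would load these from threat-intel feeds.
RISKY_PERMISSIONS = {"tabs", "cookies", "<all_urls>", "webRequest", "history"}
MINING_DOMAINS = {"coinhive.com", "coin-hive.com", "crypto-loot.com"}

PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "url": re.compile(r"https?://[^\s'\"<>]+"),
    "btc": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),  # legacy base58 addresses
}
COMMENT_PATTERNS = [
    re.compile(r"(?<!:)//[^\n]*"),     # JS line comments (lookbehind skips the // in URLs)
    re.compile(r"/\*.*?\*/", re.S),    # JS/CSS block comments
    re.compile(r"<!--.*?-->", re.S),   # HTML comments
]
CYRILLIC = re.compile(r"[\u0400-\u04FF]")
SUSPICIOUS_JS = re.compile(r"\b(eval|Function|atob|unescape)\s*\(")


def analyze_manifest(files):
    """Summarise the manifest: name, risky permissions and content-script host matches."""
    m = json.loads(files["manifest.json"])
    perms = set(m.get("permissions", []))
    hosts = [h for cs in m.get("content_scripts", []) for h in cs.get("matches", [])]
    return {"name": m.get("name"),
            "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
            "host_matches": hosts}


def hash_files(files):
    """SHA-256 of every internal file, for IoC sharing and batch de-duplication."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in files.items()}


def extract_entities(files):
    found = {kind: set() for kind in PATTERNS}
    for content in files.values():
        for kind, rx in PATTERNS.items():
            found[kind].update(rx.findall(content))
    return {kind: sorted(v) for kind, v in found.items()}


def extract_comments(files):
    comments = []
    for path, content in files.items():
        if path.endswith((".js", ".css", ".html")):
            for rx in COMMENT_PATTERNS:
                comments.extend(rx.findall(content))
    return comments


def detect_cryptojacking(files):
    """Hosts of any embedded URL that appear on the mining-domain list."""
    hits = set()
    for content in files.values():
        for url in PATTERNS["url"].findall(content):
            host = url.split("/")[2]
            if host in MINING_DOMAINS:
                hits.add(host)
    return sorted(hits)


def detect_suspicious_js(files):
    return sorted({m.group(1) for p, c in files.items()
                   if p.endswith(".js") for m in SUSPICIOUS_JS.finditer(c)})


def analyze(files):
    comments = extract_comments(files)
    return {
        "manifest": analyze_manifest(files),
        "hashes": hash_files(files),
        "entities": extract_entities(files),
        "comments": comments,
        "cyrillic_comments": any(CYRILLIC.search(c) for c in comments),
        "mining_domains": detect_cryptojacking(files),
        "suspicious_js": detect_suspicious_js(files),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EXTENSION), indent=2, ensure_ascii=False))
```

To run it on a real extension, unzip the .crx or .xpi archive and build the dict by reading each file from the unpacked directory; the per-file hashes then give you a stable identifier for batch analysis of previously downloaded extensions.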

The progression of Malicious Code Delivery

GitHub Repository : https://github.com/AliBawazeEer/Malicious_Extension

Three Web Attack Vectors Target the Browser

  • The attack can incorporate an element of social engineering to persuade the victim to take an action that compromises security.
  • The attacker can use the browser as a gateway for attacking web applications via techniques such as cross-site scripting (XSS), Cross-Site Request Forgery (CSRF) and Clickjacking.
  • The attacker can exploit a vulnerability in the web browser or in a local software add-in.

Trends and Lessons for Fighting Malicious Extensions

  • Chrome now automatically blocks installation of all extensions not present in the store unless the --enable-easy-off-store-extension-install flag is set.
  • The best prevention is safe browsing. The following steps can help:
  • Install extensions only from official web stores. Users should avoid installing extensions by clicking on links or downloading files they receive via email unless they are absolutely certain that the sender is legitimate.
  • Limit the number of installed extensions. More browser extensions can degrade computer performance and also open doors for harmful activity from the outside world.
  • Review carefully the permissions that an extension asks for in order to run. Think twice before installing the extension or granting any permission after installation. Any inconsistency between the required permissions and the functionality should raise a flag; better not to install that extension.
  • Re-review the permissions whenever a change to the extension requests new ones.
  • Inspect network activity in Chrome DevTools. Any network traffic to an unusual URL is probably malicious. Also, avoid extensions that communicate over non-HTTPS URLs.
  • Understand the virulent impact malicious extensions can have.
