AliBawazeEer
13 min readFeb 20, 2021

The TROJANIZED COMPONENT: DISSECTING THE BROWSER EXTENSION AND CTI GREAT EFFECTS

dissection

Without question, 2020 was defined by the global coronavirus pandemic (GCP). So to speak Not only has the virus had huge public health consequences, social distancing and lockdown measures also have had profound economic impacts. On the other hand Cybercriminals and APT taking advantages of the situation, surprisingly they are targeting org and security researcher due to the wide spread of work from home and BYOD.

Lessons will be learned over the coming months and years by governments and businesses. Thus, its unique 360-degree view of the business and risk-control mindset can help organizations identify their blind spots and opportunities to improve their security operations. .

Unlike previous years, the unprecedented circumstances of the threat landscape and recent, the biggest global risk event in recent memory, have undoubtedly shaped the outlook for 2021. However, APT itself is not a principal risk.

Rather than posing new threats, the novel Supply chain attacks has exacerbated existing risks, putting them in a new light and forcing organizations to think about them from different angles or assign to them new levels of priority. Moreover, The incident highlights the severe impact software supply chain attacks can have and the unfortunate fact that most organizations are woefully unprepared to prevent and detect such threats. A case in point, cyber and data security is a perennial front-of-mind risk for board members, Audit Committee Chairs and CAEs. Widespread homeworking has meant that cybersecurity has taken on a new dimension, diving into details shall outlasts the rest of the report about browser plugin /extension threat and its benign use

comparatively, The lesson learnt today is how to adapt remote working culture in corporates and remain proactive in threat landscape while mobile devices continue to proliferate.

TL;DR

Browsers play a huge role in many businesses, but they’re also a main entry point for cyber-attacks. And As the World Wide Web matures into a ubiquitous computing platform, people are growing comfortable with sharing their personal information with web applications they trust. However, this casual sharing of information is accompanied by serious privacy and security implications.
We will walk through a use case and technical details of how in recent times browsers have been abused for malicious tasks such as private information gathering, browsing history retrieval, or password theft — leading to a number of devastating attacks. Nevertheless , the research shall find out how you can protect your enterprise from browser-based attacks and some advise of safe browsing .

A Trojan horse made of electronic hardware components
A Trojan horse made of electronic hardware components

Unfortunately, whenever there is a discovery of a massive data breach there is an immediate and predictable knee-jerk reaction trend that occurs both in private industry and in the government. It is unfortunate because it is indicative of a scrambling, unprepared reactive response rather than a successful proactive cybersecurity approach. Alert notifications renew focus on whatever particular attack vector was exploited. Respectively kill chain approach

The most recent cyberattack example was no different. It was a classic supply chain cyberattack involving the SolarWinds security product vendor that just happens to have over 300,000 customers around the world. But then again, one wonders how many organizations were truly taking the threat of supply chain attack seriously? The answer may surprise you

Supply Chain Attacks Are Not a New Phenomenon !

Notwithstanding, per say surely a plethora of undiscovered bugs in software code among others. Some example of supply chain attack for those who are new to cybersecurity

  • — 2013 Target point of sale (POS) system hack
    — 2017 NotPetya targeted Ukraine via a supply chain
    — Avast’s 2017 CCleaner supply chain attack

Its worth noting from attacker perspective the following question , Why go in the front door when you can sneak in through the side?

The intent of this article is not to explain and dissect how SUNBURST TTPs or what digital steganography .

just because the big news for two months is about supply chain attacks !! I was like it’s a good starting point to link in a browser security and hidden spy !! hell yeah :D

Interestingly browsers have been abused for malicious tasks such as private information gathering, browsing history retrieval, or password theft — leading to a number of devastating attacks.

A recent investigative piece by The Washington Post found that up to 4 million people had been leaking personal info via malicious browser extensions.

And In Summer 2019, the Cybersecurity research firm “DataSpii” discovered eight Firefox and Chrome extensions that were gathering data from millions of users including several Fortune 500 companies.

Even though , According to Google’s own figures, over the last few years, nearly 10% of Chrome extension submitted to the store extensions were malware.

Of course , I would be remiss not mention a major “LastPass” breach that considered to be One of the catastrophic implication in browser extension, a vulnerability was discovered which allow leaks credentials from previous site been visited

https://bugs.chromium.org/p/project-zero/issues/detail?id=1930

Browser-based threats ;

Man in the browser attack

A man-in-the-browser (MitB) attack occurs when an attacker inserts a special type of trojan horse into the users’ web browser via a

  • Browser Extension,
  • User script
  • Browser Helper Object (BHO).
  • downloads malware infecting workstations.
    2- malicious malware infects the workstation browser.
    3- user access bank website requesting a transaction.
    4- malware records the transaction request and modify it
    5- contents are transferred to the hacker.
    6- The malware changes the transaction receipt to the user requested transaction to remain hidden.

Man in the browser attacks are committed against individuals and organizations as seen in the supply chain attack (Sunburst) . Per say The most challenging aspect of man in the browser attacks is the time gap. users don’t initially notice anything suspicious. Cause by nature those attacks are not active at first trigger though the malicious code would be activated in due course of time such as new update .

Malicious Browser Extension :

Sadly, in recent times extensions have been abused for malicious tasks such as private information gathering, browsing history retrieval, or password theft

Nevertheless , Data stealing using Browser extension is not new .

In contrast All modern browser provide security for browser extension on browser level using either “Access Control Settings” or URI Randomization.

Unfortunately hacker targets extension developers account or the third-party servers e.g. API/resources/sites where these extensions communicate. Once compromised, the extension becomes the information harvest factory.

How Malicious Browser Extension get Published in the Store !?

A number of tactics were used for newly submitted extension to pass Google screening and publicly available in the store. Some of the tactics includes choosing and unsuspecting title and Icon, requesting minimum permissions, encrypting payloads etc.

Initially , At the time of publishing these extension to google store , by design harmless on any end user. This shows that attacker can publish a targeted malicious extension bypassing it as legitimate one.

As cyber threat intelligence specialist , hunting the artifacts around aforementioned Techniques and Tactics “TTPs” I can assure you ,The various names used to identify specific cyber threat actors are less important than being able to identify and recognize the tell-tale digital fingerprints of a specific group’s malware. False flags in malware code and proxy servers make cyberattack or exploitation attribution far from an exact science. However, it can help when digital forensics investigators compare malware code samples and consider other contributing factors such as political motives and which adversaries are likely to have the technical skill to pull off such an attack.

so we will be addressing a weaponization in the cyber kill chain methodology when it comes to detecting malicious browser extension

While extensions/plugins are the most common approach for product owners and end user to extend the functionalities of modern web browsers and even security enthusiast are always in love to use these extensions to help their browsing experience more useful .

Persistent in the era Malicious Extension

The dangers of malicious browser extensions

While doing my daily threat hunting and pivoting activity, I came across a project that interestingly promises So to speak, I inspected the code behind the plugin — it has a malicious behavior.

Deep diving into the investigation and analyze the packaging approach Threat actor used .

below a set of questions when investigating Browser extension ;

  • Are they any permission required ?
  • What are the external covet channel ? URL , JavaScript

What permissions does it require?

When you first install the browser extension it asks for ;

  1. write access to multiple domains including Github, LocalBitcoins, and more.
  2. It requests access to all open tabs and your cookies — these permissions are abused a lot to steal your assets from various exchanges and wallet services.

Considering the above indicators and artifacts packed with the extension , What does it do?

  • in a sentence, it steals all your secrets depending on the domain per say mostly BTC or creds

Let’s look at the actual execution of malicious activity …
Step 1) Harvesting credentials ;

trigger on a click event on the login button to steal the email and password inputs, store them in LocalStorage and send them to their server in the backend without disrupting the normal login routine from the exchange.

Step 2) Stealing 2FA codes

it sends the inputted 2FA to their backend along with the email and password stored in LocalStorage and many more logical approach to hijack CSRF as well as payment token ; )

From threat intelligence , what did we find ?

  • — The bad actor addresses.
    — Backend servers and domains.
    — Russian code comments

Three main problems with browser extensions ;

1. Browser extension could be created for phishing purposes. In March-April 2020 researchers found malicious campaign, when threat actor set up Ads campaign to promote his phishing extensions, which were able to steal victim’s passphrase for crypto wallets:

2. Browser extensions can be used for collecting user’s information including all visited websites based on permissions :

3. Browser extensions can become malicious after compromise of developer or after selling access to another developer or it can be created with malicious purposes. For example, in 2018 Chrome extension for the MEGA.nz file sharing service has been compromised with malicious code that steals users’ credentials and private keys for cryptocurrency accounts ).

In 2019 researchers found extension in Chrome Web Store that steals credit card data of users, this extension was designed as fake Flash Player .

In 2019 YouTube Queue extension was compromised with malicious code after it was sold to new developer .

As we can see, malicious browser extensions can be found not only on GitHub-like websites, but in official marketplaces like Chrome Web Store too. After installation of extension from store, it will be auto-updated with every new version, in the same time one of updates can include malicious code. So to say this will bypass defending techniques

Toolkit for Analyzing Browser Plugins

For this purpose there are some open source tools, which can help to analyze the source code of extension:

https://github.com/Tuhinshubhra/ExtAnalysis
https://github.com/ElevenPaths/neto

In order to analyze browser extension without installation , you may require a third party tool to do so . The below website help in downloading the extension from respective sore Google / Firefox

https://crxcavator.io/

=> Following is a non-exhaustive list of analyst approach towards browser extension ;

  • Manifest analysis.
  • Internal file hashing.
  • Entities extraction using regular expressions: IPv4, email, cryptocurrency addresses, URL, etc.
  • Comments extraction from HTML, CSS and JS files.
  • Cryptojacking detection engine based on known mining domains and expressions.
  • Suspicious JavaScript code detection such as eval().
  • Certificate analysis if provided.
  • Batch analysis of previously downloaded extensions.

Dissecting Browser Extensions from Archive to Source Code ;

Before analyzing browser extension , we shall have a quick understanding of file types and file formats along with architectures ;

First its worth noting that ;

When an extension is created and signed by Google, it will be given a unique ID that becomes associated with the extension.

These unique IDs are 32 characters long, such as jifpbeccnghkjeaalbbjmodiffertghyu, To find out which is the extension ID for the Chrome extension .

In the browser URL tab ; chrome://system/

Manifest analysis

  • Every extension has a Field summary called Manifest.json which describe the function and basic info about the usage of browser extension

Every manifest must at least define “permissions” , “Resources “ and other directive for its functionality .

Noting screen shot below; browser action , content security policy and permissions all are indicators as of now that , the browser extension is suspicious ;

Internal file hashing : Scan hash in virus total or other scanning tools

[-] Architecture considering a WebEval is a living system which should be understood before taking a step towards file format and extension architecture

we will consider in general a glance at System Flow

An extension’s architecture will depend on its functionality, but many robust extensions will include multiple components:

Background script

The background script is the extension’s event handler; it contains listeners for browser events that are important to the extension. It lies dormant until an event is fired then performs the instructed logic. An effective background script is only loaded when it is needed and unloaded when it goes idle.

Usually , the definition for background is an evidence for our attention when it comes to malware analysis / investigation and looking for artifacts .

Entities extraction IPv4, email, URL, etc.

  • Crawling around files to find indicator of compromise or malicious URL used by threat actor for command and control

Inspecting source code from HTML, CSS and JS files.

Understating the logic will determine if the extension is benign or malicious

However, noting the script can be modified at any moment on server side and became harmful.

The progression of Malicious Code Delivery

in attachment GitHub Repo link ,you can find source code of auto Refresh extension, which was tagged as malicious. In addition, there is Reddit post when this extension was removed from Chrome Web Store: https://www.reddit.com/r/chrome/comments/gg2nii/auto_refresh_extension_now_malware/.

As you can see in “background.js” file, this extension downloads and executes JS script from remote website hXXps://static.trckingbyte[.]com/, which is not required for its functions. We found two versions of this script:

https://urlscan.io/responses/e1c1d2b0d2f45c9973ba4a3ef047b4e5e0a90d26f8bca51b74350851e5639652/

https://urlscan.io/responses/41aea411bb389efe06026ea152bac57f8958083fb54bfab34ebf0ca95cc34aac/

Does remove the plugin mean the system is safe again? Well , may or may not depending on the question ; wasn’t your computer already compromised ?

Three Web Attack Vectors Target the Browser

Three web attack vectors seem to be responsible for the majority of computer attacks that involve a web browser:

  • The attack can incorporate an element of social engineering to persuade the victim to take an action that compromises security.
  • The attacker can use the browser as a gateway for attacking web applications via techniques such as cross-site scripting (XSS), Cross-Site Request Forgery (CSRF) and Clickjacking.
  • The attacker can exploit a vulnerability in the web browser or in local software add-in

Trends and Lessons for Fighting Malicious Extensions

  • Chrome now automatically blocks all extensions not present in the store from installation unless the following flag is set –enable-easy-off-store-extension-install
  • Best Prevention is Safe Browsing ; Following are the few steps which can help us in safe browsing:
  • Install extensions only from official Web stores. Users should avoid extension installing by clicking on any links or downloading any files they receive via email unless they are absolutely certain that the sender is legitimate.
  • Limit on extensions installation. More browser extension can actually degrade computer performance and also open door for harmful activities to outside world.
  • Review the permissions carefully that the extensions ask for running. Do think twice before installing the extension or granting any permission post installation. If you see any inconsistency between required permissions and the functionality, should raise a flag and better not to install that extension.
  • new permission if there is a change in the extension,
  • Inspect Network Activity In Chrome DevTools. Any network traffic with an unusual URL is probably malicious. Also, avoid the extensions that communicates non-https URLs.

despite the symbolism of new beginnings that come with each new year, in the world of digital privacy, we’re still dealing with many of the same battles being fought around privacy as it has always been.

In conclusion, Over the past years, we have been analyzing and processing a lot of malicious samples. Yet, researcher expose wide-spread efforts by criminals to abuse the Chrome Web Store as a platform for distributing malicious extensions. A central component of our study is the design and implementation of WebEval, the first system that broadly identifies malicious extensions with a concrete, measurable detection rate of 96.5%. Over the last three years we detected 9,523 malicious extensions: nearly 10% of every extension submitted to the store. Despite a short window of operation — we removed 50% of malware within 25 minutes of creation — a handful of under 100 extensions escaped immediate detection and infected over 50 million Chrome users. Our results highlight that the extension abuse ecosystem is drastically different from malicious binaries: miscreants profit from web traffic and user tracking rather than email spam or banking theft that ported 50% of malware within 25 minutes of creation — a handful of under 100 malicious extensions distributed via binary payloads were able to infect nearly 50 million users before removal. We distill these observations into a number of key challenges facing app marketplaces that extend beyond just the Chrome Web Store.

In summary,;

• I present a comprehensive view of how malicious extensions in the Chrome Web Store

•A detail the design and implementation of our security framework that combines dynamic analysis, static analysis, and reputation tracking to detect 96.5% of all known malicious extensions.

• also highlighted the importance of human experts for reverse engineering

  • explore the virulent impact of malicious extensions.

References

https://blog.sucuri.net/2014/10/threat-introduced-via-browser-extensions.html
https://z3r0trust.medium.com/sunburst-malware-used-digital-steganography-4ece0040bcaa
https://www.phishfort.com/blog/chrome-extension-phishing.
https://twitter.com/sniko_/status/1235345036382003206,
https://securitywithsam.com/2019/07/dataspii-leak-via-browser-extensions/.
(https://www.zdnet.com/article/mega-nz-chrome-extension-caught-stealing-passwords-cryptocurrency-private-keys/
(https://business.blogthinkbig.com/chrome-extension-card-cybersecurity/).
(https://www.reddit.com/r/chrome/comments/bxxi17/youtube_queue_extension_malware/).
https://developer.chrome.com/docs/extensions/mv2/architecture-overview/
https://securitywithsam.com/2019/07/dataspii-leak-via-browser-extensions/
https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
https://docs.google.com/document/d/1vljnTtEHzJMAcjPO46GPJj5ohGKXH8vXBIj-SX2QY30/preview