

Chances are you are reading this blog post using your web browser. Chances also are that your web browser has various extensions that provide additional functionality. We usually trust that extensions installed from the official browser stores are safe. But, as we recently found, that is not always the case.

This blog post brings more technical details on CacheFlow, a threat that we first reported on in December 2020. We described a huge campaign composed of dozens of malicious Chrome and Edge browser extensions with more than three million installations in total.

CacheFlow was notable in particular for the way the malicious extensions tried to hide their command and control traffic in a covert channel: the Cache-Control HTTP header of their analytics requests. We believe the authors tried to solve two problems, command and control and collecting analytics, with one solution. In addition, it appears to us that the Google Analytics-style traffic was added not just to hide the malicious commands, but because the extension authors were also interested in the analytics data themselves.

We alerted both Google and Microsoft about the presence of these malicious extensions on their respective extension stores and are happy to announce that both companies have since taken all of them down, as of December 18, 2020.

Distribution of Avast users that installed one of the malicious extensions

We initially learned about this campaign by reading a Czech blog post by Edvard Rejthar from CZ.NIC. He discovered that the Chrome extension “Video Downloader for FaceBook™” (ID pfnmibjifkhhblmdmaocfohebdpfppkf) was stealthily loading an obfuscated piece of JavaScript that had nothing to do with the extension’s advertised functionality. Continuing from his findings, we managed to find many other extensions that were doing the same thing. These other extensions offered various legitimate functionality, with many of them being video downloaders for popular social media platforms.

After reverse engineering the obfuscated JavaScript, we found that the main malicious payload delivered by these extensions was responsible for malicious browser redirects. Not only that, but the cybercriminals were also collecting quite a lot of data about the users of the malicious extensions, such as all of their search engine queries or information about everything they clicked on. The extensions exhibited quite a high level of sneakiness by employing many tricks to lower the chances of detection. First of all, they avoided infecting users who were likely to be web developers. We found that CacheFlow would carry out its attack in the following sequence:
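To make the Cache-Control covert channel mentioned above concrete, here is an added illustration of how a command can ride inside that header and how a defender can spot it. This is example code written for this post, not CacheFlow's actual JavaScript: the encoding (a JSON command base64-encoded into a made-up `x-rev` extension directive), the direction (the header on the HTTP response to the analytics-style request) and the sample headers are all assumptions constructed for the example; the post does not describe the real scheme.

```javascript
// Added example, not CacheFlow's own code. Everything about the encoding
// (the "x-rev" directive name, base64-wrapped JSON) is an assumption for
// illustration; the post does not describe how CacheFlow packed its commands.

// Directives defined by RFC 9111, plus common extensions that real servers emit.
const KNOWN_DIRECTIVES = new Set([
  "max-age", "max-stale", "min-fresh", "no-cache", "no-store", "no-transform",
  "only-if-cached", "must-revalidate", "must-understand", "private",
  "proxy-revalidate", "public", "s-maxage", "immutable",
  "stale-while-revalidate", "stale-if-error",
]);

// Directives whose value must be a delta-seconds integer.
const DELTA_SECONDS = new Set([
  "max-age", "max-stale", "min-fresh", "s-maxage",
  "stale-while-revalidate", "stale-if-error",
]);

// Parse a Cache-Control field value into [{ name, value }] in order.
// Names are case-insensitive; values may be quoted strings.
function parseCacheControl(header) {
  return header.split(",")
    .map((tok) => tok.trim())
    .filter(Boolean)
    .map((tok) => {
      const eq = tok.indexOf("=");
      if (eq === -1) return { name: tok.toLowerCase(), value: null };
      let value = tok.slice(eq + 1).trim();
      if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
        value = value.slice(1, -1);
      }
      return { name: tok.slice(0, eq).trim().toLowerCase(), value };
    });
}

// Operator side (hypothetical): build a response header that looks like
// ordinary caching metadata but carries a command in an extension directive
// that browsers, proxies and most log pipelines silently ignore.
function hideCommand(command, maxAge = 3600) {
  const blob = Buffer.from(JSON.stringify(command), "utf8").toString("base64");
  return `public, max-age=${maxAge}, x-rev="${blob}"`;
}

// Implant side (hypothetical): recover the command from the response header.
// Returns null when the header carries no command, so benign responses are a no-op.
function extractCommand(header) {
  const d = parseCacheControl(header).find((x) => x.name === "x-rev");
  if (!d || !d.value) return null;
  try {
    return JSON.parse(Buffer.from(d.value, "base64").toString("utf8"));
  } catch {
    return null;
  }
}

// Defender side: Cache-Control is a tightly specified header, so anything
// outside the spec is worth flagging. Returns the suspicious directives with
// a reason each, or an empty array for a clean header.
function findCovertDirectives(header) {
  const suspicious = [];
  for (const d of parseCacheControl(header)) {
    if (!KNOWN_DIRECTIVES.has(d.name)) {
      suspicious.push({ ...d, reason: "unknown directive" });
    } else if (DELTA_SECONDS.has(d.name) && !/^\d{1,10}$/.test(d.value ?? "")) {
      suspicious.push({ ...d, reason: "non-numeric delta-seconds" });
    } else if (d.value !== null && d.value.length > 64) {
      suspicious.push({ ...d, reason: "oversized value" });
    }
  }
  return suspicious;
}

// Constructed sample response headers: two benign ones and one carrying a command.
const SAMPLE_HEADERS = [
  "public, max-age=31536000, immutable",
  'private, no-cache="Set-Cookie"',
  hideCommand({ redirect: "https://example.invalid/landing", ttl: 600 }),
];

function demo() {
  for (const h of SAMPLE_HEADERS) {
    console.log(h);
    console.log("  flagged:", findCovertDirectives(h).map((d) => `${d.name} (${d.reason})`));
    console.log("  command:", extractCommand(h));
  }
}
demo();
```

Run it with node. The detector leans on the fact that Cache-Control is a short, closed vocabulary: directive names come from a fixed list and the delta-seconds directives are plain integers, so an unknown directive, a non-numeric max-age or an unusually long value is worth logging even before you know what the payload means. Against a real campaign you would run the same check over the response headers of requests that extension origins send to analytics-looking endpoints, and treat any hit as a reason to pull the extension's code for review.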
