Originally created to extend a browser’s functionality, browser extensions have become yet another tool for cybercriminals’ schemes. Earlier this year, Google addressed the issue of malicious browser extensions by enforcing a policy that only allows extensions to be installed if they are hosted in the Chrome Web Store.
While this policy provides more security for users, it hasn’t completely deterred cybercriminals from attempting to bypass it. We recently came across malware that manages to install an extension in Google Chrome despite this policy.
“Facebook Secrets” on Twitter
We came across one particular post on Twitter that advertises “Facebook Secrets,” along with a shortened link. Clicking the link leads the user to a site that automatically downloads an .EXE file onto the user’s system.
Figure 1. Tweet with malicious link
This downloaded file, download-video.exe, is actually downloader malware, which we detect as TROJ_DLOADE.DND. It starts a chain of further files being downloaded onto and dropped into the system. To avoid suspicion, these files use legitimate-sounding file names such as flash.exe.
Installing Browser Extensions
Aside from the downloaded and dropped files, a browser extension is also installed on the system. It pretends to be a Flash Player extension.
Figure 2. Fake Flash Player extension
To bypass Google’s security policy, the malware creates a folder in Google Chrome’s directory and drops the browser extension’s components there:
- manifest.json – contains the browser extension description (name, script to load, version, etc.)
- crx-to-exe-convert.txt – contains the script to be loaded, which can be updated at any time by connecting to a specific URL
The browser then parses the information in the dropped manifest.json, which is what makes the extension work.
Figure 3. Extension folder before the malware performs its routine
Figure 4. The created folder and dropped extension components
Should the user open Facebook or Twitter, the extension opens a specific site in the background. The site is written in Turkish and phrases such as “bitter words,” “heavy lyrics,” “meaningful lyrics,” “love messages,” and “love lyrics” appear on the page. This routine could be a part of a click fraud or redirection scheme.
Figure 5. Turkish site
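As an added example (not code from the original post or from Trend Micro), the following script walks a Chrome Extensions directory and flags manifests showing the traits described above. Its heuristics are assumptions: a manifest lacking the Chrome Web Store update_url was sideloaded or unpacked, a script referenced from a non-.js file (like the crx-to-exe-convert.txt above) is unusual, and content scripts matching facebook.com or twitter.com mirror the trigger described in the post.

```python
"""Scan Chrome extension folders for manifest.json files and flag the traits the
post describes: no Web Store update_url, a script loaded from a non-.js file, and
content scripts injected on facebook.com / twitter.com (heuristics, assumed)."""
import json
import sys
from pathlib import Path

# Chrome writes this update_url into the manifest of every Web Store install.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
SOCIAL_DOMAINS = ("facebook.com", "twitter.com")

def analyze_manifest(manifest):
    """Return a list of human-readable findings for one parsed manifest dict."""
    findings = []
    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        findings.append("no Chrome Web Store update_url (sideloaded or unpacked)")
    scripts = []
    for cs in manifest.get("content_scripts", []):
        scripts.extend(cs.get("js", []))
        hits = sorted({d for m in cs.get("matches", []) for d in SOCIAL_DOMAINS if d in m})
        if hits:
            findings.append("content script injected on " + ", ".join(hits))
    background = manifest.get("background", {})
    scripts.extend(background.get("scripts", []))  # MV2 background scripts
    if "service_worker" in background:             # MV3 service worker
        scripts.append(background["service_worker"])
    for script in scripts:
        if not script.lower().endswith(".js"):
            findings.append("script loaded from non-.js file: " + script)
    return findings

def scan_extensions(root):
    """Walk an Extensions directory; map manifest path -> (extension name, findings)."""
    results = {}
    for path in Path(root).rglob("manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip it rather than abort the scan
        findings = analyze_manifest(manifest)
        if findings:
            results[str(path)] = (manifest.get("name", "<unnamed>"), findings)
    return results

if __name__ == "__main__":
    # Assumed default: Chrome's per-profile Extensions folder on Windows.
    root = sys.argv[1] if len(sys.argv) > 1 else (
        Path.home() / "AppData/Local/Google/Chrome/User Data/Default/Extensions")
    for path, (name, findings) in scan_extensions(root).items():
        print(f"{name}: {path}\n  - " + "\n  - ".join(findings))
```

Legitimate unpacked developer extensions will also trip the update_url heuristic, so treat the output as a triage list rather than a verdict.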
Social media has become a commonly used social engineering lure. However, its frequent use hasn’t made it any less effective. For example, the tweet had been retweeted more than 6,000 times when we came across it. This means that the scheme has been making the rounds on Twitter, casting a wide net of potential victims. We advise users to avoid clicking shortened links, especially those advertised on social media. Cybercriminals will do just about anything to convince users to click links.
We also advise users to install browser extensions only from official and reputable sources. While Chrome may have some security measures in place, the same cannot be guaranteed for other browsers.
With additional insights from Rhena Inocencio and Adrian Conferos.