Beware Of Malicious Chrome Extension That Delivers Weaponized ZIP Archive


Malicious Chrome extensions pose significant risks to users: they can compromise personal information, inject unwanted promotions, and manipulate web traffic.

Several such extensions have remained undetected for extended periods, largely because of inadequate moderation in the Chrome Web Store.


eSentire’s Threat Response Unit (TRU) researchers recently identified a malicious Chrome extension that delivers weaponized ZIP archives.

Malicious Chrome Extension

eSentire’s Threat Response Unit investigated the attack in August 2024. It involved two malicious components: the LummaC2 stealer and a malicious Google Chrome extension.

The attack began with a drive-by download of a malicious ZIP file named “x64x32installer___.zip”, which contains an MSI installer.


The MSI contacts a server at “get-license2[.]com” to obtain a password, which is then used to extract the malicious DLL, “rnp.dll”.

The DLL is loaded by DLL side-loading: “rnpkeys.exe”, a legitimate executable from the RNP OpenPGP toolset, is made to load the attacker’s “rnp.dll”. The malicious DLL carries the name of the library rnpkeys.exe expects to find, so placing it next to the executable is enough for the Windows DLL search order to pick it up.

Once loaded, the DLL deploys the LummaC2 stealer and runs a PowerShell command; together they retrieve and decrypt an additional payload from “two-root[.]com”.

The final stage installed a malicious Chrome extension named “Save to Google Drive”, which could interact with accounts on payment and cryptocurrency platforms such as Coinbase and Google Pay, as well as Facebook, eSentire added.

Malicious Chrome extension (Source – eSentire)

The extension could manipulate account balances, potentially execute transactions, and collect extensive system and browser information, including:

  • Hardware details
  • Installed extensions
  • Cookies
  • A unique device identifier

All gathered data was then transmitted to a command and control (C2) server.

The malicious behaviour is driven by a function named “getInjections”, which the extension uses to alter native browser functionality.

It also opens popups, largely concealed from the user’s view, to visit URLs such as payments.google, consent.youtube.com, accounts.google.com and adsmanager.facebook.com.

The extension targets webmail providers such as Outlook, Gmail and Yahoo Mail: configuration held in chrome.storage.local is injected into the mail pages and alters their content.

Because it can rewrite mail content, it is also positioned to intercept two-factor authentication codes delivered by e-mail.

It integrates CursedChrome, an implant that turns the compromised browser into an HTTP proxy so the attacker can browse as the victim, riding the victim’s authenticated sessions.

Besides this, it also sends tab screenshots to the C2 server with the help of the “makeScreenShot” function.
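The capabilities listed above each map to specific extension permissions, which is what an analyst checks first when triaging an unfamiliar extension. The Python below is an added example (not eSentire’s tooling) that reads a manifest and reports what it could do: the manifest it parses is constructed to grant what the described behaviour would require and is not the real manifest of “Save to Google Drive”, which the article does not reproduce. The permission descriptions follow the documented chrome.* APIs.

```python
"""Triage a Chrome extension manifest for the capabilities described above.

Added example: not eSentire's tooling. The manifest below is constructed to
grant what the described behaviour would require; it is not the real
manifest of the "Save to Google Drive" extension, which the article does not
reproduce. Permission descriptions follow the documented chrome.* APIs.
"""
import json
from typing import Set

# Permission -> what it lets the extension do.
RISKY_PERMISSIONS = {
    "cookies": "read and set cookies for granted hosts (chrome.cookies)",
    "management": "enumerate installed extensions (chrome.management.getAll)",
    "tabs": "read every tab's URL and title (chrome.tabs)",
    "scripting": "inject JavaScript/CSS into pages (chrome.scripting)",
    "storage": "persist operator configuration (chrome.storage.local)",
    "webRequest": "observe HTTP traffic (chrome.webRequest)",
    "declarativeNetRequest": "block or redirect requests",
    "proxy": "route browser traffic through an attacker proxy (chrome.proxy)",
    "debugger": "attach the DevTools protocol to tabs (chrome.debugger)",
    "system.cpu": "CPU fingerprinting (chrome.system.cpu.getInfo)",
    "system.memory": "memory fingerprinting (chrome.system.memory.getInfo)",
    "system.display": "display fingerprinting (chrome.system.display)",
}

# Webmail hosts named in the article (Gmail, Outlook, Yahoo Mail).
MAIL_HOSTS = ("mail.google.com", "outlook.live.com", "outlook.office.com", "mail.yahoo.com")


def host_patterns(manifest: dict) -> Set[str]:
    """Collect every host pattern: MV3 host_permissions, MV2-style host
    patterns mixed into permissions, and content_script match lists."""
    perms = manifest.get("permissions", [])
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    return hosts


def triage(manifest: dict) -> dict:
    perms = set(manifest.get("permissions", []))
    hosts = host_patterns(manifest)
    broad = "<all_urls>" in hosts or any(
        h.startswith(("*://*/", "http://*/", "https://*/")) for h in hosts)
    findings = {p: RISKY_PERMISSIONS[p] for p in sorted(perms & set(RISKY_PERMISSIONS))}
    # chrome.tabs.captureVisibleTab requires <all_urls> or activeTab.
    can_screenshot = "<all_urls>" in hosts or "activeTab" in perms
    mail_targets = sorted(h for h in hosts if any(m in h for m in MAIL_HOSTS))
    can_inject = bool(manifest.get("content_scripts")) or "scripting" in perms
    return {
        "manifest_version": manifest.get("manifest_version"),
        "risky_permissions": findings,
        "broad_host_access": broad,
        "can_screenshot_tabs": can_screenshot,
        "can_read_cookies": "cookies" in perms and bool(hosts),
        "can_enumerate_extensions": "management" in perms,
        "webmail_targets": mail_targets,
        "can_inject_into_webmail": can_inject and (broad or bool(mail_targets)),
        "score": len(findings) + (2 if broad else 0) + (1 if can_screenshot else 0),
    }


# Constructed manifest granting what the described behaviour would need.
SUSPECT_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Save to Google Drive",
  "permissions": ["cookies", "management", "tabs", "scripting", "storage",
                  "system.cpu", "system.memory"],
  "host_permissions": ["<all_urls>"],
  "background": {"service_worker": "bg.js"},
  "content_scripts": [{"matches": ["*://mail.google.com/*", "*://outlook.live.com/*",
                                   "*://mail.yahoo.com/*"], "js": ["inject.js"]}]
}""")

# Constructed low-risk manifest for comparison.
BENIGN_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Sticky Notes", "permissions": ["storage"]
}""")

if __name__ == "__main__":
    print(json.dumps(triage(SUSPECT_MANIFEST), indent=2))
```

The point of the comparison is that a real “save to Drive” helper has no reason to ask for management, cookies or system.* permissions, and no reason to run content scripts on webmail domains; those requests, not the extension’s name or icon, are what give it away.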

The C2 addresses are Base58-encoded and recovered from blockchain explorer URLs (mempool and blockchain APIs) queried for the Bitcoin address “bc1qvkvzfla6wrem2uf4ejkuja8yp3c6f3xf72kyc9”. With this dead-drop arrangement the operator can move C2 infrastructure by posting a new transaction rather than updating the extension.
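To show how such a resolver recovers a hostname, here is an added Python example (not code from eSentire or from the extension). The article says the C2 is Base58-encoded and fetched from explorer URLs for the address above, but not which transaction field carries it or how the bytes are laid out, so the example assumes one common layout: the operator pays a tiny amount to a Base58Check “address” whose 20-byte payload is the zero-padded hostname. The explorer response is constructed in the shape of mempool.space’s /api/address/<addr>/txs output; the hostnames come from the article’s IoC list, while the transaction ids, amounts and bystander address are invented.

```python
"""Recover a C2 hostname from blockchain dead-drop data.

Added example, not code from eSentire or from the extension. The article
does not specify the transaction field or byte layout; this assumes the
operator pays to a Base58Check address whose 20-byte payload is the
zero-padded hostname. The explorer JSON below is constructed in the shape
of mempool.space's /api/address/<addr>/txs response.
"""
import hashlib
import json
import re
from typing import List, Optional

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
WATCHED_ADDRESS = "bc1qvkvzfla6wrem2uf4ejkuja8yp3c6f3xf72kyc9"  # from the article
HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    # Each leading zero byte becomes a leading '1'.
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on non-Base58 input (e.g. bech32)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body


def _checksum(raw: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]


def b58check_encode(version: int, payload: bytes) -> str:
    raw = bytes([version]) + payload
    return b58encode(raw + _checksum(raw))


def b58check_decode(addr: str) -> Optional[bytes]:
    """Return the 20-byte payload of a valid Base58Check address, else None."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return None
    if len(raw) != 25 or _checksum(raw[:21]) != raw[21:]:
        return None
    return raw[1:21]


def payload_to_host(payload: bytes) -> Optional[str]:
    """A genuine hash160 is random bytes; an embedded hostname is printable ASCII."""
    try:
        text = payload.rstrip(b"\x00").decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if HOST_RE.fullmatch(text) else None


def resolve_c2(explorer_json: str, watched: str) -> List[str]:
    hosts: List[str] = []
    for tx in json.loads(explorer_json):
        # Anyone can pay *to* the watched address, so only transactions it
        # *spends from* are authenticated by the operator's key.
        spenders = {i.get("prevout", {}).get("scriptpubkey_address") for i in tx.get("vin", [])}
        if watched not in spenders:
            continue
        for out in tx.get("vout", []):
            addr = out.get("scriptpubkey_address")
            if not addr or addr == watched:
                continue
            payload = b58check_decode(addr)
            host = payload_to_host(payload) if payload else None
            if host and host not in hosts:
                hosts.append(host)
    return hosts


# Constructed fixture: hostnames from the article's IoCs, everything else invented.
DROP_ADDRESS = b58check_encode(0x00, b"two-root.com".ljust(20, b"\x00"))
CHANGE_ADDRESS = b58check_encode(0x00, hashlib.sha256(b"change").digest()[:20])
DECOY_ADDRESS = b58check_encode(0x00, b"true-lie.com".ljust(20, b"\x00"))

SAMPLE_EXPLORER_RESPONSE = json.dumps([
    {   # operator spends from the watched address; one output is the drop
        "txid": "aa" * 32,
        "vin": [{"prevout": {"scriptpubkey_address": WATCHED_ADDRESS, "value": 20000}}],
        "vout": [{"scriptpubkey_address": DROP_ADDRESS, "value": 546},
                 {"scriptpubkey_address": CHANGE_ADDRESS, "value": 19000}],
    },
    {   # third party merely pays the watched address; its decoy output is ignored
        "txid": "bb" * 32,
        "vin": [{"prevout": {"scriptpubkey_address": CHANGE_ADDRESS, "value": 5000}}],
        "vout": [{"scriptpubkey_address": WATCHED_ADDRESS, "value": 1000},
                 {"scriptpubkey_address": DECOY_ADDRESS, "value": 546}],
    },
])

if __name__ == "__main__":
    print(resolve_c2(SAMPLE_EXPLORER_RESPONSE, WATCHED_ADDRESS))
```

The same decode routine lets an analyst pull the address’s transaction history from a public explorer and recover every C2 the operator has ever published, which is why blockchain dead drops are also a liability for the attacker: the rotation history is permanent and public.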

In short, the chain runs through a loader that uses DLL side-loading to deploy both the LummaC2 stealer and the malicious extension.

eSentire’s 24/7 SOC team isolated the infected host and assisted with remediation.

Recommendations

eSentire’s recommendations are:

  • Secure devices with EDR solutions.
  • Provide phishing awareness training.
  • Educate on emerging threats.
  • Set script files to open in Notepad.
  • Prevent automatic script execution.

IoCs

C2s:

http://run-df[.]com/gAySB.php?cnv_id=false&value=1
http://hit-1488[.]com/test_gate0117.php?a=XyLGVaXA1cIfBjj&id=0
get-license2[.]com
publicitttyps[.]shop
true-lie[.]com
true-bottom[.]com
two-root[.]com
