
Google Doppelganger & Malicious Chrome Extension

A common tactic for black hat adversaries is to trick users into thinking the domain they are visiting is operated by a legitimate and trusted entity, such as Google, Facebook, Yahoo, Apple, etc. One strategy is to use a domain name that closely resembles the legitimate one for the organization. We call these domains “doppelganger domains” for their strikingly similar appearance to those of trusted entities. As one might expect, these doppelganger domains cannot, and should not, be trusted. They range from sites that look legitimate and attempt to harvest credentials, to sites that cause a series of redirects hoping to trick users into downloading malware. We are going to dive into the latter case.

Technical Details

Malicious actors have a knack for convincing users to download their software. In today’s day and age that takes the form of browser extensions. Many of them, such as the one we examine here, are advertised as useful tools – converting file types, applying coupons, price-checking items, managing tabs, etc. In a world where time is money and our society pushes for things to be done more efficiently than ever, these browser extensions are quite enticing. Does the phrase “Trojan horse” ring a bell?

We recently encountered a situation while hunting in a customer environment. A user appeared to have accidentally mistyped “Google” when starting up a new browser session. The screenshots below depict the attack sequence, starting with the initial DNS request and ending with the download of the malicious Chrome extension. There were a total of four redirects, each one to a malicious domain (including, as you can see, some Google doppelganger domains), that occurred in a matter of a second – something a user might’ve missed had he/she not been paying close attention. The end result of this redirect chain is the download of a malicious Chrome extension.

Figure 1: Screenshot of the Attack Map (sanitized)
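A mistyped brand name like the one that started this chain can be flagged in DNS query logs by measuring edit distance against the brands you care about. The following is an added example, not code from the original post or from Awake; the trusted list, the distance threshold, and the sample query names (constructed, on reserved TLDs) are assumptions, and label handling is deliberately naive (no public suffix list).

```python
# Trusted domains taken from the brands the post names; extend for your environment.
TRUSTED = {"google.com", "facebook.com", "yahoo.com", "apple.com"}
BRANDS = sorted(d.split(".")[0] for d in TRUSTED)


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # typo-style swap
    return d[len(a)][len(b)]


def classify(qname, max_dist=1):
    """Return (name, brand, distance) for a lookalike query name, else None."""
    name = qname.lower().rstrip(".")
    if any(name == t or name.endswith("." + t) for t in TRUSTED):
        return None  # the real domain or one of its subdomains
    # Check every label except the TLD, so a brand used as a subdomain of an
    # unrelated domain (distance 0) is caught as well as near-miss spellings.
    for label in name.split(".")[:-1]:
        for brand in BRANDS:
            dist = osa_distance(label, brand)
            if dist <= max_dist:
                return (name, brand, dist)
    return None


def hunt(queries):
    """Filter a list of DNS query names down to the lookalike hits."""
    return [hit for q in queries if (hit := classify(q))]


# Constructed sample query names; .example and .test are reserved TLDs.
SAMPLE_QUERIES = ["www.google.com", "gooogle.example", "googel.test",
                  "google.com.login.example", "docs.example.org"]

if __name__ == "__main__":
    for name, brand, dist in hunt(SAMPLE_QUERIES):
        print(f"{name}: resembles {brand} (distance {dist})")
```

Short brand names produce false positives at distance 1 (for example, a label one letter away from "apple"), so treat hits as leads to review alongside the redirect behaviour rather than as verdicts.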

This extension is aimed at converting files within the browser and therefore has the ability to read and write data within the browser. It takes advantage of its ability to read data in the browser to monitor everything that the user does – Internet search queries, history, pages viewed, pages visited, time spent on pages, files downloaded, email, etc. Furthermore, the extension takes advantage of its ability to write data in the browser by modifying the browser’s homepage, default search engine, and new tab URL, and by causing redirects while users are going about their business online. As if this were not bad enough already, the extension will also track system-related information such as the IP address of the machine, geolocation in the form of longitude and latitude degrees (close enough to pinpoint a specific cul-de-sac in a neighborhood, as we found in our analysis), continent, country, state, time zone, postal code, network speed, ISP, associated organization, browser version, operating system type, version, and … you get the point. The information collected is then sent out of the network in an HTTP POST request. One can only assume this data is collected, logged and then likely sold repeatedly to anyone willing to pay.

Figure 2: User prompt to download and install the chrome extension

This plethora of user and system data collected is a perfect starting point for planning and executing a sophisticated attack against an individual and/or firm. Knowing what a user does online – what they search, view, access, save, etc. – allows a malicious actor to craft a very targeted and convincing phishing email. Additionally, a malicious actor could use the system related information – operating system, operating system version, browser, browser version, etc. – to customize further attacks to take advantage of a particular vulnerability in the hardware or software being used. Another very plausible takeaway here is that the extension could be acting as a keylogger and stealing users’ credentials among other data. What’s easier than stealing credentials and logging in (which may send an alert via text or email that a login is happening from a new IP address)? Stealing cookies! When a user logs in to a website, the site often returns a cookie that identifies the user account and confirms that he/she has successfully logged into the site. When a user interacts with the site, it will use that cookie as confirmation that he/she is a logged-in user. Therefore, if an attacker steals this cookie and then injects it into his/her own browser, they can effectively be logged in as that user without ever entering credentials. In other words, they just stole a session.

Some of you may be reading this and thinking, “So they track what I do online – big deal, I have nothing to hide or protect in the browser.” The reality these days is much different. More and more businesses are adopting technologies such as Office 365, Salesforce, Dropbox and others like them, where all you need is a browser to access your business documents, spreadsheets, slide decks, customer lists, revenue details, etc. As businesses continue to move forward with browser-based technologies, the emphasis on protecting the browser needs to rise in tandem. The problem is that many security technologies out there today are not looking for browser-based threats or man-in-the-browser attacks. In fact, I would argue they can’t. Endpoint Detection & Response (EDR) tools do not catch these threats because, typically, there are no executables dropped onto the system. In working with even sophisticated customers with best-in-class security tools, we often uncover such malicious Chrome extensions, and when we report on them, the customer is often surprised. This leaves the door wide open for adversaries. They know it, and they are actively exploiting it on a massive scale.

It is also worth mentioning that this extension (bmganiiidiojeemcdkhjbgpeoneoddah) has been linked to several other extensions that are also classified as browser hijackers. They all have the same goal – track users’ movements online, redirect them to nefarious sites, hijack new searches, change browser settings, etc. Many of them are still available on the Google store, just as this Best File Converter is. Google has been notified that this extension exhibits malicious behavior.

Detecting and Investigating the Threat

By sitting at the network level, Network Traffic Analysis (NTA) and Network Detection & Response (NDR) solutions such as Awake can easily analyze connections going in and out of the network to determine mal-intent, which has proven time and time again to be an excellent complement to endpoint tools. Awake Security has adversarial models that automatically detect Chrome extensions, especially those of the unregistered variety engaging in suspect activity. These detections are placed in the context of other suspect activities both in a timeline view per device as shown below and as a Situation describing the attack sequence.

Here is another example of an adversarial model in the Awake Security Platform:

When the team discovers a rogue extension like this, unfortunately, it’s not like that’s the end of their work effort. In many ways, that’s when the work begins. The team must investigate and determine a few things, such as:

  • How long was the browser extension on the systems?
  • What does the extension really do?
  • Who logged into the system while the extension was installed?
  • What data was stolen?
  • How many other instances of the extension are in the network?

Again, Awake makes this easy. As the screenshot below shows, finding the 138 other devices with this same extension (noted in the first screenshot above) is a breeze. Without this kind of capability, we find customers struggle to answer some of the investigation questions above and are left to “hunt” for this data, something that can be both tedious and laborious.

Pivoting on the 138 yields:

Remediation

If just one user has a malicious Chrome extension, the problem is rather small and easy to remediate, especially if the infection is contained within the browser. For these cases, one can navigate to the browser settings -> more tools -> extensions and see the list of installed browser extensions.
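The same extension list can be read straight off disk, which is useful when the check has to be repeated on many machines. The following is an added example, not code from the original post or from Awake: it walks a Chrome user-data directory, matches the extension ID named above, and flags manifests that declare settings or new-tab overrides or broad permissions. The permission list and the default Linux path are assumptions chosen for illustration.

```python
import json
import sys
from pathlib import Path

# Extension ID named in this post; extend with IDs from your own intel.
KNOWN_BAD_IDS = {"bmganiiidiojeemcdkhjbgpeoneoddah"}
# Manifest keys that let an extension replace the homepage, search engine,
# startup pages (chrome_settings_overrides) or new tab page (chrome_url_overrides).
OVERRIDE_KEYS = ("chrome_settings_overrides", "chrome_url_overrides")
# Permissions that expose browsing activity or sessions (illustrative list).
BROAD_PERMS = {"<all_urls>", "history", "tabs", "cookies", "webRequest", "downloads"}
ALL_HOSTS = ("*://*/", "http://*/", "https://*/")


def audit_user_data(user_data_dir):
    """Return one finding per extension version under a Chrome user-data dir."""
    findings = []
    # Layout: <user data>/<profile>/Extensions/<id>/<version>/manifest.json
    pattern = "*/Extensions/*/*/manifest.json"
    for path in sorted(Path(user_data_dir).glob(pattern)):
        profile, ext_id, version = path.parts[-5], path.parts[-3], path.parts[-2]
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            manifest = None
        if not isinstance(manifest, dict):
            manifest = {}  # unreadable manifest: still report the ID
        perms = set()
        for key in ("permissions", "host_permissions", "optional_permissions"):
            value = manifest.get(key)
            if isinstance(value, list):
                perms.update(p for p in value if isinstance(p, str))
        reasons = ["known-bad id"] if ext_id in KNOWN_BAD_IDS else []
        reasons += ["overrides " + k for k in OVERRIDE_KEYS if k in manifest]
        risky = sorted(p for p in perms if p in BROAD_PERMS or p.startswith(ALL_HOSTS))
        if risky:
            reasons.append("broad permissions: " + ", ".join(risky))
        findings.append({"profile": profile, "id": ext_id, "version": version,
                         "name": manifest.get("name", "?"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Default is the Linux location; pass another user-data dir as argv[1].
    root = sys.argv[1] if len(sys.argv) > 1 else Path.home() / ".config/google-chrome"
    for f in audit_user_data(root):
        if f["reasons"]:
            print(f["profile"], f["id"], f["name"], "; ".join(f["reasons"]))
```

On Windows the user-data directory is `%LOCALAPPDATA%\Google\Chrome\User Data`, and on macOS it is `~/Library/Application Support/Google/Chrome`.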

However, this is not always the case. Many times extensions will download additional malware which may not be browser-based. In these cases, a full computer scan is warranted.

Then there is the situation where dozens, or even hundreds, of these extensions are on the network, or where the extension is found on a sensitive user’s system. This poses a serious issue for the security team that can be difficult to manage without the ability to quickly identify the full impact of the attack, something Awake automatically computes for you.

Eric Poynton

Lead Network Threat Hunter