
The Internet’s New Arms Dealers: Malicious Domain Registrars

Discovery of a Massive, Criminal Surveillance Campaign

The Awake Security Threat Research Team has uncovered a massive global surveillance campaign that exploits the nature of Internet domain registration and browser capabilities to spy on and steal data from users across multiple geographies and industry segments. If anything, the severity of this threat is magnified by the fact that it is blatant and non-targeted—i.e. an equal-opportunity spying effort. The research shows that this criminal activity is being abetted by a single Internet domain registrar: CommuniGal Communication Ltd. (GalComm).

By exploiting the trust placed in it as a domain registrar, GalComm has enabled malicious activity that we have found across more than a hundred of the networks we examined. Furthermore, the malicious activity has stayed hidden by bypassing multiple layers of security controls, even in sophisticated organizations with significant investments in cybersecurity.


What Awake Security Found

  • Of the 26,079 reachable domains registered through GalComm, 15,160 domains, or almost 60%, are malicious or suspicious: hosting a variety of traditional malware and browser-based surveillance tools. Through a variety of evasion techniques, these domains have avoided being labeled as malicious by most security solutions and have thus allowed this campaign to go unnoticed. A tab-separated (TSV) list of these domains can be found here.
    Figure: Malicious domains uncovered as part of this campaign
  • In the past three months alone, we have harvested 111 malicious or fake Chrome extensions using GalComm domains for attacker command and control infrastructure and/or as loader pages for the extensions. These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc.
    Figure: Example of a lure to install a malicious Chrome extension
  • To date, there have been at least 32,962,951 downloads of these malicious extensions—and this only accounts for the extensions that were live in the Chrome Web Store as of May 2020. For context, very few extensions have been downloaded more than 10 million times. A TSV list of IDs for these malicious Chrome extensions can be found here. A second TSV list including the IDs and names of just those extensions that were in the Chrome Web Store is available here. Awake has since worked with Google to take down these extensions from the Chrome Web Store.
  • After analyzing more than 100 networks across financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government organizations, Awake discovered that the actors behind these activities have established a persistent foothold in almost every network.
    Figure: The intersection of malicious Chrome extensions and traditional malware

Impact – Why This Matters

Trust in the Internet and its infrastructure is critical. Exploiting key components of this infrastructure (domain registration, browsers, etc.) shakes the foundation of that trust and represents a risk to organizations and consumers alike. The research shows three critical areas of fragility in the Internet that are being exploited to passively but maliciously surveil users:

Domain Registrars

While these organizations are loosely governed by ICANN, there is very little active oversight. We believe registrars like GalComm can effectively function like cyber arms-dealers, providing a platform through which criminals and nation-states can deliver malicious sites, tools and extensions without consequences or oversight.

The “New Malware”

Browsers have replaced Windows, MacOS, etc. as the new operating system. Critical and popular applications like Microsoft 365, Google, Salesforce, Workday, Facebook, LinkedIn and Zoom live in our Internet browsers. Passively targeting these applications with malicious browser extensions is akin to the new attacker rootkit—giving the adversary virtually unfettered access to our business and personal online lives.

The Security Defenses that Failed

These campaigns have been ongoing for years while customers have deployed best-in-class security solutions. The research shows how the attackers attempted to evade detection, and in this case their TTPs appear to have hit a blind spot in many traditional approaches to security—e.g. reputation engines, sandboxes and endpoint detection and response solutions.

While this research focuses on unearthing the details of this massive hacking campaign, it also leads to some fundamental questions about the fragility of the Internet. CIOs, CISOs and security teams in enterprises around the world are subject to extraordinary levels of audit, oversight, and accountability across countless regulations. How is it that the same does not apply to organizations like registrars who, in many cases, can wield far more power to do harm?

What Can Security Teams Do

Enterprise security teams would do well to recognize that rogue browser extensions pose a significant risk, especially as more of our digital life is now conducted within the browser. Moreover, this threat bypasses a number of traditional security mechanisms, including endpoint security solutions, domain reputation engines, web proxies and cloud-based sandboxes. Security teams should therefore hunt on an ongoing basis for these tactics, techniques and procedures (TTPs) to compensate for those technological shortcomings.
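One concrete form that ongoing hunt can take is to run the two TSV lists the post links to against what an enterprise already collects: proxy or DNS logs (for the GalComm domains) and the extension directories of managed Chrome profiles (for the extension IDs). The script below is an added example written for this post, not Awake Security's tooling. The TSV contents, column names ("domain", "id"), extension IDs, host names and proxy log lines are constructed placeholders rather than values from the report, and the Chrome profile paths in the comments are stated as an assumption for illustration.

```python
"""Hunting helpers for a registrar-derived domain list and an extension-ID list.

Added example, not Awake Security's tooling. Every TSV row, extension ID,
host name and log line below is a constructed placeholder, not a value
from the report; the real lists are linked from the post.
"""
import csv
import io
import os
import re
from urllib.parse import urlsplit

# Constructed stand-in for the domain TSV (column name "domain" is an assumption).
DOMAIN_TSV = (
    "domain\tverdict\n"
    "example-lure.test\tsuspicious\n"
    "fake-ext-loader.test\tmalicious\n"
)

# Constructed stand-in for the extension-ID TSV. Chrome extension IDs are
# 32 characters drawn from a-p; these two are placeholders.
EXTENSION_TSV = (
    "id\tname\n"
    "abcdefghijklmnopabcdefghijklmnop\tPlaceholder Extension A\n"
    "ponmlkjihgfedcbaponmlkjihgfedcba\tPlaceholder Extension B\n"
)

# Constructed proxy log lines: timestamp, client IP, method, URL.
# The last line is a look-alike host that must NOT match (substring, not subdomain).
PROXY_LOG = [
    "2020-05-04T09:12:01Z 10.0.0.5 GET https://cdn.fake-ext-loader.test/loader.js",
    "2020-05-04T09:12:03Z 10.0.0.5 GET https://www.example.test/index.html",
    "2020-05-04T09:15:44Z 10.0.0.9 POST https://EXAMPLE-LURE.test:8443/collect",
    "2020-05-04T09:16:10Z 10.0.0.9 GET https://notexample-lure.test/",
]

EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")


def load_tsv_column(tsv_text, column):
    """Return the lower-cased, non-empty values of one column of a TSV with a header row."""
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    return {row[column].strip().lower() for row in reader if row.get(column)}


def matched_domain(hostname, blocklist):
    """Return the blocklisted domain that hostname equals or is a subdomain of, else None."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def hunt_proxy_log(lines, blocklist):
    """Return (timestamp, client, hostname, matched_domain) for every log line that hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the hunt
        ts, client, _method, url = parts[:4]
        host = urlsplit(url).hostname  # drops the port and lower-cases the host
        if not host:
            continue
        match = matched_domain(host, blocklist)
        if match:
            hits.append((ts, client, host, match))
    return hits


def installed_extension_ids(profile_dir):
    """IDs of extensions installed under one Chrome profile directory.

    Assumption for illustration: Chrome keeps one sub-directory per extension,
    named by its ID, under <profile>/Extensions (e.g. on Windows
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default, on Linux
    ~/.config/google-chrome/Default).
    """
    ext_dir = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_dir):
        return set()
    return {name for name in os.listdir(ext_dir) if EXTENSION_ID_RE.match(name)}


def flagged_extensions(installed_ids, blocklist):
    """Return, sorted, the installed extension IDs that appear on the blocklist."""
    return sorted(i for i in installed_ids if EXTENSION_ID_RE.match(i) and i in blocklist)


if __name__ == "__main__":
    domains = load_tsv_column(DOMAIN_TSV, "domain")
    for hit in hunt_proxy_log(PROXY_LOG, domains):
        print("proxy hit:", hit)
    ext_ids = load_tsv_column(EXTENSION_TSV, "id")
    installed = {"abcdefghijklmnopabcdefghijklmnop", "b" * 32}  # constructed inventory
    print("flagged extensions:", flagged_extensions(installed, ext_ids))
```

The domain check walks up the label hierarchy so that a loader fetched from a subdomain (cdn.fake-ext-loader.test) still hits, while a look-alike registered under a different name (notexample-lure.test) does not; matching by substring would produce the opposite, and noisy, result. Feeding the real TSV lists in place of the constructed strings and pointing the extension enumeration at each managed profile turns this into a scheduled hunt rather than a one-off query.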

Need immediate assistance? The Awake Labs incident response team can quickly determine the impact and help you respond accordingly; visit https://awakesecurity.com/resolve-an-incident/.

Next Steps


Download the Complete Report

Register for the Webinar


Gary Golomb

Co-Founder & Chief Scientist