The Internet’s New Arms Dealers: Malicious Domain Registrars

The Internet's New Arms Dealers: Malicious Domain Registrars reportThis report dives into the results of a multi-month investigation that uncovered a massive global surveillance campaign affecting millions of users. The campaign involved thousands of domains and hundreds of malicious Chrome extensions with all the activity tying back to single internet domain registrar: Gal Communication (CommuniGal) Ltd (GalComm).

This campaign and the Chrome extensions involved performed operations such as taking screenshots of the victim device, loading malware, reading the clipboard, and actively harvesting tokens and user input. Google has taken down these extensions following Awake’s disclosure. However, this campaign was able to avoid detection by state-of-the-art security tools through a number of evasion schemes.

Report highlights:

  • The attacker’s infrastructure including 15,160 malicious/suspicious domains and 111 malicious or fake Chrome extensions with approximately 33 million downloads
  • The connections between this campaign and a number of traditional malware families
  • How the attacker was able to avoid detection by sandboxes, endpoint detection and response (EDR) solutions, web proxies etc.
  • How Awake connected the dots to one domain registrar

malicious chrome extension activity