Affected web plugins had more than three million downloads combined

Data-stealing malware that hid undetected for years shows that even popular web browser extensions can be vulnerable to exploitation, security researchers from Avast Threat Labs have warned.

A blog post from Avast Threat Labs researchers contains technical details on how the malware, titled ‘CacheFlow’, went undetected for at least three years.

The malware in question, which was hidden in popular third-party web extensions, contained backdoors that downloaded and executed arbitrary JavaScript.

It attempted to steal personal information such as birth dates, email addresses, geolocations, and device activity taken from a victim’s Google account, before sending it back to the attacker’s control server.

CacheFlow also replaced links from Google, Bing, and other search engine queries with hijacked links serving phishing sites and advertisements.

“Anytime a user clicked on a link, the extensions sent information about the click to the attacker’s control server,” researcher Jan Vojtesek told The Daily Swig.

“This can optionally send a command to redirect the victim from the real link target to a new hijacked URL before redirecting them to the actual website they wanted to visit.”

Hidden danger

The malware was spread via dozens of malicious Chrome and Edge browser extensions that had an estimated combined three million downloads.

A number of the plugins were available on the browsers’ official stores.

Affected extensions included Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, and VK Unblock.

The blog post published yesterday (February 3) details how the attackers were able to go unnoticed by a victim before the campaign was discovered in December 2020.

Interestingly, the malware itself did not trigger until three days after the extension was downloaded to avoid immediate detection.

[Image: the various steps undertaken by the CacheFlow malware, courtesy of Avast Threat Labs]

It also avoided detection by assessing whether its victim would have the technical knowledge to spot it on their device.

“First of all, they avoided infecting users who were likely to be web developers,” Avast Threat Labs said.

“They determined this either through the extensions the user had installed or by checking if the user accessed locally-hosted websites.”

It adds: “When the malware detected that the browser developer tools were opened, it would immediately deactivate its malicious functionality.

“CacheFlow also checked every Google search query and if the user was googling for one of the malware’s command and control (C&C) domains, it reported this to its C&C server and could deactivate itself as well.”

CacheFlow was notable in particular for the way that the malicious extensions would try to hide their C&C traffic in a covert channel using the Cache-Control HTTP header of their analytics requests, noted researchers.

Researchers believe that the malicious authors were also interested in the analytics requests themselves.

Widespread problem

Avast Threat Labs researchers came across the campaign after Czech researcher Edvard Rejthar from CZ.NIC published this blog post.

On further inspection, the team found that “many other extensions were doing the same thing”.

Google Play reviews cited issues with extensions such as adware as far back as October 2017, leading the team to believe that CacheFlow has been active since at least that time.

Researchers said that the main risk to users is their personal information being exposed.

“Moreover, the extensions can download and execute arbitrary JavaScript with access to the browser extension API, even putting the victim’s payment card data at risk,” researcher Jan Rubin told The Daily Swig.

Google and Microsoft had both taken down all of the malicious plugins in their stores as of December 18, 2020.

It is unlikely that the actors will use the same malware since it is now easily detectable, the researchers said, adding that this campaign “has shown that even popular browser extensions installed from official browser stores can contain malware.

“It is suspicious if an extension requests a permission that is not needed for its advertised functionality.

“To lower the risk of being infected by a malicious extension, we recommend that users review carefully the permissions requested by the extensions they intend to install,” Rubin added.
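The permission review the researchers recommend can be automated for an extension you are about to install. The script below is an added example, not code from the article or from Avast; it parses a constructed Chrome manifest for a hypothetical single-site video downloader and flags broad permissions that such an extension would not need. The high-risk list and the allowlist are assumptions chosen for the example.

```python
import json

# Permissions that give an extension broad reach into browsing data or other
# extensions. Constructed for this example; the reasons are what the browser
# permission itself grants, not claims about CacheFlow.
HIGH_RISK = {
    "<all_urls>": "runs or reads on every site the user visits",
    "webRequest": "can observe all HTTP traffic the browser makes",
    "webRequestBlocking": "can block or redirect HTTP requests",
    "cookies": "can read session cookies for any granted host",
    "history": "can read the full browsing history",
    "management": "can enumerate other installed extensions",
    "tabs": "can read URLs and titles of open tabs",
    "scripting": "can inject script into pages it has host access to",
}


def collect_permissions(manifest: dict) -> set:
    """Gather every permission-like entry from an MV2 or MV3 manifest."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        perms |= set(cs.get("matches", []))
    return perms


def audit(manifest: dict, expected: set) -> list:
    """Return (permission, reason) pairs for high-risk permissions that the
    extension's advertised purpose does not justify."""
    findings = []
    for perm in sorted(collect_permissions(manifest)):
        if perm in HIGH_RISK and perm not in expected:
            findings.append((perm, HIGH_RISK[perm]))
    return findings


# Constructed manifest: a downloader for one site that asks for far more.
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Example Video Downloader",
  "permissions": ["downloads", "webRequest", "cookies", "management"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://example.invalid/*"], "js": ["cs.js"]}]
}
""")

# What a downloader for that one site legitimately needs (constructed allowlist).
DOWNLOADER_EXPECTED = {"downloads", "https://example.invalid/*"}

if __name__ == "__main__":
    for perm, reason in audit(SAMPLE_MANIFEST, DOWNLOADER_EXPECTED):
        print(f"SUSPICIOUS: {perm} - {reason}")
```

Each flagged entry is a question to ask before installing: why would a video downloader for one site need to read cookies, watch all traffic, or list the other extensions on the machine?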