CSP-CERT® Security Advisory:
Malicious Chrome Extension

by CSP-CERT® Research Science
posted December 2017

On December 21, 2017, we noticed malicious behavior on Facebook: some users received unsolicited messages and posts containing a zip file. Our first analysis described what happens when that file is downloaded and opened on a device.

This follow-up analysis covers the cryptominer that the spam campaign installs. The malicious file runs a script that adds an extension to the victim's Chrome browser; from the extension's configuration file, our researchers identified how the extension behaves once it is installed.


Figure 1.0 A Preview of the Behavior of the miner

The miner uses the CryptoNight proof-of-work algorithm, which is designed for CPU mining (it is the algorithm used by Monero) and is the same algorithm that many popular web-based cryptominers run.


Figure 2.0 A preview in Chrome Extension Config File

DISTRIBUTION ON FACEBOOK


According to Cyren Security Labs, the malware is delivered in the following steps.


Figure 3.0 The cryptominer archive is retrieved from the threat actor's server and uploaded to Facebook's servers under a randomly generated file name

Figure 4.0 A message carrying the link to that upload is sent to every account on the victim's friends list

THE EXTENSION


The cryptominer is distributed through an ongoing online campaign, and its configuration file looks like the following:


Figure 5.0 A Preview in configuration file

The configuration file is hosted at (URL defanged): hXXp://plugin.asesik.redep[.]bid/config

We wrote a simple script to monitor the server that generates the random URLs used in the campaign. Visit this link to see the list of URLs collected so far.
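The following triage script is an added example written for this advisory, not CSP-CERT's monitoring script and not code from the extension. It walks a Chrome profile's Extensions directory (on Windows %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions, on Linux ~/.config/google-chrome/Default/Extensions), reads each manifest.json, and scans the extension's files for generic miner indicators and for the campaign's configuration domain quoted above. The indicator patterns and the risky-permission list are assumed heuristics, the sample extension tree is constructed for the demo, and the only real IOC is the defanged config domain from this advisory.

```python
"""Triage script: find a CryptoNight-mining Chrome extension on a host.

Added example for the advisory (not CSP-CERT's code).  Walks
<Extensions>/<extension id>/<version>/manifest.json, checks permissions and
scans scripts for miner indicators and the campaign config domain.
"""
import json
import os
import re
import tempfile

# Defanged domain from the advisory; refanged only inside this script.
CAMPAIGN_DOMAINS = ["plugin.asesik.redep[.]bid"]

# Assumed heuristics: the proof-of-work name, the Stratum mining protocol
# scheme, and pool/hash-rate vocabulary shared by browser miners.
MINER_PATTERNS = [r"cryptonight", r"stratum\+tcp://", r"\bhashrate\b", r"mining\.submit"]

# Permissions that a miner/spammer combination abuses (assumed list).
RISKY_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking", "tabs"}


def refang(domain):
    return domain.replace("[.]", ".")


def scan_script(text):
    """Return the indicators found in one file's text (empty list if clean)."""
    hits = [p for p in MINER_PATTERNS if re.search(p, text, re.IGNORECASE)]
    hits += ["config domain " + d for d in CAMPAIGN_DOMAINS if refang(d) in text]
    return hits


def scan_extension(ext_dir):
    """Scan one unpacked extension directory (the one holding manifest.json)."""
    finding = {"path": ext_dir, "name": None, "permissions": [], "indicators": []}
    try:
        with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8-sig") as fh:
            manifest = json.load(fh)
    except (OSError, ValueError):
        return finding  # unreadable manifest: report the path, nothing else
    finding["name"] = manifest.get("name")
    finding["permissions"] = sorted(set(manifest.get("permissions", [])) & RISKY_PERMISSIONS)
    for root, _dirs, files in os.walk(ext_dir):
        for fn in files:
            if fn.endswith((".js", ".json", ".html", ".wasm")):
                with open(os.path.join(root, fn), encoding="utf-8", errors="ignore") as fh:
                    finding["indicators"] += [fn + ": " + h for h in scan_script(fh.read())]
    return finding


def scan_extensions_dir(extensions_root):
    """Return findings for every extension whose files contain an indicator."""
    suspicious = []
    for ext_id in sorted(os.listdir(extensions_root)):
        id_dir = os.path.join(extensions_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            vdir = os.path.join(id_dir, version)
            if os.path.isfile(os.path.join(vdir, "manifest.json")):
                finding = scan_extension(vdir)
                finding["id"] = ext_id
                if finding["indicators"]:
                    suspicious.append(finding)
    return suspicious


def build_sample_tree():
    """Constructed sample: one benign extension and one miner-like extension."""
    root = tempfile.mkdtemp(prefix="chrome-ext-")
    benign = os.path.join(root, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.0_0")
    miner = os.path.join(root, "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "2.3_0")
    os.makedirs(benign)
    os.makedirs(miner)
    with open(os.path.join(benign, "manifest.json"), "w") as fh:
        json.dump({"name": "Notes", "manifest_version": 2, "permissions": ["storage"]}, fh)
    with open(os.path.join(benign, "bg.js"), "w") as fh:
        fh.write("chrome.storage.local.set({ok: true});\n")
    with open(os.path.join(miner, "manifest.json"), "w") as fh:
        json.dump({"name": "Helper", "manifest_version": 2,
                   "permissions": ["<all_urls>", "tabs", "storage"]}, fh)
    with open(os.path.join(miner, "worker.js"), "w") as fh:
        # Constructed worker text; the refanged advisory domain is embedded so
        # the scan can demonstrate a config-domain hit.
        fh.write("var cfg = 'http://plugin.asesik.redep.bid/config';\n"
                 "var job = {algo: 'cryptonight', hashrate: 0};\n")
    return root


if __name__ == "__main__":
    for f in scan_extensions_dir(build_sample_tree()):
        print(f["id"], f["name"], f["permissions"], f["indicators"])
```

Point scan_extensions_dir() at the real Extensions directory of each Chrome profile on a suspect host; an extension that hits the config domain should be removed and its extension ID and version directory preserved for the incident record. Permission hits alone are only context, since many legitimate extensions request <all_urls> or tabs.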


PREVENTION AND MITIGATION


To keep your systems from being compromised and your employees from reaching this malicious link, block the IPs and domains associated with the campaign (at the proxy, DNS and firewall), remove the extension from any affected browser, and DO NOT download or open suspicious links or attachments.


Thanks for reading the article!


Regards!