# Malicious Chrome Browser Extension Exposed: ChromeBack Leverages Silent Extension Loading

**gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-**
loading/

GoSecure Titan Labs February 10, 2022

GoSecure Titan Labs received a malicious Chrome extension sample that we are calling
ChromeBack (a4424f32a10770b7e486a38823f166ff ) from GoSecure’s Titan Managed
Detection and Response (MDR) team. After creating a detection for GoSecure Titan
Endpoint Detection & Response (EDR) to ensure that we can identify this threat for our
clients, the GoSecure Titan Labs team is ready to spread the word and share how to address
this serious issue that some users are already experiencing. The potential impact of
ChromeBack is extensive, ranging from browser traffic hijacking and ad-redirection to
deactivation of other extensions and even the activation of developer mode without the
user’s knowledge.

## Analysis


-----

This browser extension was identified as it was being downloaded via a Base64-encoded
PowerShell command as displayed in Figure 1 below.

_Figure 1: Base64-Encoded Powershell Command_

The encoded script begins with hard-coded variables, including the domain hosting the
malware, ithconsukultin[.]com, and the location it will download its payload to,
_%LOCALAPPDATA%\chrome._

_Figure 2: Hard-coded Values_

Next, the script will use Test-Path to check for the %LOCALAPPDATA%\chrome path. If it
does not exist, the script will use wget to download the malicious Chrome extension from
hxxp://ithconsukultin[.]com/archive[.]zip?iver=2 to %LOCALAPPDATA%\chrome as
archive.zip. Expand-Archive is used to unpack the archive to %LOCALAPPDATA%\chrome
before deleting the archive.zip file using Remove-Item.


-----

_Figure 3: Downloading Extension_

If the %LOCALAPPDATA%\chrome path does exist, the script will check for a previously
installed version of itself by using Get-Content for the file
_%LOCALAPPDATA%\chrome\background.js, which is the main code of the malicious_
browser extension. The content of background.js will be split into an array and a base64encoded tracking id, and the domain used to serve advertisements will be stored and
checked against the result of a wget to hxxp://ithconsukultin[.]com/un?iver=2&did=<addomain>&ver=<tracking-id>.

If the ad domain from background.js matches the result, Unregister-ScheduledTask will be
called to remove a scheduled task named Chromeloader before recursively deleting the
_%LOCALAPPDATA%\chrome path and downloading the ChromeBack extension from the_
alternate URL hxxp://ithconsukultin[.]com/archive.zip?iver=2&did=<ad-domain>&ver=
<tracking-id>.


-----

_Figure 4: Removing Existing Version and Re-Downloading_

The final step of the script loads the downloaded ChromeBack extension into Chrome using
the `--load-extension argument. Get-Process will be invoked for Chrome and`
_.CloseMainWindow() will be used to close any running instances of Chrome. Once all_
instances are closed, a new instance of Chrome is called using start or Start-Process and
with the `--load-extension argument and the path to ChromeBack, as well as` `--`
```
restore-last-session, --noerrdialogs, and --disable-session-crashed-bubble .

```

-----

_Figure 5: Loading Extension with_ `--load-extension`

Further investigation of the `--load-extension argument has shown it as a lucrative`
infection vector for many Chromium-based browsers. By using `--load-extension, an`
unpacked Chrome extension can be loaded from local storage, providing a side-loading
vector for malicious extensions. Additionally, loading of unpacked extensions usually requires
the enabling of Developer Mode, which typically includes a visible user agreement prompt.
However, when `--load-extension is invoked, the user is not prompted or even notified`
that an unpacked extension has been loaded, and developer mode will appear as not
_enabled if someone checks. Microsoft Edge is the only browser among those we tested that_
provides the user a notification of the loaded extension. Chrome, Chromium, Opera, and
even security focused browsers such as Comodo Dragon and Avast Secure Browser leave
the user with no indication of any changes. Any JavaScript file with an accompanying
manifest file can be loaded as an extension in this way, allowing for a wide range of
malicious functionality to be added. A user’s shortcut to their browser could be modified with
the `--load-extension argument allowing malicious code to load each time the browser is`
launched to achieve persistence.

_Figure 6: Arbitrary JavaScript Loaded Without User Warning_


-----

_Figure 7: Developer Mode Appears Off_

_Figure 8: Microsoft Edge Warning Message_

The extension in question for ChromeBack consists of a manifest file, icon image, and a
heavily obfuscated JavaScript file, background.js (b02455ddbc78841c2e3087fab5a9f9b2).
Once installed, ChromeBack appears as Properties with ID
_andnkmffoleapmidfgnnjjoepadbiika and permissions for contextMenus, tabs, storage,_
_browsingData, webRequest, webRequestBlocking, privacy, alarms, management, ://*/*, and_
_chrome://*/*. The last two permissions in this list allow for web request control for any URL,_
allowing blocking or modification of any web request.


-----

_Figure 9: Installed Extension Information_


-----

_Figure 10: Permissions and Info from Manifest_

The main functionality of ChromeBack redirects search requests to Google, Yahoo, or Bing
through its own domain, tobepartou[.]com, as well as periodically serving its own
advertisements via Chrome alarms. The extension’s first code is a listener using the
_runtime.onInstalled event, which activates when the extension is first installed, seen below._


-----

_Figure 11: onInstalled Functionality_

Local data for lastQuery,, and is, which are local variables used by the extension, will be
removed. Two alarms, hb and are also created. hb will first trigger after a delay of 1.1
minutes, then every 180 minutes after that. will first execute at 5 minutes, then every 30
minutes. Next, the analytics function will be called with the argument install, and the sync
function is called. The analytics function of ChromeBack uses the navigator.sendBeacon
method of Chrome to send a small packet of data via an HTTP POST request. The POST
request will be made to the URL hxxps://tobepartou[.]com/<arg-1>?
ext=Properties&ver=4.4&dd=<id>, and if a second argument is provided, &info=<arg-2> will
be appended to the URL.

_Figure 12: Analytics Function_

The sync function will send a GET request to hxxps://tobepartou[.]com/redsync, which
redirects to hxxps://freychang[.]fun. Hosted at hxxps://freychang[.]fun is a 16-digit number
which is then passed to the sync function as the second argument along with the string sync
for a call to analytics(). The result is a post to hxxps://tobepartou[.]com/sync?
ext=Properties&ver=4.4&dd=<id>&info=<number>.


-----

_Figure 13: Sync Function_

_Figure 14: hxxps://freychang[.]fun Data_

Next, ChromeBack will use the management.getAll method to get information on all other
running Chrome extensions and pass that info to the handleInstalledExtensions function.
_handleInstalledExtensions will send a POST request to hxxps://com.tobepartou[.]com/ext?_
ext=Properties&ver=4.4&dd=<id> with a JSON object of a stringified list of running
extensions as the data. Then, the list will be parsed and the Chrome
_management.setEnabled method will be called to set the value for each extension to !1,_
disabling all other extensions.

_Figure 15: handleInstalledExtensions Function_

_Figure 16: Disabling Extensions from handleInstalledExtensions_

There is a running listener for alarms.onAlarm events; When the hb alarm triggers,
ChromeBack executes its analytics function with the argument hb, and the sync function.
When the alarm triggers, the getAd function is called.


-----

_Figure 17: onAlarm Listener_

The getAd function calls a second function, openAd. openAd executes a GET request to
hxxps://tobepartou[.]com/ad?ext=Properties&ver=4.4&dd=<id>. The response contains a
URL with the intended advertisement to serve, hxxps://a[.]nel[.]cloudflare[.]com/report/v3?s=
_<id-for-ad>. The Chrome tabs.create method is then called to create a tab with the served_
advertisement.

_Figure 18: openAd Function_

The listener is created with the intention to redirect search results using the
_webRequest.onBeforeRequest method. When a request is made, it is checked against the_
indexes of Google, search.yahoo, and Bing. Any requests to these domains will be blocked,
and the search query stripped from the URL and appended to the end of a new target URL,
hxxps://tobepartou[.]com/search?ext=Properties&ver=4.4&is=1&q=<query>. After the first
redirection, the browser will be redirected again to a Bing search for the original query.


-----

_Figure 19: Redirection of Search Results_

Within Chrome, users are typically able to see and manage access for all of their extensions
in one tab chrome://extensions. An additional interesting evasion method used by
ChromeBack is, upon a request to chrome://extensions, the tab will be removed and a new
tab of chrome://settings will be created. This prevents a user from reaching the page to
manage extensions, adding a hurdle for more novice users.


-----

_Figure 20: Code for Preventing Access to Extensions_

## Conclusion

The ChromeBack extension is a browser hijacker, redirecting traffic and serving
advertisements to users. Its utilization of the `--load-extension argument outlines an`
interesting vector for injection of malicious code into a browser without the knowledge of the
user. Users may not be aware that they have been compromised, especially since Developer
Mode can be enabled without notification. Identification is possible with tools like GoSecure
Titan Endpoint Detection & Response (EDR) and through a review of the information
provided in this blog. To read more from GoSecure Titan Labs and our extensive security
[investigations, be sure to check this blog regularly and follow us on Twitter and](https://twitter.com/GoSecure_Inc) [LinkedIn.](https://www.linkedin.com/company/gosecure/)

**Malware Analyst:** [Matthew Hood](https://www.linkedin.com/in/matthew-hood-585b12192/)

## Indicators of Compromise


-----

```
+ + +
| Type  | Indicator            | Description              
|
+========+==================================+=========================================
| MD5  | a4424f32a10770b7e486a38823f166ff | ChromeBack Extension Zipped
(Archive.zip) |
+--------+----------------------------------+------------------------------------------+
| MD5  | b02455ddbc78841c2e3087fab5a9f9b2 | ChromeBack Extension Code
(Background.js) |
+--------+----------------------------------+------------------------------------------+
| DOMAIN | ithconsukultin[.]com       | ChromeBack Initial Download Domain   
|
+--------+----------------------------------+------------------------------------------+
| DOMAIN | tobepartou[.]com         | ChromeBack Contact Domain       
|
+--------+----------------------------------+------------------------------------------+
| DOMAIN | freychang[.]fun         | ChromeBack Contact Domain       
|
+--------+----------------------------------+------------------------------------------+
| DOMAIN | a[.]nel[.]cloudflare[.]com    | ChromeBack Ad Hosting Domain      
|
+--------+----------------------------------+------------------------------------------+
| ID   | andnkmffoleapmidfgnnjjoepadbiika | ChromeBack Extension ID        
|
+========+==================================+=========================================

## Detection

```
GoSecure Titan Labs are providing the following signatures to help the community in
detecting and identifying the threats discussed in this report and have deployed additional
detection as part of our MDR service.


-----

```
alert http any any > $EXTERNAL_NET any (msg: GS MALWARE ChromeBack Browser Hijacker
Query Redirection";
content:"GET"; http_method;
content:"/search?ext="; http_uri; fast_pattern;
content:"&ver="; http_uri; distance:0;
content:"&is="; http_uri; distance:0;
content:"&q="; http_uri; distance:0;
flow:to_server, established;
metadata:created 2022-01-18, type malware.stealer, os any, tlp white;
classtype:trojan-activity; sid:300001853; rev:1;)
alert http any any -> $EXTERNAL_NET any (msg:"GS MALWARE ChromeBack Browser Hijacker
getAd";
content:"GET"; http_method;
content:"/ad?ext="; http_uri; fast_pattern;
content:"&ver="; http_uri; distance:0;
content:"&dd="; http_uri; distance:0;
flow:to_server, established;
metadata:created 2022-02-08, type malware.stealer, os any, tlp white;
classtype:trojan-activity; sid:200000000; rev:1;)
alert http any any -> $EXTERNAL_NET any (msg:"GS MALWARE ChromeBack Browser Hijacker
Sync";
content:"GET"; http_method;
content:"/sync?ext="; http_uri; fast_pattern;
content:"&ver="; http_uri; distance:0;
content:"&dd="; http_uri; distance:0;
flow:to_server, established;
metadata:created 2022-02-08, type malware.stealer, os any, tlp white;
classtype:trojan-activity; sid:200000001; rev:1;)
alert http any any -> $EXTERNAL_NET any (msg:"GS MALWARE ChromeBack Browser Hijacker
Home Beacon";
content:"POST"; http_method;
content:"/hb?ext="; http_uri; fast_pattern;
content:"&ver="; http_uri; distance:0;
content:"&dd="; http_uri; distance:0;
flow:to_server, established;
metadata:created 2022-02-08, type malware.stealer, os any, tlp white;
classtype:trojan-activity; sid:200000002; rev:1;)

```

-----