Threat actor goes on a Chrome extension hijacking spree | Proofpoint US By August 14, 2017 Kafeine Published: 2017-08-14 · Archived: 2026-04-06 00:57:23 UTC Overview Chrome Extensions are a powerful means of adding functionality to the Chrome browser with features ranging from easier posting of content on social media to integrated developer tools. At the end of July and beginning of August, several Chrome Extensions were compromised after their author’s  Google Account credentials were stolen via a phishing scheme. This resulted in hijacking of traffic and exposing users to potentially malicious popups and credential theft. We specifically examined the “Web Developer 0.4.9” extension compromise, but found evidence that “Chrometana 1.1.3”, “Infinity New Tab 3.12.3” [8][10] , “CopyFish 2.8.5” [9], “Web Paint 1.2.1” [11], and “Social Fixer 20.1.1” [12]  were modified using the same modus operandi by the same actor. We believe that the Chrome Extensions TouchVPN and Betternet VPN were also compromised in the same way at the end of June. Analysis On August 12 Chris Pederick reported [1] that his Extension, Web Developer for Chrome, had been compromised (Figure 1). Figure 1: Chris Pederick’s tweet from August 2, 2017 regarding the compromise of his Web Developer for Chrome Extension We retrieved the compromised version and isolated the injected code. Figure 2: Web Developer 0.4.9 Chrome Extension published by a bad actor after the legitimate extension was compromised https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree Page 1 of 14 Figure 3: Snippet of the inserted code in content.js from the compromised version of Web Developer 0.4.9 In general terms, the compromised extension first checks to ensure that the Chrome Extension has been installed for 10 minutes using the following line of code: if ((Date.now() - installed) > 10 * 60 * 1000) Before proceeding with the rest of the extension code, compromised components of the extension retrieve a remote file, ga.js, over HTTPS from a server whose domain is generated via a domain generation algorithm (DGA): var date = new Date(); var day = date.getUTCDate(); var month = date.getUTCMonth() + 1; var year = date.getUTCFullYear(); var hour = date.getUTCHours(); var d = day + '-' + month + '-' + year; var hash = "wd" + md5(d) + ".win"; On August 2, for example, the network request was: https://wd7bdb20e4d622f6569f3e8503138c859d[.]win/ga.js. At that time, the file was served by Cloudflare. The day after, the network request was: https://wd8a2b7d68f1c7c7f34381dc1a198465b4[.]win/ga.js Figure 4: Step 1 remote ga.js code called by the victim’s browser using the compromised extension - retrieved August 3, 2017 https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree Page 2 of 14 Figure 5: Array contained in the ga.js after unescaping; note that Cloudflare immediately removed the domains when we notified them of the malicious activity The code from this first step allows the threat actors to conditionally call additional scripts including some to harvest Cloudflare credentials: Figure 6: Conditionally called Step 2 script allowing the actor to grab and exfiltrate Cloudflare credentials after the victim’s login At step 2, several other scripts can be called (Figure 7): Figure 7: Some of the calls generated by the injected ga.js As shown in Figure 8, the compromised version of the extension attempts to substitute ads on the victim’s browser, hijacking traffic from legitimate advertising networks. https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree Page 3 of 14 Figure 8: Sample of strings that trigger a substitution attempt (from 973820_BNX.js?rev=133) While the attackers substituted ads on a wide range of websites, they devoted most of their energy to carefully crafted substitutions on adult websites (Figure 9). https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree Page 4 of 14 https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree Page 5 of 14 Figure 9: Code snippet demonstrating the extensive effort involved in properly substituting advertisements in adult websites; retrieved on August 3, 2017 from 973820_BNX.js?rev=133 Figure 10 shows several additional triggers for advertising substitutions, again on adult websites and particular advertising networks: Figure 10: Other substitution triggers (695529_BNX.js?rev=144) The advertising substitutions work for a specific set of 33 common banner sizes including 468x60, 728x90, and many more spanning numerous aspect ratios (Figure 11). Figure 11: Banner formats handled by the compromised extension based on a version retrieved on August 3, 2017 rom 973820_BNX.js?rev=133 The advertising calls themselves specify the substituted banner format. For example, one particular ad call read: b.partner-net[.]men/code/x/b/?pid=973820&adu=0&s=468x60 In many cases, victims were presented with fake JavaScript alerts prompting them to “repair” their PC then redirecting them to affiliate programs from which the threat actors could profit. Figure 12 shows a malvertising chain that brings users from the fake alert to an affiliate site; we observed the compromised extension directing victims to two such affiliates, although others may also have been used. https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree Page 6 of 14 Figure 12: Chain to affiliate program from a  fake JavaScript alert The code generating the fake alert page is shown in Figure 13: Figure 13: Code generating the fake JavaScript alert Figure 14: One of the affiliate programs receiving the hijacked traffic https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree Page 7 of 14 Figure 15: Another affiliate program receiving the hijacked traffic. The popup alerts were also reported in May with the “Infinity New Tab” compromise. The involved code in that compromised extension [5] is almost identical, but the DGA was slightly different: var day = date.getDate(); var month = date.getMonth() + 1; var year = date.getFullYear(); var d = month + '/' + year; var tds_url = 'http://' + md5(d) + '.pro/tds.php?subid=ce'; The same malicious activity was also reported in some fake EU Cookie-Consent alerts [6] (Figure 16). The server involved in those cases, browser-updates[.]info, is the same as the one used in the “Infinity New Tab” case and most likely is an old front for the same backend as redirect2[.]top and loading[.]website. While those details are outside the scope of this blog, it is worth noting that examining these activities allows us to trace them back to @BartBlaze’s post from July 2016 [7]: https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree Page 8 of 14 Figure 16: One of the servers currently used by this group to publish a trapped cookie-consent JavaScript script Figures 17-19 show that this activity is able to generate substantial traffic: Figure 17: Alexa report on browser-update[.]info https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree Page 9 of 14 Figure 18: Similarweb report on searchtab[.]win Figure 19: Alexa report on partner-net[.]men The Phishing Our colleagues at Phishme have already examined the credential phishing that originally allowed the actors to compromise the extensions [3]; the Web Developer extension case was almost identical: Figure 20: Screenshot of the email used to harvest extension coder credentials Conclusion Threat actors continue to look for new ways to drive traffic to affiliate programs [13] and effectively surface malicious advertisements to users. In the cases described here, they are leveraging compromised Chrome extensions to hijack traffic and substitute advertisements on victims’ browsers. Once they obtain developer credentials through emailed phishing campaigns, they can publish malicious versions of legitimate extensions. In addition to hijacking traffic and driving users to questionable affiliate programs, we have also observed them gathering and exfiltrating Cloudflare credentials, providing the actors with new means of potential future attacks. Acknowledgements https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree Page 10 of 14 We would like to thank Cloudflare for their immediate action upon notification of malicious activity using their hosting service. We would also like to thank Chris Pederick (author of the Web Developer extension) for sharing data tied to the phishing and how he and the CopyFish author transparently handled the incidents. References [1] https://twitter.com/chrispederick/status/892768218162487300 [2] http://chrispederick.com/blog/web-developer-for-chrome-compromised/ [3] https://phishme.com/even-smart-ones-fall-phishing/ [4] https://www.centbrowser.com/forum/printthread.php?tid=1394&page=2 [5] https://pastebin.com/pHf7EHRG [6] https://forum.joomla.org/viewtopic.php?t=956912 [7] https://bartblaze.blogspot.co.uk/2016/07/eu-cookie-law-and-fake-chrome-extensions.html [8] http://infinitynewtab.com/notice.html [9] https://a9t9.com/blog/chrome-extension-adware/ [10] https://pastebin.com/pHf7EHRG [11] https://gist.github.com/FelixWolf/066fd5ca2672f15089e7712827140bd9 [12] https://www.facebook.com/socialfixer/posts/10155117415829342 [13] https://www.proofpoint.com/us/threat-insight/post/pyramid-schemes-go-high-tech-affiliate-spam-and-malware-affiliates Indicators of Compromise IOCs click.rdr11[.]top|31.186.103.146 chromedevelopment[.]site|31.186.103.147 login.chromeextensions[.]info|31.186.103.149 chromeextensions[.]info|31.186.103.149 wd8a2b7d68f1c7c7f34381dc1a198465b4[.]win|104.131.30.88 https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree Page 11 of 14 wd7bdb20e4d622f6569f3e8503138c859d[.]win|104.131.30.88 loading[.]website|162.255.119.12 searchtab[.]win|104.131.67.58 redirect2[.]top|104.131.67.58 browser-updates[.]info|198.54.117.212 browser-updates[.]info/firebase_subscribe.js imagetwist[.]info|174.138.62.139 https://wd7bdb20e4d622f6569f3e8503138c859d[.]win/ga.js http://searchtab[.]win/ga.js http://redirect2[.]top/ga.js http://partner-net[.]men/code/pid/linkcheck.js?rev=133 https://f.partnerwork[.]men/code/code/index_4.php https://f.partnerwork[.]men/code/code/mss_3.js https://y.partnerwork[.]men/code/code/index_3.php https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree Page 12 of 14 http://partner-net[.]men/code/pid/973820_BNX.js?rev=133 http://partner-net[.]men/code/?pid=973820&r= login.chromedevelopment[.]site|31.186.103.147 y.partnerwork[.]men|185.147.15.35 f.partnerwork[.]men|185.147.15.37 f.partnerwork[.]men|185.147.15.37 partner-net[.]men|95.211.68.187 partner-net[.]men|95.211.68.186 b.partner-net[.]men| http://land.pckeeper[.]software/land/7.13.222/index.php? affid=mzb_251.563088.1501708560.18.mzb&utm_source=prfl&utm_medium=cps&utm_campaign=pck_prfl_cps_ww_713&utm_term=&utm_content http://land.pckeeper[.]software/land/7.13.222/index.php? affid=mzb_281.2294418.1495859377.18.mzb&utm_source=maxb&utm_medium=cps&utm_campaign=pck_maxb_cps_eu2_713&utm_term=&utm_co http://wlp.cleanmypc[.]online/mxbt1/?x-context=496906380&utm_source=mxapcfx5&utm_campaign=mxapcfx5&pxl=MXA2240_MXA2193_RUNT& cookie-policy[.]org|45.55.128.61 cdn2[.]info|45.55.128.61 https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree Page 13 of 14 cdn8[.]info|45.55.128.61 cdn.cookiescript[.]info|52.222.226.223 cdn.front[.]to|162.243.105.107 UA-103045553-1 283599517713 ganalytics[.]win|104.131.30.88 92fffe0ba52da491a2b7576627f3693a[.]pro 7ce508e6099e31f68c2fd50c362f087d[.]pro partner-print[.]men|185.147.15.39 extstat[.]com|185.147.15.39 Source: https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree Page 14 of 14 resulted in hijacking We specifically examined of traffic and exposing the “Web Developer users to potentially malicious 0.4.9” extension compromise, popups and credential theft. but found evidence that “Chrometana 1.1.3”, “Infinity New Tab 3.12.3” [8][10] , “CopyFish 2.8.5” [9], “Web Paint 1.2.1” [11], and “Social Fixer 20.1.1” [12] were modified using the same modus operandi by the same actor. We believe that the Chrome Extensions TouchVPN and Betternet VPN were also compromised in the same way at the end of June. Analysis On August 12 Chris Pederick reported [1] that his Extension, Web Developer for Chrome, had been compromised (Figure 1). Figure 1: Chris Pederick’s tweet from August 2, 2017 regarding the compromise of his Web Developer for Chrome Extension We retrieved the compromised version and isolated the injected code. Figure 2: Web Developer 0.4.9 Chrome Extension published by a bad actor after the legitimate extension was compromised Page 1 of 14