Rewterz Threat Alert – Three Malicious VPN Chrome Extensions Downloaded 1.5 Million Times – Active IOCs

Severity

High

Analysis Summary

Researchers have discovered three fake Chrome extensions that pretend to be VPN (Virtual Private Networks) were force-installed 1.5 million times and are used as browser hijackers, data stealers, and cashback hacking tools. They are distributed through torrent sites as a hidden installer in pirated copies of popular video games such as Assassin’s Creed, Grand Theft Auto, and The Sims 4.

Google has been notified of these findings and removed the malicious extensions from the Chrome Web Store, but the extensions already had 1.5 million downloads before their removal. These extensions were named netPlus, netSave, and netWin. Most of the impacted users are from Ukraine, Russia, Belarus, and Kazakhstan, showing that the campaign targets mainly Russian-speaking victims.

The security researchers found more than a thousand different torrent files that deliver the malicious installer file and discovered that it is a small app of 60MB and 100MB in size. The VPN extensions are installed automatically and by force, which takes place on the registry level and doesn’t involve the user or ask for any action. The installer does a check for antivirus solutions running on the compromised device, then drops netSave on Google Chrome and netPlus on Microsoft Edge.

The fake extensions utilize a VPN user interface that appears legitimate with some functionality and a paid subscription option to trick the victims into believing that it’s real. Analyzing the code shows that the extension can access tabs, proxy, storage, webRequest, declarativeNetRequest, webRequestBlocking, scripting, cookies, alarms, management, offscreen, and activeTab.

The exploitation of the ‘offscreen’ permission allows the malware to run scripts using the Offscreen API and secretly interact with the web page’s current Document Object Model (DOM). This access to DOM can be leveraged by the extensions to steal sensitive user information, manipulate web requests, perform browsing hijacks, and disable other extensions installed on the browser. Another functionality that the extension features is disabling other coupon and cashback extensions to eliminate competition on the compromised system and redirect all profits to the threat actors.

The malware targets more than a hundred cashback extensions like AVG SafePrice, Avast SafePrice, Honey: Automatic Coupons & Rewards, Megabonus, LetyShops, AliRadar Shopping Assistant, ChinaHelper, Backlit, and Yandex.Market Adviser. The three malicious extensions communicate with the command-and-control (C2) servers to exchange data like instructions and commands, exfiltrate sensitive data, ID the victim, and more. This campaign underlines massive security issues surrounding web browser extensions that are mostly very hard to detect and determine what behavior they show.

Impact

• Unauthorized Access
• Sensitive Information Theft

Indicators of Compromise

MD5

• 0f220acacaad97956ba1730b06b0513b
• 645553fa44867521d09d461e276b11eb
• e0653144b8399c849a77c2d13508d667
• adaf67439743ea0a99f65e6aa9f971f4
• 893adc177cd0b965c231da68e6380b0a
• d8e511a1a6a984b05de1dbc7d8b0ec66

SHA-256

• eb517e09a773908f99243a966e9a37f0e0ff1378faefbfcca81b00e383fd4c54
• 0c80bac1d62689f26aedf6c56929a34c6f0cac4ce368c99e25e509a382910442
• f7fef538bae1d76f986cc42c53be6871fbc3261608347f31ce44007ba19605c8
• e8b9a6112db664a4d646eecc356a9e6b8357cc23188d9a2e9264f87c3f5cb0fa
• 55bedea8ea1011f958f1eb9b5ae033840bf8917f8bf44b4fb6773c400e8459aa
• e42bfaaeaa0ab1b12d62c31bdf1476a665639e8964d854efb8bd227fe94ccb36

SHA-1

• 32d3e031ca2d98f7719f1a4cee95b2d0fc846b8b
• 87d4f3c815154b963bf84395e543ba57ee1b99d9
• 5cf0bfd320bb3c5780a8aecc8463702858613e70
• b0cd0092a504e281ed1591ea8554ede3829a9470
• b260c92a915abe887a8d37ff1528ca3dcacd78c9
• 9a893571b726f3305d5b7207317169e1976d11a2

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Keep all software, including operating systems and applications, up to date with the latest security patches and updates.
• Regularly back up critical data and systems, and store backups offline.
• Employ network segmentation to isolate critical systems and limit lateral movement by attackers in case of a breach.
• Deploy strong endpoint security solutions that can detect and respond to malicious activities on devices within the network.
• Implement the principle of least privilege to limit user and system access to only what is necessary for their roles, reducing the impact of a breach.
• Implement MFA for access to critical systems and accounts to enhance security.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
• Regularly check the extensions installed in your browser and check for new reviews in the Chrome Web Store to see if others are reporting malicious behavior.