Security researcher Bryan Campbell discovered a malicious Chrome extension today that is masquerading as the legitimate MinerBlock extension. The legitimate MinerBlock extension is used to block sites that utilize in-browser cryptocurrency mining, while the newly discovered version causes Chrome to repeatedly play videos in the background without your knowledge.

The Chrome Web Store pages for each extension looks different, with the fake one containing Russian text, but with developers being different. The developer for the legitimate MinerBlock is from CryptoMineDev, while the malicious one is listed as from egopastor2016.

As for the extensions themselves, other than the logo and the version number, both extensions look the same and have the same options interface.

Legitimate MinerBlock Extension
Legitimate MinerBlock Extension
Fake MinerBlock Extension
Fake MinerBlock Extension

Functionality is where things change. While the original MinerBlock is designed to block access to known mining sites, the malicious version is used to constantly play videos in the background. 

It is not known for sure why the extension is constantly playing videos in the background, but it could be used for click fraud through the display of advertisements or to artificially increase view counts.

When started, the malicious extension will connect to the site egopastor.biz and retrieve a set of "tasks".  These tasks will determine what options the extension will use and the URLs it should connect to.

You can see an example of the extension connecting to this site and retrieving its configuration below.

Fiddler showing video playback
Fiddler showing video playback

The extension will then begin to connect to the specified URL, which at this time causes videos to be played from various Russian video sites. When a video is played, it will cause the CPU utilization to shoot as high as 100% and then drop back down to 0 when the video has finished playing. You can see an example of this CPU utilization while a video plays below.

CPU Utilization
CPU Utilization

For those who may have this version installed, you can easily remove the extension by right-clicking on its icon and selecting remove.

With it becoming more common for malicious extensions to masquerade as well-known legitimate ones, it is important for all users to be careful when installing extensions. Before installing anything, be sure to read the reviews carefully and make sure the extension you are installing is the correct one.

 

ICOs

Hashes & Pages:

Fake:

Chrome Store Page: https://chrome.google.com/webstore/detail/minerblock-%D0%B1%D0%BB%D0%BE%D0%BA%D0%B8%D1%80%D0%BE%D0%B2%D0%BA%D0%B0-%D0%BC%D0%B0%D0%B9/jdkbipcangaabpfffdcffcneenkilajh
Hash: 2c1f5e5a2e3267e4db3018bb3371204aaa38a4780f305be31b64997624f20a85

Legitimate:

Chrome Store Page: https://chrome.google.com/webstore/detail/minerblock/emikbbbebcdfohonlaifafnoanocnebl

Network Connections:

egopastor.biz

 

Related Articles:

Google Adds New Rules To End Malicious Chrome Extensions

TLS 1.0 and TLS 1.1 Being Retired in 2020 by All Major Browsers

Chrome Extension Devs Use Sneaky Landing Pages after Google Bans Inline Installs

Chrome 69 Keeps Google's Cookies After You Clear Browser Data

Google Experiments With Showing Search Queries in Chrome 71 Address Bar