Malicious Chrome Extensions Found in Chrome Web Store [source: trendmicro]
by CIRT Team
The Trend Micro Cyber Safety Solutions team has discovered a new botnet delivered via Chrome extensions that affect hundreds of thousands of users. (The malicious extension is detected as BREX_DCBOT.A.) This botnet was used to inject ads and cryptocurrency mining code into websites the victim would visit. We have dubbed this particular botnet Droidclub, after the name of one of the oldest command-and-control (C&C) domains used.
In addition to the above features, Droidclub also abuses legitimate session replay libraries to violate the user’s privacy. These scripts are injected into every website the user visits. Session replay libraries are meant to let a site owner replay a user’s visit to a website, seeing what the user saw and what the user typed, among other things. Other researchers have raised the possibility that these libraries could be abused, but this is the first time we have seen this in the wild.
The attacker gets the user to install these malicious Chrome extensions via a mix of malvertising and social engineering. A total of 89 Droidclub extensions have been found on the official Chrome web store. Based on the pages of these extensions, we estimate that up to 423,992 users have been affected. Google has since removed these extensions from the official Chrome web store; in addition, the C&C servers have been removed from Cloudflare as well.