The “Colombia Weather Live” extension appeared on multiple browsers, including Google Chrome and Mozilla Firefox, and was downloaded by more than 10,000 users. In the video, we talked about the two main actions of the attack: using those browsers to perform actions on YouTube in the background, and preventing users from removing the malicious extension from their computer.
Let’s look at how the extension is able to do this.
When we unpack the extension, the first thing we see is that it requests unusual permissions from the user, such as access to storage, tabs, and all URLs, which allow the code to know exactly what sites a user is accessing. These are the two files that are responsible for setting off the infection:
When the code is loaded, it makes a request to retrieve the main payload – a file that is completely encrypted, as one would expect. However, with some modifications to the loader, we were able to decrypt the script and retrieve the actual code.
It is clear that the code was built strategically – the developer even included “Development” and “Production” configurations:
Moving ahead in the code, we find the starting point. It calls four separate functions, but we’re only going to focus on two:
This function adds a listener into browser tabs, essentially checking everything that a user attempts to access, and blocking certain activities based on specific URLs and keywords.
This is the part of the code that makes the extension highly difficult to remove. It blocks access to “chrome://extensions” as well as any searches related to anti-virus solutions, preventing users from finding information on how to remove the threat.
This function initializes some variables and calls the init function, which in turn downloads an encrypted JSON file that contains instructions for the actions that the script will take.
When we decrypt the downloaded file, we can see the three data variables that each action contains:
- _id: Action identifier, used in the activity log for control;
- type: Type of the action;
- data: Data required to perform the action.
This large list is passed to the “handleActionsType” function, which dispatches each entry to the handler for its action type:
In this version of the extension, there are calls for these actions:
- YouTube video rate;
- YouTube channel subscribe;
- YouTube comment rate up;
- YouTube video watch.
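As an added triage helper (not code from the post or from the extension itself), the script below checks an unpacked extension's manifest for the unusual permissions noted above and summarises a decrypted action list using the `_id`/`type`/`data` schema described here. The manifest, the action entries and the action type identifiers are constructed for the example; the post names the four action kinds but not the strings the extension uses for them.

```javascript
// Permissions the post singles out as unusual for a weather extension.
const RISKY_PERMISSIONS = new Set(['storage', 'tabs', '<all_urls>']);

// Assumed identifiers for the four action kinds named in the post.
const KNOWN_ACTION_TYPES = new Set([
  'youtube_video_rate', 'youtube_channel_subscribe',
  'youtube_comment_rate_up', 'youtube_video_watch',
]);

// Constructed sample manifest (MV2 style; MV3 host_permissions also handled).
const sampleManifest = {
  manifest_version: 2,
  name: 'Sample Weather Extension',
  permissions: ['storage', 'tabs', '<all_urls>'],
};

// Constructed sample of a decrypted action list: three known actions,
// one type the analyst has not seen before, and one malformed entry.
const sampleActions = [
  { _id: 'a1', type: 'youtube_video_rate', data: { videoId: 'v1', rating: 'like' } },
  { _id: 'a2', type: 'youtube_channel_subscribe', data: { channelId: 'c1' } },
  { _id: 'a3', type: 'youtube_video_watch', data: { videoId: 'v1', seconds: 30 } },
  { _id: 'a4', type: 'redirect', data: { url: 'http://example.invalid/' } },
  { _id: 'a5', type: 'youtube_video_watch' }, // missing data field
];

// Returns the declared permissions that fall into the risky set.
function triageManifest(manifest) {
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  return declared.filter((p) => RISKY_PERMISSIONS.has(p));
}

// Validates each action's three fields, counts actions per type, and
// flags types outside the known set so new capabilities stand out.
function triageActions(actions) {
  const counts = {};
  const unknownTypes = [];
  const malformed = [];
  for (const a of actions) {
    if (typeof a._id !== 'string' || typeof a.type !== 'string' || a.data === undefined) {
      malformed.push(a._id ?? '(no _id)');
      continue;
    }
    counts[a.type] = (counts[a.type] || 0) + 1;
    if (!KNOWN_ACTION_TYPES.has(a.type) && !unknownTypes.includes(a.type)) unknownTypes.push(a.type);
  }
  return { counts, unknownTypes, malformed };
}

console.log(triageManifest(sampleManifest), triageActions(sampleActions));
```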
The code in this extension is not currently written to cause any lasting harm to users. However, the code was written to be versatile and adaptable, meaning that it would be possible to change its functions without too much extra effort. This is dangerous, as it could be programmed to perform acts such as redirection to phishing sites, credential harvesting, and more. The consequences of a malicious extension with those abilities would be much more severe – compromise of sensitive data, financial loss, and reputational damage to companies being impersonated by fake, malicious extensions, just to name a few.
It is important for organizations to take steps to protect their brand online. The Google Play Store took 3 weeks to recognize “Colombia Weather Live” as a malicious extension, and it was downloaded by many users during that time. If your organization is targeted by a malicious extension, you, your users, and your reputation could all be at risk.