List: emerging-sigs
Subject: Re: [Emerging-Sigs] Malicious Chrome Extensions
From: "Stanwyck, Carraig - ASOC - Kansas City, MO" <Carraig.Stanwyck () asoc ! usda ! gov>
Date: 2016-08-25 6:26:11
Message-ID: 7bd51f1bda9b48a38fbece62b4f84da0 () CY1PR0201MB022 ! 001f ! mgd2 ! msft ! net
I just wanted to follow up...
The published rule has already caught another malicious extension from a different domain that I included in the original text file of suspected domains, so it appears my suspicions were correct. That said, I still have little information. We have identified 3 infected hosts, but were only able to retrieve the extensions list on one of the machines. Once the extensions were cleared, the traffic stopped. That said, I haven't identified the malicious extension.
Installed Extensions on Infected Host:
- Amazon Assistant for Chrome
- Ambient Aura
- Chromarks - Chrome Bookmarks Menu
- Extensions Manager (aka Switcher)
- Fair AdBlock (by STANDS)
- Fair Adblock App (by STANDS)
- Fair Ads (by STANDS)
- Google Cast
- Google Chrome to Phone Extension [DEPRECATED]
- Google Contacts Launcher
- Google Docs Offline
I haven't found anything malicious on these when researching them, but your move may vary. Deleting them all stopped the malicious traffic.
Regards,
Carraig Stanwyck
USDA | OCIO | ASOC
From: Stanwyck, Carraig - ASOC - Kansas City, MO [mailto:Carraig.Stanwyck@asoc.usda.gov]
Sent: Friday, August 05, 2016 7:32 AM
To: emerging-sigs@lists.emergingthreats.net; snort-sigs@lists.sourceforge.net
Cc: Clemons, Matt - OCIO-ASOC, Kansas City, MO <matt.clemons@asoc.usda.gov>
Subject: [Snort-sigs] Malicious Chrome Extensions
Good Morning,
I have identified what I am almost certain is traffic from malicious Chrome extension infections on our network. The IOC in my case is hxxp://brainlog.top, which has the same registrar (VIACHESLAV ZINKEVICH) as 100+ other suspicious domains (attached), including 4chan-plus.com, which has a reddit PSA (https://www.reddit.com/r/chrome/comments/4caqdv/psa_remove_4chan_plus_its_inserting_malware_into/) for the same activity we're seeing here.
Proposed rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malicious Chrome Extension"; flow:established,to_server; content:"page?url="; http_uri; fast_pattern; content:"user"; http_uri; content:"iframe="; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:123456; rev:1; )
It'd be pretty easy to add some pcre into it if necessary, the patterns are consistent.
Example URIs (2 separate infections, delineated by the string following "user"):
/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=https://www.groupon.com/deals/k-f-custom-car-detailing&iframe=
/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=https://www.indiemerch.com/&iframe=
/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=https://www.indiemerchstore.com/&iframe=
/user/e43tohsduglaic1qnk5896fmyzjrbv0p/39344/page?url=https://www.full30.com/&iframe=
/user/e43tohsduglaic1qnk5896fmyzjrbv0p/39344/page?url=https://www.google.com/&iframe=
/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=http://l.instagram.com/?e=ATNv0z315R1OmkaGMEZAoaq-DKaekIneFy9u3I5gbf9ileNm211AFFAd&u=http%3A%2F%2Fwww.mixcloud.com%2Fdjhomeschool&iframe=
/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=http://money.cnn.com/2016/08/02/news/economy/donald-trump-hillary-clinton-facebook/index.html&iframe=
/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=http://www.cnn.com/2016/08/03/europe/leopard-cubs-twycross/index.html&iframe=
Thanks,
Carraig Stanwyck
USDA | OCIO | ASOC
@C4RR41G
This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.
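As an added example (not part of the thread or of any ET/Snort rule set), the following Python models the proposed rule's three unordered http_uri content matches beside a regex for the full path shape visible in the example URIs, clusters hits by the token after /user/ (one cluster per infection, as the post notes), and shows a constructed benign URI that the substring checks alone would flag. The 32-character token length, the benign URI and the pcre line are my assumptions drawn from the two observed samples.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Example URIs quoted in the original post (two infections, two /user/ tokens).
SAMPLE_URIS = [
    "/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=https://www.groupon.com/deals/k-f-custom-car-detailing&iframe=",
    "/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=https://www.indiemerch.com/&iframe=",
    "/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=https://www.indiemerchstore.com/&iframe=",
    "/user/e43tohsduglaic1qnk5896fmyzjrbv0p/39344/page?url=https://www.full30.com/&iframe=",
    "/user/e43tohsduglaic1qnk5896fmyzjrbv0p/39344/page?url=https://www.google.com/&iframe=",
    "/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=http://l.instagram.com/?e=ATNv0z315R1OmkaGMEZAoaq-DKaekIneFy9u3I5gbf9ileNm211AFFAd&u=http%3A%2F%2Fwww.mixcloud.com%2Fdjhomeschool&iframe=",
    "/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=http://money.cnn.com/2016/08/02/news/economy/donald-trump-hillary-clinton-facebook/index.html&iframe=",
    "/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=http://www.cnn.com/2016/08/03/europe/leopard-cubs-twycross/index.html&iframe=",
]
# Constructed benign URI: it contains all three substrings the proposed rule
# matches, just in a different order, so the content-only rule would fire on it.
BENIGN_URI = "/docs/page?url=help&iframe=0&user=1"

def content_rule_hits(uri: str) -> bool:
    """Model the rule's three independent, unordered http_uri content matches."""
    return all(s in uri for s in ("page?url=", "user", "iframe="))

# Full path shape taken from the samples. Both observed tokens are 32 lowercase
# alphanumerics (assumption: loosen {32} if other campaigns differ). The url=
# group is greedy because the beaconed URL can itself contain '&' (see the
# l.instagram.com sample); '&iframe=' is anchored to the end of the URI.
URI_SHAPE = re.compile(
    r"^/user/(?P<token>[a-z0-9]{32})/(?P<campaign>\d+)/page\?url=(?P<url>.+)&iframe=$"
)
# The same shape as a Snort pcre option that could be appended to the rule
# (assumption: Snort 2 syntax, "U" = match against the normalized URI buffer).
PCRE_OPTION = r'pcre:"/^\/user\/[a-z0-9]{32}\/\d+\/page\?url=.+&iframe=$/U";'

class Beacon(NamedTuple):
    token: str     # per-infection identifier following /user/
    campaign: str  # numeric segment, constant within one infection
    url: str       # page the victim was browsing when the extension phoned home

def parse_beacon(uri: str) -> Optional[Beacon]:
    """Return the parsed beacon if the URI has the full shape, else None."""
    m = URI_SHAPE.match(uri)
    return Beacon(m["token"], m["campaign"], m["url"]) if m else None

def cluster_by_token(uris: List[str]) -> Dict[str, List[str]]:
    """Group beaconed URLs by /user/ token: one cluster per infected host."""
    clusters: Dict[str, List[str]] = {}
    for uri in uris:
        b = parse_beacon(uri)
        if b:
            clusters.setdefault(b.token, []).append(b.url)
    return clusters
```

Running cluster_by_token over proxy-log URIs gives a per-host count of beacons, which is a quick way to confirm which machines are still calling out after extensions are removed.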
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net