There’s a glut of malicious Google Chrome extensions out there, but some are more harmful than others. The one that SANS ISC incident handler Renato Marinho has dubbed “Catch-All” falls in the former category.
A data-stealing Chrome extension
Marinho spotted the extension being pushed onto users via a phishing e-mail with links to photos supposedly sent through WhatsApp. But, instead of the photos, the victims would download a malware dropper file called “whatsapp.exe”.
Once executed, the executable would present a fake Adobe PDF Reader install screen, and if the victim chose the “Install” option, they triggered the download of a .cab file carrying two executables: md0.exe and md1.exe.
Before the malicious extension is installed, the md0 executable tries to disable Windows Firewall, kill all Google Chrome processes, and disable several security features that could prevent the malicious extension from working as intended (such as disabling improved SafeBrowsing download protection).
Once all this is achieved, it extracts the Catch-All extension and changes Google Chrome launcher (“.lnk”) files to load it on the next execution.
Finally, the extension springs into action: it captures data posted by the victim on websites, and sends it to a C&C server using jQuery ajax connections:
“Catch-All” goes after every piece of data the victim posts on any website, including login credentials for all kinds of online services.
As Marinho pointed out, this allows crooks to capture highly sensitive data with minimal effort.
“It wasn’t necessary for the attacker to attract the victim to a fake website with doubtful SSL certificates or deploying local proxies to intercept web connections. Quite the opposite, the user is accessing original and legitimate websites and all the interactions are working properly while data is captured and leaked. In other words, this method may subvert many security layers the victim may have in place,” he noted.