Google Chrome Extension Malware: cryptocurrency miner

Article appeared in The Register and Wired.

In this article I would like to share a real experience of discovering malware that mines cryptocurrency through an extension of the most widely used browser in the world: Google Chrome.


It was Thursday, 21 September 2017, an ordinary working day, when the company IDS (Intrusion Detection System) running on NethServer warned me, through the events web interface, of suspicious traffic originating from my PC:

NethServer EveBox: display of Suricata alerts

The alert concerns cryptocurrency mining activity. The only useful datum is the source IP address 136.243.89.87, since the destination is the corporate one. Analysing the Squid log, I found that my machine, 192.168.5.60, connected to that address thousands of times:

# grep 136.243.89.87 /var/log/squid/access.log
1506000797.202 30000 192.168.5.60 TAG_NONE/200 0 CONNECT 136.243.89.87:443 - HIER_NONE/- -
1506000797.202 30000 192.168.5.60 TCP_TUNNEL/200 0 CONNECT ws006.coin-hive.com:443 - ORIGINAL_DST/136.243.89.87 -
# grep 136.243.89.87 /var/log/squid/access.log | wc -l
2569
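As an added example (not part of the original article), the following Python script applies the same triage to Squid's native access.log format over a handful of constructed log lines modelled on the ones above. It flags two things: any client whose CONNECT target (hostname or resolved ORIGINAL_DST address) is on a small watchlist of mining-pool domains, and, for hosts that are not on the watchlist, clients that reconnect to the same host at a near-constant interval, the ten-second cadence the article observes later. The watchlist holds only the names and address that appear on this page; ws.pool.example.org and the other two clients are invented for the sample.

```python
"""Flag mining-pool traffic in Squid native access.log lines (added example)."""
import re
import statistics
from collections import defaultdict
from urllib.parse import urlparse

# Watchlist: only the pool domains and address that appear in this article.
MINING_DOMAINS = ("coin-hive.com", "coinhive.com")
MINING_IPS = {"136.243.89.87"}

# Squid native format: ts elapsed client action/code bytes method url ident hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>\S+?)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+?)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Parse one access.log line into a dict (None if it does not match)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    if rec["method"] == "CONNECT":
        host = rec["url"].rsplit(":", 1)[0]          # CONNECT host:port
    else:
        host = urlparse(rec["url"]).hostname or ""
    rec["host"] = host.lower()
    return rec


def is_mining(rec):
    """True if the destination name or the resolved address is on the watchlist."""
    host, peer = rec["host"], rec["peer"]
    on_list = any(host == d or host.endswith("." + d) for d in MINING_DOMAINS)
    return on_list or host in MINING_IPS or peer in MINING_IPS


def analyze(lines, min_hits=3, max_jitter=2.0):
    """Return findings as (reason, client, host, hits, mean_gap_seconds)."""
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_pair[(rec["client"], rec["host"])].append(rec)

    findings = []
    for (client, host), recs in sorted(by_pair.items()):
        stamps = sorted(r["ts"] for r in recs)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps) if gaps else 0.0
        if any(is_mining(r) for r in recs):
            findings.append(("watchlist", client, host, len(recs), mean_gap))
        elif len(recs) >= min_hits and len(gaps) >= 2 and max(gaps) - min(gaps) <= max_jitter:
            # Not on the watchlist, but the same client hits the same host on a
            # fixed cadence: the beaconing pattern of a miner's pool connection.
            findings.append(("beacon", client, host, len(recs), mean_gap))
    return findings


# Constructed sample: the 192.168.5.60 lines mirror the article's log, the rest are invented.
SAMPLE_LOG = """\
1506000787.200 30000 192.168.5.60 TCP_TUNNEL/200 0 CONNECT ws006.coin-hive.com:443 - ORIGINAL_DST/136.243.89.87 -
1506000797.202 30000 192.168.5.60 TAG_NONE/200 0 CONNECT 136.243.89.87:443 - HIER_NONE/- -
1506000797.202 30000 192.168.5.60 TCP_TUNNEL/200 0 CONNECT ws006.coin-hive.com:443 - ORIGINAL_DST/136.243.89.87 -
1506000807.205 30000 192.168.5.60 TCP_TUNNEL/200 0 CONNECT ws006.coin-hive.com:443 - ORIGINAL_DST/136.243.89.87 -
1506000800.000 30000 192.168.5.61 TCP_TUNNEL/200 0 CONNECT ws.pool.example.org:443 - ORIGINAL_DST/203.0.113.9 -
1506000810.000 30000 192.168.5.61 TCP_TUNNEL/200 0 CONNECT ws.pool.example.org:443 - ORIGINAL_DST/203.0.113.9 -
1506000820.000 30000 192.168.5.61 TCP_TUNNEL/200 0 CONNECT ws.pool.example.org:443 - ORIGINAL_DST/203.0.113.9 -
1506000830.000 30000 192.168.5.61 TCP_TUNNEL/200 0 CONNECT ws.pool.example.org:443 - ORIGINAL_DST/203.0.113.9 -
1506000815.000 120 192.168.5.62 TCP_MISS/200 5123 GET http://www.example.net/ - HIER_DIRECT/203.0.113.7 text/html
1506000845.000 90 192.168.5.62 TCP_MISS/200 812 GET http://www.example.net/news - HIER_DIRECT/203.0.113.7 text/html
"""

if __name__ == "__main__":
    for reason, client, host, hits, gap in analyze(SAMPLE_LOG.splitlines()):
        print(f"{reason:9} {client:14} {host:24} hits={hits} mean_gap={gap:.1f}s")
```

Run against a real log with analyze(open("/var/log/squid/access.log")). The watchlist check is high confidence; the beacon check is a lead for triage, since any regular polling (update checks, chat clients) will also match, and the jitter threshold should be tuned to the proxy's timing.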

Analysing my machine, I found that the process behind the suspicious connections is Google Chrome:

$ netstat -lanp | grep "136.243.89.87"
tcp 0 0 192.168.5.60:55200 136.243.89.87:443 ESTABLISHED 8423/chrome
$ ps aux | grep 8423
alessan+ 8423 8.6 4.1 2995884 326016 ? SLl 09:15 15:40 /opt/google/chrome/chrome

and, more specifically, the “Short URL (goo.gl)” extension, whose name is self-explanatory.

Chrome Web Store extension’s home page

The extension's Chrome Web Store page reports 14,390 installations, which means that many machines available for mining.

Using Chrome Developer Tools, you can see that every ten seconds the extension downloads a file called cryptonight.wasm:

Network activity by Google Chrome developer tools

and when the download occurs the CPU usage rises to 95%.

The percentage of CPU used during cryptocurrency mining

The file type is WebAssembly, a binary format that the browser executes at near-native speed, which makes the hashing loop far more efficient than it would be in JavaScript.
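As an added example (not the author's code), the following Python parser performs the first check one would make on such a file during triage: confirm the "\0asm" magic and version, walk the section table, and list the exported functions, which is usually enough to tell whether an unknown .wasm module pulled from an extension is a hashing routine before running anything. The embedded module is a constructed minimal one whose single export is named hash; it is not the real cryptonight.wasm.

```python
"""Identify a WebAssembly binary and list its sections and exports (added example)."""
import struct

WASM_MAGIC = b"\x00asm"
SECTION_NAMES = {0: "custom", 1: "type", 2: "import", 3: "function", 4: "table",
                 5: "memory", 6: "global", 7: "export", 8: "start", 9: "element",
                 10: "code", 11: "data"}
EXPORT_KINDS = {0: "func", 1: "table", 2: "memory", 3: "global"}


def is_wasm(buf):
    """Same test the `file` utility applies: the four magic bytes."""
    return buf[:4] == WASM_MAGIC


def _read_leb_u32(buf, pos):
    """Decode an unsigned LEB128 integer at buf[pos]; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def _parse_exports(payload):
    """Export section: vec of (name, kind byte, index)."""
    count, p = _read_leb_u32(payload, 0)
    exports = []
    for _ in range(count):
        name_len, p = _read_leb_u32(payload, p)
        name = payload[p:p + name_len].decode("utf-8")
        p += name_len
        kind = payload[p]
        p += 1
        idx, p = _read_leb_u32(payload, p)
        exports.append((name, EXPORT_KINDS.get(kind, str(kind)), idx))
    return exports


def parse_wasm(buf):
    """Return {'version', 'sections', 'exports'}; raise ValueError if not a module."""
    if not is_wasm(buf):
        raise ValueError("not a WebAssembly module (bad magic)")
    version = struct.unpack_from("<I", buf, 4)[0]
    pos, sections, exports = 8, [], []
    while pos < len(buf):
        sec_id = buf[pos]
        size, pos = _read_leb_u32(buf, pos + 1)   # each section: id, LEB128 size, payload
        payload = buf[pos:pos + size]
        if len(payload) != size:
            raise ValueError("truncated section")
        sections.append(SECTION_NAMES.get(sec_id, f"unknown({sec_id})"))
        if sec_id == 7:
            exports = _parse_exports(payload)
        pos += size
    return {"version": version, "sections": sections, "exports": exports}


# Constructed minimal module: one function () -> () with an empty body, exported as "hash".
SAMPLE_MODULE = bytes.fromhex(
    "0061736d01000000"          # magic "\0asm" + version 1
    "0104" "01600000"           # type section: one func type () -> ()
    "0302" "0100"               # function section: one function of type 0
    "0708" "0104686173680000"   # export section: "hash" -> func 0
    "0a04" "0102000b"           # code section: one body, no locals, end
)

if __name__ == "__main__":
    info = parse_wasm(SAMPLE_MODULE)
    print("version", info["version"], "sections", info["sections"])
    for name, kind, idx in info["exports"]:
        print(f"export {name} ({kind} #{idx})")
```

For a file captured from the Network tab, parse_wasm(open("cryptonight.wasm", "rb").read()) lists the exports without executing the module; the names are typically all that is needed to recognise a miner.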

CryptoNight is a proof-of-work algorithm designed for mining cryptocurrency on the CPU, so the IDS alert is correct. Moreover, the cryptocurrency involved is Monero, because the file is downloaded from the coinhive.com domain, an online platform for mining that currency.

The platform makes all the tools needed for this available to any registered user.

To rule out the possibility that my own installation had been tampered with, I installed the extension in a fresh Chrome instance. The behaviour was identical, so we can conclude that the mining was intentionally built in.

The extension's page in the Chrome Web Store gives no indication of the author, only the generic label “offered by ChromeApps”.

Extension details: generic author / 14,389 installations

At this point I decided to analyse the extension's files in order to understand its behaviour and try to learn something more about its origins.

Extension analysis

Each extension has a file named manifest.json which declares, among other things, its background page and the permissions it requests:

{
  "background": { "page": "background.html" },
  "permissions": [
    "tabs",
    "webRequest",
    "webRequestBlocking",
    "http://*/",
    "https://*/",
    "clipboardWrite",
    "storage"
  ],
  ...
}

Unfortunately there is no author information here either, while the requested permissions produce the following dialog when the extension is installed in Chrome:

Authorization dialog appears during extension installation

The prompt does not raise particular concerns, because a URL shortener must be able to read the URL of the page being visited to generate the shortened address and copy it to the clipboard. Note, however, that the host permissions http://*/ and https://*/ grant much more than that: they let the background page make requests to any origin, not just to the shortening service, and webRequest together with webRequestBlocking lets it observe and alter every request the browser makes.
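As an added example (not part of the original article), the following Python script audits a manifest.json of this kind against what its declared purpose plausibly needs. It separates API permissions from host match patterns, flags host patterns whose host part is a bare wildcard (Chrome ignores the path in host permissions, so http://*/ covers every http origin), flags the webRequest + webRequestBlocking pair, notes a persistent background page, and lists the API permissions that go beyond a URL shortener's needs. The manifest is a constructed copy of the fields shown above with the elided part omitted; the set of "expected" permissions for a URL shortener is this example's own assumption, and the behaviour described is that of the manifest v2 format the extension uses.

```python
"""Audit a Chrome (manifest v2) extension manifest for risky permissions (added example)."""
import json

# Constructed copy of the manifest fields shown above; the original's "..." is omitted.
MANIFEST_JSON = """{
  "background": { "page": "background.html" },
  "permissions": [
    "tabs", "webRequest", "webRequestBlocking",
    "http://*/", "https://*/", "clipboardWrite", "storage"
  ]
}"""

# Assumption for this example: the API permissions a URL shortener plausibly needs.
EXPECTED_FOR_URL_SHORTENER = {"tabs", "clipboardWrite", "storage"}


def is_host_permission(perm):
    """Match patterns (scheme://host/path or <all_urls>) are host permissions; the rest are API names."""
    return perm == "<all_urls>" or "://" in perm


def host_of(pattern):
    """Host part of a match pattern; Chrome ignores the path in host permissions."""
    if pattern == "<all_urls>":
        return "*"
    return pattern.split("://", 1)[1].split("/", 1)[0]


def is_broad_host(pattern):
    """True when the pattern grants access to every origin of its scheme(s)."""
    return host_of(pattern) == "*"


def audit(manifest_text, expected=EXPECTED_FOR_URL_SHORTENER):
    """Return the permission breakdown and a list of human-readable findings."""
    manifest = json.loads(manifest_text)
    perms = manifest.get("permissions", [])
    api = {p for p in perms if not is_host_permission(p)}
    hosts = [p for p in perms if is_host_permission(p)]
    broad = [h for h in hosts if is_broad_host(h)]
    excess = sorted(api - expected)
    findings = []
    if broad:
        findings.append(f"broad host access {broad}: the background page may fetch "
                        f"scripts or .wasm modules from any origin")
    if {"webRequest", "webRequestBlocking"} <= api:
        findings.append("webRequest + webRequestBlocking: every request can be "
                        "observed, redirected or cancelled")
    background = manifest.get("background") or {}
    if background and background.get("persistent", True):
        findings.append(f"persistent background page {background}: code runs for "
                        f"as long as the browser is open, not only when the user acts")
    if excess:
        findings.append(f"API permissions beyond the stated function: {excess}")
    return {"api": sorted(api), "hosts": hosts, "broad_hosts": broad,
            "excess": excess, "findings": findings}


if __name__ == "__main__":
    report = audit(MANIFEST_JSON)
    print("hosts:", report["hosts"], "excess:", report["excess"])
    for finding in report["findings"]:
        print(" -", finding)
```

Point it at an unpacked extension with audit(open("manifest.json").read()). A shortener that only needs the current tab's URL and the clipboard would show an empty findings list; the four findings here are the gap between what the install prompt suggests and what the code can actually do.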

By inspecting the background page (background.html), which is executed at startup, we can see that it loads the bit.js file:

<!doctype html>
<html>
<head>
...
<script type="text/javascript" src="bit.js"></script>
...

and it is this file that contains both the malware logic and the mining library offered by the platform.

Conclusions

The spread of malware through Chrome extensions seems to be an increasingly widespread problem, as does cryptocurrency mining through ordinary web pages. Recent articles report similar cases, for example wired.it (10 October 2017) and Maxime Kjaer (18 July 2016).

The creators' goal was to offer a simple service for shortening URLs while, underneath, earning Monero with the users' CPUs.

Two weeks after my report the extension was removed from the Chrome Web Store, and we can only imagine how much money its creators earned.
