Google Chrome Extension Malware: cryptocurrency miner

Alessandro Polidori
4 min read · Oct 14, 2017


Article appeared in The Register and Wired.

In this article I would like to share a real experience of discovering malware that mines cryptocurrency through an extension of the most widely used browser in the world: Google Chrome.

It was Thursday 21st September 2017, an ordinary working day, when the company IDS (Intrusion Detection System) of NethServer warned me, through its events web interface, of suspicious traffic originating from my PC:

NethServer EveBox: display of Suricata alerts

The alarm concerns cryptocurrency mining activity. The only useful datum is the source IP address 136.243.89.87, because the destination is the corporate one. By analysing the Squid logs I found that my machine, with IP address 192.168.5.60, was involved thousands of times:

# grep 136.243.89.87 /var/log/squid/access.log
1506000797.202 30000 192.168.5.60 TAG_NONE/200 0 CONNECT 136.243.89.87:443 - HIER_NONE/- -
1506000797.202 30000 192.168.5.60 TCP_TUNNEL/200 0 CONNECT ws006.coin-hive.com:443 - ORIGINAL_DST/136.243.89.87 -
# grep 136.243.89.87 /var/log/squid/access.log | wc -l
2569
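The grep above can be generalised into a small detection over Squid access.log lines. The following Python is an added example, not code from the original article: it parses the native Squid log format quoted above, flags CONNECT tunnels to a watch-list of mining-pool hosts, and counts them per client. The watch-list and all sample lines beyond the two quoted are constructed here.

```python
import re
from collections import Counter

# Squid native access.log format, as in the quoted lines:
# <epoch.ms> <elapsed> <client> <result/status> <bytes> <method> <url> <user> <hierarchy/peer> <type>
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed watch-list: the pool domain and IP that appear in the article's alert.
WATCH_HOSTS = {"coin-hive.com", "coinhive.com"}
WATCH_IPS = {"136.243.89.87"}

# Constructed sample log: the two quoted lines repeated, plus benign traffic
# and a single hit from a second client that stays under the threshold.
POOL_IP = "1506000797.202 30000 192.168.5.60 TAG_NONE/200 0 CONNECT 136.243.89.87:443 - HIER_NONE/- -"
POOL_WS = "1506000797.202 30000 192.168.5.60 TCP_TUNNEL/200 0 CONNECT ws006.coin-hive.com:443 - ORIGINAL_DST/136.243.89.87 -"
BENIGN = "1506000801.110 120 192.168.5.61 TCP_TUNNEL/200 0 CONNECT www.example.com:443 - ORIGINAL_DST/93.184.216.34 -"
ONE_HIT = "1506000802.500 80 192.168.5.61 TCP_TUNNEL/200 0 CONNECT ws001.coin-hive.com:443 - ORIGINAL_DST/136.243.89.87 -"
SAMPLE_LOG = [POOL_IP] * 6 + [POOL_WS] * 6 + [BENIGN] * 3 + [ONE_HIT]

def parse_line(line):
    """Parse one Squid line into a dict, adding 'host' (url without the :port)."""
    m = SQUID_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = rec["url"].rsplit(":", 1)[0]  # CONNECT url is host:port
    return rec

def is_suspect(rec):
    """True if the tunnel target or the resolved peer is on the watch-list."""
    host = rec["host"]
    if host in WATCH_IPS or rec["peer"] in WATCH_IPS:
        return True
    return any(host == d or host.endswith("." + d) for d in WATCH_HOSTS)

def mining_clients(lines, threshold=10):
    """Return {client_ip: count} for clients with >= threshold suspect CONNECTs."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "CONNECT" and is_suspect(rec):
            counts[rec["client"]] += 1
    return {c: n for c, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(mining_clients(SAMPLE_LOG))  # {'192.168.5.60': 12}
```

The threshold keeps a single stray lookup from paging anyone; a repeated CONNECT every ten seconds, as the extension produces, crosses it within minutes.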

Analysing my machine, I found that the process behind the suspicious connections is Google Chrome:

$ netstat -lanp | grep "136.243.89.87"
tcp 0 0 192.168.5.60:55200 136.243.89.87:443 ESTABLISHED 8423/chrome
$ ps aux | grep 8423
alessan+ 8423 8.6 4.1 2995884 326016 ? SLl 09:15 15:40 /opt/google/chrome/chrome

and, more specifically, the “Short URL (goo.gl)” extension, whose name is self-explanatory.

Chrome Web Store extension’s home page

The extension’s homepage on the Chrome Web Store reports 14,390 installations, that is, as many machines available to do the mining.

Using the Chrome developer tools, you can see that every ten seconds the extension downloads a file called cryptonight.wasm:

Network activity by Google Chrome developer tools

and on each download the CPU usage rises to 95%.

The percentage of CPU used during cryptocurrency mining

The file is WebAssembly, so the miner runs extremely efficiently.

Cryptonight is a proof-of-work algorithm for mining cryptocurrency using the CPU, so the IDS alert was correct. Moreover, the cryptocurrency involved is Monero, because the file is downloaded from the coinhive.com domain, an online platform for mining that cryptocurrency.

The online platform offers all the needed tools to any registered user.

To rule out that my own installation had been tampered with, I installed the extension in a fresh Chrome instance. Unfortunately I got the same result, so we can conclude that the behaviour was intentionally designed in.

The extension’s page in the Chrome Web Store gives no indication of the author, only the wording “offered by ChromeApps”.

Extension details: generic author / 14.389 installations

At this point I decided to analyse the extension’s contents to understand its behaviour and try to learn more about its origins.

Extension analysis

Each extension has a file named manifest.json which contains some information:

{
  "background": { "page": "background.html" },
  "permissions": [
    "tabs",
    "webRequest",
    "webRequestBlocking",
    "http://*/",
    "https://*/",
    "clipboardWrite",
    "storage"
  ],
  ...
}

Unfortunately, information about the author is missing, while the requested permissions produce the following dialog during installation in Chrome:

Authorization dialog appears during extension installation

The notice does not raise any particular concern, because the extension must be able to read the visited URL in order to generate the corresponding shortened address and then copy it directly to the clipboard.

By inspecting the background page (background.html), which is executed at startup, we can see that it loads the bit.js file:

<!doctype html>
<html>
<head>
...
<script type="text/javascript" src="bit.js"></script>
...

and it is this file that contains both the malware logic and the mining library offered by the platform.

Conclusions

The spread of malware through Chrome extensions seems to be an increasingly widespread problem, as does cryptocurrency mining through any web page. Recent articles report similar issues, such as wired.it (on October 10th 2017) and Maxime Kjaer (on July 18th 2016).

The goal of the creators was to offer a simple service for shortened URLs while, underneath, earning Monero for themselves.

Two weeks after my report, the extension was removed from the Chrome Web Store, and we can only imagine how much money its creators earned.


Alessandro Polidori

Software Engineer. Node.js - Javascript - WebRTC - Linux - Conference Speaker. Travel and sport enthusiast!