Google Chrome Extension Malware: cryptocurrency miner

NethServer EveBox: display of Suricata alerts
# grep 136.243.89.87 /var/log/squid/access.log
1506000797.202 30000 192.168.5.60 TAG_NONE/200 0 CONNECT 136.243.89.87:443 - HIER_NONE/- -
1506000797.202 30000 192.168.5.60 TCP_TUNNEL/200 0 CONNECT ws006.coin-hive.com:443 - ORIGINAL_DST/136.243.89.87 -
# grep 136.243.89.87 /var/log/squid/access.log | wc -l
2569
$ netstat -lanp | grep "136.243.89.87"
tcp 0 0 192.168.5.60:55200 136.243.89.87:443 ESTABLISHED 8423/chrome
$ ps aux | grep 8423
alessan+ 8423 8.6 4.1 2995884 326016 ? SLl 09:15 15:40 /opt/google/chrome/chrome
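The chase above (proxy log, then socket, then process) can be automated on the proxy side so the next infected client is caught before anyone notices the fans. The following is an added example, not code from the post or from NethServer: it parses Squid native access.log lines and reports every client that tunnelled to the miner's pool. The watchlist of domains and IPs is an assumption seeded with the one domain and address the post shows; the sample log is the two lines from the post plus constructed ones. The detection also learns the IP-to-hostname pairing from the TCP_TUNNEL/ORIGINAL_DST line, so an IP-only CONNECT line is attributed to coin-hive even when no SNI line accompanies it.

```python
"""Flag Squid-proxied CONNECT tunnels to known browser-miner infrastructure.
Added example, not code from the post or from NethServer.  The watchlist is an
assumption seeded with the one domain and IP the post shows; extend it from
your own threat intel."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native access.log: time elapsed client code/status bytes method URL user hier/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

WATCH_DOMAINS = {"coin-hive.com"}   # assumption: miner pool / WebSocket domains
WATCH_IPS = {"136.243.89.87"}       # assumption: IP the post traced the tunnel to

# Constructed sample: the two lines the post shows, plus a benign GET and a second
# client that only ever appears with the bare IP (no SNI line of its own).
SAMPLE_LOG = """\
1506000797.202  30000 192.168.5.60 TAG_NONE/200 0 CONNECT 136.243.89.87:443 - HIER_NONE/- -
1506000797.202  30000 192.168.5.60 TCP_TUNNEL/200 0 CONNECT ws006.coin-hive.com:443 - ORIGINAL_DST/136.243.89.87 -
1506000801.010    120 192.168.5.61 TCP_MISS/200 5120 GET http://example.org/index.html - HIER_DIRECT/93.184.216.34 text/html
1506000830.500  29000 192.168.5.61 TAG_NONE/200 0 CONNECT 136.243.89.87:443 - HIER_NONE/- -
"""


def dest_host(method, url):
    """CONNECT lines log 'host:port'; other methods log a full URL."""
    if method == "CONNECT":
        return url.rpartition(":")[0]
    return urlsplit(url).hostname or ""


def is_watched(host):
    """Exact or subdomain match against the domain watchlist, or an IP hit."""
    if IP_RE.match(host):
        return host in WATCH_IPS
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in WATCH_DOMAINS)


def scan(lines):
    """Return {client_ip: {hits, hosts, first, last}} for clients that reached a watched host.

    An intercepting Squid logs the CONNECT for the bare IP first (TAG_NONE,
    HIER_NONE) and then the tunnel with the SNI hostname and ORIGINAL_DST/<ip>,
    exactly the pair the post shows.  The second line teaches us ip -> hostname,
    so IP-only lines (even from other clients) are attributed to the same service.
    """
    parsed, ip_to_names = [], defaultdict(set)
    for line in lines:
        m = SQUID_RE.match(line.strip())
        if not m:
            continue  # truncated or foreign format: skip, do not crash the scan
        d = m.groupdict()
        d["host"] = dest_host(d["method"], d["url"])
        parsed.append(d)
        if d["hier"] == "ORIGINAL_DST" and IP_RE.match(d["peer"]) and not IP_RE.match(d["host"]):
            ip_to_names[d["peer"]].add(d["host"].lower())

    report = {}
    for d in parsed:
        candidates = {d["host"].lower()} | ip_to_names.get(d["host"], set())
        hits = [h for h in candidates if is_watched(h)]
        if not hits:
            continue
        ts = float(d["ts"])
        r = report.setdefault(d["client"], {"hits": 0, "hosts": set(), "first": ts, "last": ts})
        r["hits"] += 1
        r["hosts"].update(hits)
        r["first"], r["last"] = min(r["first"], ts), max(r["last"], ts)
    return report


if __name__ == "__main__":
    for client, r in sorted(scan(SAMPLE_LOG.splitlines()).items()):
        print(f"{client}: {r['hits']} tunnel(s) to {sorted(r['hosts'])} "
              f"between {r['first']:.0f} and {r['last']:.0f}")
```

Run it against the real file with `scan(open("/var/log/squid/access.log"))`; the `first`/`last` timestamps tell you how long the miner has been running on each client, which the single `wc -l` count in the post does not.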
Chrome Web Store extension’s home page
Network activity as shown in Google Chrome developer tools
The percentage of CPU used during cryptocurrency mining
Extension details: generic author / 14,389 installations
{
  "background": { "page": "background.html" },
  "permissions": [
    "tabs",
    "webRequest",
    "webRequestBlocking",
    "http://*/",
    "https://*/",
    "clipboardWrite",
    "storage"
  ],
  ...
}
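The permission list above is the part of an unpacked extension worth reading first. The following is an added example, not code from the post: it parses Chrome match patterns to separate host permissions from API permissions and flags the combinations that matter here (every origin plus webRequestBlocking, plus a persistent background page). The sample manifest is constructed from the excerpt above with the elided tail dropped, and the risk notes are this example's own reading of the extension APIs, not anything the post states.

```python
"""Triage the permissions of an unpacked Chrome extension's manifest.json.
Added example, not code from the post; the risk notes it emits are this example's
own reading of what the Chrome extension APIs allow, not anything the post states."""
import json
import re

# Chrome match pattern: <scheme>://<host><path>; host is '*', '*.domain' or a hostname,
# and the path (at least '/') is mandatory.
MATCH_PATTERN = re.compile(r"^(\*|https?|file|ftp)://(\*|\*\.[^/*]+|[^/*]+)(/.*)$")

# Constructed from the manifest excerpt in the post, with the elided tail dropped.
SAMPLE_MANIFEST = """{
  "background": { "page": "background.html" },
  "permissions": ["tabs", "webRequest", "webRequestBlocking",
                  "http://*/", "https://*/", "clipboardWrite", "storage"]
}"""


def host_scope(pattern):
    """Classify a host permission by breadth; None if it is not a match pattern."""
    if pattern == "<all_urls>":
        return "all-hosts"
    m = MATCH_PATTERN.match(pattern)
    if not m:
        return None
    _scheme, host, _path = m.groups()
    if host == "*":
        return "all-hosts"
    if host.startswith("*."):
        return "domain:" + host[2:]
    return "host:" + host


def audit(manifest):
    """Split permissions into API names and host scopes, then flag risky combinations."""
    # Manifest V3 moves host patterns to host_permissions; accept both layouts.
    perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    api, hosts = set(), []
    for p in perms:
        scope = host_scope(p)
        if scope:
            hosts.append(scope)
        else:
            api.add(p)

    findings = []
    all_hosts = "all-hosts" in hosts
    if all_hosts:
        findings.append("host access to every origin (host '*' or <all_urls>)")
    if all_hosts and {"webRequest", "webRequestBlocking"} <= api:
        findings.append("can observe and synchronously block/rewrite every request "
                        "(webRequest + webRequestBlocking on all hosts)")
    if "tabs" in api:
        findings.append("can read the URL and title of every open tab (tabs)")
    bg = manifest.get("background", {})
    # Manifest V2: a background page/scripts entry is persistent unless "persistent": false.
    if (bg.get("page") or bg.get("scripts")) and bg.get("persistent", True):
        findings.append("persistent background page: its scripts run for as long as the "
                        "browser is open, with no tab or visible UI to tie them to")
    return {"api": sorted(api), "hosts": hosts, "findings": findings}


if __name__ == "__main__":
    for f in audit(json.loads(SAMPLE_MANIFEST))["findings"]:
        print("-", f)
```

Point it at `~/.config/google-chrome/Default/Extensions/<id>/<version>/manifest.json` on a suspect machine; the persistent background page finding is the one that explains why the miner survives closing every tab.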
Authorization dialog shown during extension installation
<!doctype html>
<html>
  <head>
    ...
    <script type="text/javascript" src="bit.js"></script>
    ...