Cybercriminals have been using a novel approach to exfiltrate data that involves directly injecting malicious Google Chrome extensions onto victims’ Windows machines via the abuse of Google’s cloud synching function.
The goal of the recently-identified campaign is to manipulate data in internal web applications that the victims have access to, according to an analysis.
According to Bojan Zdrnja, writing for the SANS Institute, attackers are directly planting malicious extensions on the targets’ computers, rather than uploading them to the Chrome Web Store and waiting for victims to download them.
The malicious add-on is disguised as a “Forcepoint Endpoint Chrome Extension for Windows,” with the attackers using the security company’s logo to enhance an air of legitimacy.
The threat actors “dropped the extension locally in a folder and loaded it directly from Chrome on a compromised workstation,” explained Zdrnja, in an analysis late last week. “This is actually a legitimate function in Chrome – you can access it by going to More Tools -> Extensions and enabling Developer mode, after which you can load any extensions locally, directly from a folder by clicking on ‘Load unpacked.'”
The analysis doesn’t detail how the initial compromise was carried out. However, when it comes to the attack goal, “they actually limited activities on this workstation to those related to web applications, which explains why they dropped only the malicious Chrome extension, and not any other binaries,” the researcher explained. “That being said, it also makes sense – almost everything is managed through a web application today, be it your internal CRM, document management system, access rights management system or something else.”
How to Create a Malicious Google Chrome Extension
For all Chrome extensions, configuration parameters are stored in a file named manifest.json. In the case of the faux Forcepoint extension, three specific malicious functions stood out to Zdrnja.
“can be used by an attacker to add arbitrary code to target web pages (think about changing content and stealing data),” the researcher noted.
Next, a permissions parameter specified that the extension can use the storage API.
“This is where the attacker had their exfiltration and command-and-control features embedded,” he added. “Background files are extremely powerful and allow a script to receive a message (and send it) in background (as the name says).”
‘Chats’ with Legit Extensions to Steal Data
The authors of the malicious Forcepoint add-on were able to steal information from users’ internal extensions thanks to setting up a behind-the-scenes “chat” between the malicious extension and other web apps.
A function called “chrome.runtime.onConnectExternal.addListener,” is provided by the Chrome browser to extensions. As its name suggests, it listens for when a connection to the browser is made from another extension. Meanwhile, a port object called “port.onMessage.addListener,” is employed, which allows for two-way communication between the extensions.
The extension then steals credentials – mail and oAuth tokens – from the victim’s machine.
“There is a switch that checks the value of parameter type in the received message,” according to the analysis. “Now an interesting thing happens: if the value of the type parameter is ‘check_oauth_token_status,’ the extension will verify if there is a key called ‘oauth_token’ in Chrome’s storage. If it is there, it will send back (to the other extension) a message containing the value of the token with the status set to true, after which it will be deleted from Chrome’s storage.”
If the value of the type parameter is “save_mailhighlight_token,” the malicious extension will create a new key in Chrome’s storage called email, which will be saved in Chrome’s storage.
The extension also uses the “chrome.storage.sync.get” and “chrome.storage.sync.save” methods, so that all these values will be automatically synced to Google’s cloud by Chrome, under the context of the user being logged in in Chrome. This provides an unusual exfiltration method.
“In order to set, read or delete these keys, all the attacker has to do is log in with the same account to Google, in another Chrome browser (and this can be a throwaway account), and they can communicate with the Chrome browser in the victim’s network by abusing Google’s infrastructure,” Zdrnja explained.
A Novel Type of Cyberattack
Attackers can use this approach for exfiltrating data as well as C2 communications.
“While there are some limitations on size of data and amount of requests, this is actually perfect for C2 commands (which are generally small), or for stealing small, but sensitive data – such as authentication tokens,” according to the researcher. “It will be slow because Chrome and Google throttle requests, allowing us to transfer 4 MB at a time.”
Overall, the attack is unusual and novel, he added: “there were also some things that I saw for the first time, which is why I think this particular exploitation is novel.”
To protect their environments, admins should make sure that Chrome extensions are controlled, according to Zdrnja.
“Google allows you to do that through group policies so you can define exactly which extensions are allowed/approved and block everything else,” he said.
Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!