A newly discovered malicious Google Chrome extension has the potential to be very harmful, a researcher said.
SANS ISC incident handler Renato Marinho found the extension, called “Catch-All,” being pushed to potential victims via a phishing email containing links to photos supposedly sent through WhatsApp. Instead of photos, the links delivered a malware dropper named “whatsapp.exe”.
Once executed, the dropper displayed a fake Adobe PDF Reader installation screen; if the victim chose “Install,” it downloaded a .cab file carrying two executables, md0.exe and md1.exe.
Before the malicious extension is installed, md0.exe attempts to disable the Windows Firewall, kill all running Google Chrome processes, and turn off several browser security features that could otherwise prevent the extension from working.
Once that is done, it extracts the Catch-All extension and modifies the Google Chrome shortcut (“.lnk”) files so that the browser loads the extension on its next launch.
From then on, the extension captures data the victim posts to websites and sends it to a command-and-control (C&C) server.
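The persistence step above, rewriting Chrome’s shortcuts so the browser starts with attacker-chosen command-line arguments, leaves a simple artifact to hunt for. The following PowerShell script is an added example, not code from the SANS ISC diary or the malware: it resolves every .lnk file in the usual shortcut locations, keeps those pointing at chrome.exe, and flags any whose argument string side-loads an extension or weakens extension checks. The article does not name the exact switches used, so the `$SuspiciousSwitches` list is an assumption built from documented Chrome command-line switches, and the search paths are the common defaults rather than anything taken from the case.

```powershell
# Added example (not from the SANS ISC diary). Scans Chrome .lnk shortcuts for
# command-line switches that side-load an extension or disable protections.
# The switch list is an assumption based on documented Chrome switches; the
# article does not state which ones this dropper actually used.

$SuspiciousSwitches = @(
    '--load-extension',                        # side-loads an unpacked extension
    '--disable-extensions-file-access-check',  # relaxes extension file checks
    '--disable-web-security',
    '--ignore-certificate-errors',
    '--allow-running-insecure-content'
)

function Test-SuspiciousChromeArguments {
    # Returns the suspicious switches present in a shortcut's argument string.
    param([string]$Arguments)
    $hits = @()
    foreach ($sw in $SuspiciousSwitches) {
        if ($Arguments -match [regex]::Escape($sw)) { $hits += $sw }
    }
    return $hits
}

function Get-ChromeShortcutFindings {
    # Walks common shortcut locations (assumed defaults) and reports Chrome
    # shortcuts whose arguments contain any of the suspicious switches.
    param(
        [string[]]$SearchPaths = @(
            [Environment]::GetFolderPath('Desktop'),
            [Environment]::GetFolderPath('CommonDesktopDirectory'),
            "$env:APPDATA\Microsoft\Windows\Start Menu",
            "$env:ProgramData\Microsoft\Windows\Start Menu",
            "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
        )
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $SearchPaths) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            # Only Chrome shortcuts are of interest here.
            if ($lnk.TargetPath -notmatch 'chrome\.exe$') { return }
            $hits = @(Test-SuspiciousChromeArguments -Arguments $lnk.Arguments)
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                    Switches  = ($hits -join ', ')
                }
            }
        }
    }
}

Get-ChromeShortcutFindings | Format-List
```

A stock Chrome shortcut normally carries an empty Arguments string, so any hit deserves a look; when `--load-extension` appears, the directory it points at is the extension to pull for analysis. The scan only covers shortcuts, so pair it with a check of running chrome.exe command lines (for example via `Get-CimInstance Win32_Process`) to catch a browser that was already launched with the modified shortcut.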
“Catch-All” attempts to retrieve every piece of data the victim posts on any website, including login credentials for all kinds of online services, the researcher said.
This approach lets the attackers harvest sensitive data with minimal effort, Marinho said.
“It wasn’t necessary for the attacker to attract the victim to a fake website with doubtful SSL certificates or deploying local proxies to intercept web connections. Quite the opposite, the user is accessing original and legitimate websites and all the interactions are working properly while data is captured and leaked. In other words, this method may subvert many security layers the victim may have in place,” Marinho said in a post.
“It sounds strange to me Google Chrome (would allow) extensions access (to) sensitive form fields, like passwords, without asking for an additional user’s approval, as well as allowing an extension to silently and autonomously establish a connection to an external entity,” he said. “Additionally, browser security features that could protect users from harmful extensions can be disabled through command line arguments as in this case.”