Home

Published

- 2 min read

Let's Defend - Malicious Chrome Extension

DFIR writeup Digital Forensics Lets defend Logs Windows Disk Image
img of Let's Defend - Malicious Chrome Extension

Description

The victim found out their private info was out there for everyone to see, and things got worse – the bad guys got into their money stuff, social media, and personal emails. We got an image of his machine so you can tell us what happened.

Tools

Tools Required
1- FTKimger
2- Notepad++
3- DB Browser for SQLite

Writeup

From the challenge description, we can see that the victim’s PII was stolen. Going around, we can’t see anything except the Google Chrome artifacts path Users\Administrator\AppData\Local\Google\Chrome\User Data\Default , Checking the history file there, we can see that the victim was trying to download an extension for Netflix to watch with other people in the same time.

../../assets/images/DFIR/letsdefend/Malicious-Chrome-Extension/image9.png

From here, we can go see the extensions that are installed on the browser and see if any of them are malicious.

../../assets/images/DFIR/letsdefend/Malicious-Chrome-Extension/image1.png

We have multiple extensions, if you search Google with these IDs, one of them, ”mmnbenehknklpbendgmgngeaignppnbe” will pop up a lot of results about how malicious this extension is. Another way of finding the malicious extension is to go through everyone of those and try to see any indicators of malicious activity.

../../assets/images/DFIR/letsdefend/Malicious-Chrome-Extension/image10.png

For the name of the malicious extension, we can go to manifest.json

../../assets/images/DFIR/letsdefend/Malicious-Chrome-Extension/image8.png

The name supposed to be here, but the code just referencing it in another file with the field name “MSG_extName_” We can see where it reflects with this command

grep -r -i “extName” Find mmnbenehknklpbendgmgngeaignppnbe/

../../assets/images/DFIR/letsdefend/Malicious-Chrome-Extension/image4.png

We can see it reflected in messages. json, going there, we can see the full name of the extension

../../assets/images/DFIR/letsdefend/Malicious-Chrome-Extension/image6.png

How many people were affected by this extension?

For this question just a quick google search with the extension id

../../assets/images/DFIR/letsdefend/Malicious-Chrome-Extension/image11.png

First result shows that 800,000 downloaded that extension

../../assets/images/DFIR/letsdefend/Malicious-Chrome-Extension/image3.png

For the next three questions, we have to examine the malicious code itself, which is located in b0.js

The attacker’s domain name located in the event listener here, a1l4m.000webhostapp.com

../../assets/images/DFIR/letsdefend/Malicious-Chrome-Extension/image13.png

And The full URL used to exfiltrate the data exists here /chrome/TrackData/

../../assets/images/DFIR/letsdefend/Malicious-Chrome-Extension/image7.png

The function that gets the location of the victim, you can determine it when u see this website in the code which is just responsible for getting your IP, city and zip code

../../assets/images/DFIR/letsdefend/Malicious-Chrome-Extension/image2.png

What data does this extension steal exactly?

You can the see the public analysis of this extension on the blog we have seen earlier from the search, or you can just anaylze the code and understand the flow of how the attacker exfiltrate the data

../../assets/images/DFIR/letsdefend/Malicious-Chrome-Extension/image5.png

../../assets/images/DFIR/letsdefend/Malicious-Chrome-Extension/image12.png