AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
This older version primarily differed with the addition of cryptocurrency mining. Based on the dates of upload to the Chrome web store, these represented an earlier version created in April 2017 (the others were created in November 2017). While it communicated to the same set of C&C servers, the implementation and C&C command format differed. In the course of our research, we found that a previous version of Droidclub was still active in the wild. The video below shows the information that the library can acquire. We replaced the Yandex account used by the attackers with our own during testing.įigure 6. The library does not capture passwords by design, so these are not stolen by the threat actors. The combination of the extension and the library can steal data entered into forms such as names, credit card numbers, CVV numbers, email addresses, and phone numbers. Unfortunately, in the hands of an attacker, this tool can be abused and represents a very powerful tool that can breach the user's privacy. This library enables a feature called session replay, which can record various user actions like mouse clicks, scrolling, and keystrokes. Ads within the original site are also replaced with ads chosen by the attacker the code does it by searching for IFRAME sizes that match those used in advertisements.Ī Javascript library from Yandex Metrica is also injected into visited websites on the victim's browser (the original website is not modified). This is a legitimate web analytics library that a site owner can use to evaluate how visitors are using their site. The extension is currently injecting various pieces of Javascript code, one of which modifies these pages by adding external links to certain keywords. ![]() The attacker behind Droidclub may be using this botnet to artificially raise the impressions of certain ads, resulting in increased views and revenue.ĭroidclub can also modify the contents of viewed websites. Currently, this malware is being used to display low-quality advertising (such as those for pornographic sites) and/or exploit kits. The URL and the frequency are both sent as part of the configuration information from the C&C server. Malicious BehaviorA browser infected with Droidclub will periodically pop up a new tab displaying web advertising. The extensions themselves are designed to appear innocent, if slightly nonsensical. This process is repeated every five minutes. The extension, once installed, checks if the C&C server is online, downloads any needed configuration code, and reports back to the C&C server. It then asks the user if they want to go ahead and install the extension, while listing the required privileges of the extension. If people click OK here, the Chrome browser will download the extension from the normal Chrome web store in the background. False Error Messages Used To Install Droidclub Extension Malicious ads would be used to display false error messages asking users to download an extension onto their browser:įigure 2. The diagram below shows the overall behavior of Droidclub:ĭistributionDroidclub is distributed via a combination of malvertising and social engineering. Google has since removed these extensions from the official Chrome web store in addition, the C&C servers have been removed from Cloudflare as well. Based on the pages of these extensions, we estimate that up to 423,992 users have been affected. A total of 89 Droidclub extensions have been found on the official Chrome web store. The attacker gets the user to install these malicious Chrome extensions via a mix of malvertising and social engineering. Other researchers have raised the possibility that these libraries could be abused, but this is the first time we have seen this in the wild. These libraries are meant to be used to replay a user's visit to a website, so that the site owner can see what the user saw, and what he entered into the machine, among other things. ![]() These scripts are injected into every website the user visits. In addition to the above features, Droidclub also abuses legitimate session replay libraries to violate the user's privacy. We have dubbed this particular botnet Droidclub, after the name of one of the oldest command-and-control (C&C) domains used. (The malicious extension is detected as BREX_DCBOT.A.) This botnet was used to inject ads and cryptocurrency mining code into websites the victim would visit. The Trend Micro Cyber Safety Solutions team has discovered a new botnet delivered via Chrome extensions that affect hundreds of thousands of users. Updated on February 6, 2018, 6:10 PM PST with a statement from Yandex. Updated on February 1, 2018, 7:21 AM PST to update the regular expression.
0 Comments
Read More
Leave a Reply. |