Hackers Abusing Google Chrome Extension to Exfiltrate Data & Using That Channel for C&C Communication

Recently, IT security researcher Bojan Zdrnja published research showing that threat actors are abusing Google Chrome's Sync feature as a channel for both data exfiltration and Command and Control communication.

Zdrnja notes that the threat actors turned a convenient browser feature against the Chrome browser itself: Google Chrome's Sync feature can be abused by attackers to collect information from compromised computers using maliciously crafted Chrome browser extensions.

Evades Chrome Web Store Security Checks

Malicious Chrome extensions are not unusual, and Google removes hundreds of them from the Chrome Web Store every year, but this case was special because the way the extension was deployed kept it hidden from those checks.


Once the extension was installed, it dropped a background script designed to look for oauth_token keys in Chrome's storage, which would then be automatically synced to the user's Google cloud storage.

According to the researcher, the attacker would then only have to log into that same Google account on another system running the Chrome browser to receive the synced data. Third-party Chromium-based browsers are not authorized to use the private Google Chrome Sync API, so the receiving end has to be Chrome itself.

How did it happen?

It is common for threat actors to drop malicious extensions into the Chrome Web Store, and Google removes suspicious extensions every day. This extension is different from the others because the threat actor used a different channel: it was installed directly, bypassing the store.

The malicious extension was disguised as "Forcepoint Endpoint Chrome Extension for Windows." The threat actors copied Forcepoint's name and logo to make the extension seem legitimate.

The keys to the kingdom

Zdrnja affirmed that although the threat actors wanted to extend their access, they actually limited all their activities on this workstation to those related to web applications, which explains why they dropped only the malicious Chrome extension and no other binaries.

In other words, the threat actor concentrated the attack on manipulating web application data and did not attempt to extend their malicious activity to the underlying system.

How to be safe?

The solution suggested by Zdrnja is to use Chrome's enterprise features and group policy support. With these, only approved extensions can be installed in the browser, protecting users from an infected one.

Blocking the malicious extension from exfiltrating data at the network level is impractical, because it would require blocking servers that Google uses for several legitimate purposes.

That is why, to stop attackers abusing Google Chrome's Sync API to harvest and exfiltrate data from the corporate environment, Zdrnja suggested using group policies to build a list of approved Chrome extensions and block all others that have not been reviewed for red flags.
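As an added illustration of the allowlist approach described above (example code written for this article, not from Zdrnja's write-up or from Google): the policy names ExtensionInstallBlocklist and ExtensionInstallAllowlist are real Chrome enterprise policies; the extension ids, the profile path and the manifests below are constructed sample data.

```python
import json
import re
from pathlib import Path

# Chrome extension ids are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")


def build_extension_policy(approved_ids):
    """Managed-policy dict that blocks every extension except the reviewed ones.
    On Linux this JSON goes under /etc/opt/chrome/policies/managed/; Windows and
    macOS use the same policy names via registry keys / configuration profiles."""
    bad = [i for i in approved_ids if not EXT_ID.match(i)]
    if bad:
        raise ValueError(f"malformed extension id(s): {bad}")
    return {
        "ExtensionInstallBlocklist": ["*"],                      # block everything...
        "ExtensionInstallAllowlist": sorted(set(approved_ids)),  # ...except the allowlist
    }


def audit_manifests(manifests, approved_ids):
    """manifests: {extension_id: manifest_dict} read from
    <profile>/Extensions/<id>/<version>/manifest.json. Reports every extension
    outside the allowlist and flags the combination the article describes: a
    background script plus the 'storage' permission (chrome.storage.sync)."""
    findings = []
    for ext_id, m in manifests.items():
        if ext_id in approved_ids:
            continue
        perms = set(m.get("permissions", []))
        has_bg = bool(m.get("background"))  # MV2 'scripts' or MV3 'service_worker'
        findings.append({"id": ext_id, "name": m.get("name", "?"),
                         "storage_and_background": has_bg and "storage" in perms})
    return findings


def load_manifests(extensions_dir):
    """Read manifests from a real profile's Extensions directory (hypothetical path)."""
    return {mf.parent.parent.name: json.loads(mf.read_text(encoding="utf-8"))
            for mf in Path(extensions_dir).glob("*/*/manifest.json")}


# Constructed sample data, not real extension ids or manifests.
APPROVED = ["a" * 32]
SAMPLE_MANIFESTS = {
    "a" * 32: {"name": "Approved corporate extension", "permissions": ["tabs"]},
    "b" * 32: {"name": "Forcepoint Endpoint Chrome Extension for Windows",
               "permissions": ["storage", "webRequest"],
               "background": {"scripts": ["background.js"]}},
}

if __name__ == "__main__":
    print(json.dumps(build_extension_policy(APPROVED), indent=2))
    for finding in audit_manifests(SAMPLE_MANIFESTS, APPROVED):
        print(finding)
```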


Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.