Cybersecurity researchers at Avast have recently reported a huge campaign comprised of dozens of malicious Chrome and Edge browser extensions along with more than three million installations in whole.
This campaign has collectively termed “CacheFlow” by Avast; it has 28 extensions available in official Google and Microsoft repositories exposed themselves in such a way so that they can easily download pictures, videos, or any other content from sites.
All these contents included sites like Facebook, Instagram, Vimeo, and Spotify. Moreover, the hackers have also accumulated user’s birth dates, email addresses, and some other device information and redirected the clicks and search results to ill-disposed sites.
The researchers affirmed that the cached flow was striking in such a way that the malicious extensions would attempt to hide all their command and control traffic in a covert channel by utilizing the Cache-Control HTTP header of their analytics requests.
The hackers used some sneaky trick to disguise its true intention, that’s why they leverage the Cache-Control HTTP header as a covert channel simply to recover commands from an attacker-controlled server.
The payload and Injected script
The Payload generally checks whether the developer tools are open or not. However, Payload starts out by testing if it can make usage of eval and localStorage.
In case if those two were not working correctly, CacheFlow would not be capable of delivering most of its malicious functionality. Moreover, if the developer’s tools were opened, then it deactivates itself in an attempt to avoid detection.
The experts asserted that the injected script performs mainly two pieces of functionality. The initial one is regarding hijacking clicks, and the second functionality deals with search engine results.
Link hijacking and modification of search results
The link hijacking is achieved by registering an on-click listener above the whole document. After that, the listener is only interested in the leading button presses and simply clicks on elements along with the tag name a or area.
In case the click satisfies all the criteria, an XHR appeal to https://orgun.johnoil[.]com/link/ is sent.
While the second functionality is implemented only if the victim is currently on a Google, Bing, or Yahoo search page, and the way this is executed, it modifies the search results based on the search engine.
That’s why the experts are still investigating this cache flow; and, here we have provided all the technical details regarding the CacheFlow. Well, it is a huge network of malicious browser extensions that affected millions of users worldwide.
Apart from this, it’s very notable that how these malicious extensions were hijacking their victims’ clicks and modifying their search engine results. All the methods that the hackers are using were quite challenging, and they were well capable of hiding itself.