- #Trend micro chrome extension install#
- #Trend micro chrome extension update#
- #Trend micro chrome extension code#
The attacker behind Droidclub may be using this botnet to artificially raise the impressions of certain ads, resulting in increased views and revenue.ĭroidclub can also modify the contents of viewed websites. Currently, this malware is being used to display low-quality advertising (such as those for pornographic sites) and/or exploit kits.
The URL and the frequency are both sent as part of the configuration information from the C&C server. Malicious BehaviorA browser infected with Droidclub will periodically pop up a new tab displaying web advertising. The extensions themselves are designed to appear innocent, if slightly nonsensical. This process is repeated every five minutes. The extension, once installed, checks if the C&C server is online, downloads any needed configuration code, and reports back to the C&C server.
#Trend micro chrome extension install#
It then asks the user if they want to go ahead and install the extension, while listing the required privileges of the extension. If people click OK here, the Chrome browser will download the extension from the normal Chrome web store in the background. False Error Messages Used To Install Droidclub Extension Malicious ads would be used to display false error messages asking users to download an extension onto their browser:įigure 2. The diagram below shows the overall behavior of Droidclub:ĭistributionDroidclub is distributed via a combination of malvertising and social engineering.
Google has since removed these extensions from the official Chrome web store in addition, the C&C servers have been removed from Cloudflare as well. Based on the pages of these extensions, we estimate that up to 423,992 users have been affected. A total of 89 Droidclub extensions have been found on the official Chrome web store. The attacker gets the user to install these malicious Chrome extensions via a mix of malvertising and social engineering. Other researchers have raised the possibility that these libraries could be abused, but this is the first time we have seen this in the wild. These libraries are meant to be used to replay a user's visit to a website, so that the site owner can see what the user saw, and what he entered into the machine, among other things. These scripts are injected into every website the user visits. In addition to the above features, Droidclub also abuses legitimate session replay libraries to violate the user's privacy. We have dubbed this particular botnet Droidclub, after the name of one of the oldest command-and-control (C&C) domains used.
#Trend micro chrome extension code#
(The malicious extension is detected as BREX_DCBOT.A.) This botnet was used to inject ads and cryptocurrency mining code into websites the victim would visit. The Trend Micro Cyber Safety Solutions team has discovered a new botnet delivered via Chrome extensions that affect hundreds of thousands of users. Updated on February 6, 2018, 6:10 PM PST with a statement from Yandex.
#Trend micro chrome extension update#
Updated on February 1, 2018, 7:21 AM PST to update the regular expression.
0 kommentar(er)
