Malicious browser extensions bring about security risks as these often lead to system infection and unwanted spamming on Facebook. Based on our data, these attacks have notably affected users in Brazil.

We have previously reported that cybercriminals are putting malicious browsers in the official Chrome Web store. We also came across malware that bypasses a Google security feature checks third party extensions. For this blog entry, we performed an in-depth analysis of malicious Chrome browser extension and its evasion tactics, after receiving samples in from Facebook. Facebook’s Security team conducts their own malware research and they regularly collaborate with Trend Micro to keep their service safe.

The Ins and Outs of the Browser Plugin

The malicious Chrome plugin (detected as BREX_KILIM.LL) is composed of two files, manifest.json and background.js. The file manifest.json will inform Chrome where to load background.js:

Figure 1. Two files behind the malicious plugin

The file background.js will execute the following routines:

1. It prevents the removal of the malicious plugin. If users open a tab to chrome://extensions to check for malicious browser extensions, the plugin will close this tab immediately.

Figure 2. Code showing the closing of said tab

2. It prevents access to antivirus websites. Any attempts to visit antivirus software websites will be blocked.

Figure 3. Code showing the blocking of specific sites

Figure 4. Notification showing access was blocked by the extension

3. It removes the security option from HTTP response header. This security option is typically used to avoid cross site scripting attacks. The plugin removes this as it will will inject script that does not belong to Facebook.

Figure 5. Code removing portions of the HTTP header

4. It runs a JavaScript code when users visit Facebook. When users go on Facebook, the plugin will run a JavaScript code into the tab where the site is open. Doing so will allow the cybercriminals to control the users’ accounts; users will unwillingly follow, like, or subscribe to Facebook accounts as dictated by the cybercriminals behind this attack. These commands are performed automatically by the included JavaScript code. The affected users’ friends will also see these actions on their feed and may possibly inadvertently install the plugin as well.

Figure 6. Screenshot of the malicious JavaScript that triggers users to follow, like, subscribe a Facebook account owned by cybercriminals

Evasion Tactics

To avoid having their extensions detected and removed from computers, cybercriminals are using the following evasion methods:

1. They use malicious multi-script files that work together.

Figure 7. Malicious plugin using multi-script

The malicious behavior is separated into multiple files. If each script file is analyzed independently, the overall malicious behavior may not be spotted and the files may be (mistakenly) thought to be clean.

2. They encode the JavaScript content.

Hackers use HEX to encode strings as seen in the screenshot below:

Figure 8. Encoded strings via Hex

After decoding the Hex string, they appear like in the screenshot below, showing that it’s the same as the original. This behavior helps to avoid detection by security products.

Figure 9. Decoded string

3. They use HTTPs and a known, good domain to host malicious JavaScript.

Figure 10. A good domain used by the malicious plugin

For instance, herokuapp.com is a free cloud application platform where everyone can upload APP to it, and cybercriminals can use this site to host the malicious JavaScript. This tactic is also used to prevent URL detection and blocking by security solutions.

4. They use Twitter to hide malicious URLs.

Figure 11. Code communicating with Twitter servers

Figure 12. Twitter profile that houses the URL

A malicious plugin runs a JavaScript into the user’s browser tab and downloads content from a Twitter user’s profile. The cybercriminals use the affected Twitter user’s profile content to hide the malicious URL that the plugin connects to. Once cybercriminals change the profile content, they can change the behavior of the malicious plugin.

5. They use fake file extensions.

Figure 13. The plugin uses .DLL as its supposed extension

Infections and Protection

Based on our data starting from May 2014 onwards, Trend Micro HouseCall has helped about 1,000,000 users whose computers have been infected by malicious browser extensions. The top affected countries are mostly located in the Latin American region, such as Brazil, Mexico, Colombia, and Peru.



Figure 14. Top affected countries

We strongly advise users to avoid clicking links from messages, even if they appear to come from your friends. Users can also opt to use Trend Micro HouseCall to secure their systems from online threats, including those that may leverage or abuse Facebook. Trend Micro and Facebook are working closely together to combat this threat.

Below is the SHA1 hash of the malicious file: