Home front-page port 80-shoopyuSuspicious Browser extension analysis 🔍

front-page port 80-shoopyuSuspicious Browser extension analysis 🔍


1.Which browser supports this extension? With a simple google we can learn that crx files are associated with google chrome’s web browser extensions.

ANSWER: Google Chrome

2.What is the name of the main file which contains metadata? For this part we must unpack the file. CRX files are essentially just archived files similar to zip files. So we can simply use any archive extractor tool such as unzip to extract the contents.

Simple googling on what a manifest file reveals that it is common computing file which contains metadata. Here we can prove this by reading the contents of manifest.json. It contains metadata such as version, name, and even related files for the extension.

ANSWER: manifest.json

3.How many js files are there? Question 2 revealed that there were 2 javascript files: background.js and content.js.

4.Go to crxcavator.io and check if this browser extension has already been analysed by searching its name. Is it known to the community? Similiar to VirusTotal, crxcavator is a useful tool for checking if a browser extension was uploaded and analysed. In this case, this is not known to the community.


5.Download and install ExtAnalysis. Is the author of the extension known?
For this task it is useful to move onto a more advanced tool called ExtAnalysis. Which can be downloaded and installed from: https://github.com/Tuhinshubhra/ExtAnalysis. Once installed simply upload the crx file from the ‘upload extension’ tab.

Here we can see the author is unknown which is concerning.


6.Often there are URLs and domains in malicious extensions. Using ExtAnalysis, check the ‘URLs and Domains’ tab How many URLs & Domains are listed?
We can see that there is 1 URL and 1 Domain which makes it 2 in total for this extension. However it is important to note that obfuscated URLs/Domains will not be picked up by the tool, hence its limitations when compared to manual analysis.


7.Find the piece of code that uses an evasion technique. Analyse it, what type of systems is it attempting to evade? In the view source code section it is possible to read the contents of each file. In this case, we will read the contents of the ThankYou.html file.

Here we see a strange if condition which seems to be checking the system for certain renderers such as llvmpipe, swiftshader, virtualbox, and vmware. Some OSINT research reveals that these renderers are associated with virtual machine usage. Furthermore, the ‘else if’ condition checks for a certain color depth typically associated with virtual machines. The resulting action from both blocks of if statements is the triggering of ‘chrome.processes.terminate(0)’ which indicates how after the extension confirms it is being run in a virtual machine environment it will terminate to prevent dynamic analysis.

ANSWER: Virtual Machine

8.If this type of system is detected what function is triggered in its response? As mentioned earlier, ‘chrome.processes.terminate(0)’ will be triggered.

ANSWER: chrome.processes.terminate(0)

9.What keyword in a user visited URL will trigger the if condition statement in the code? Using https://deobfuscate.io/ we can see that the output shows a line ‘.url == str.match…’ with a regex expression. Although the code is partially obsufucated still we can infer from this that it is using a url type function with a regex expression to check if the user is on a page with the keyword ‘login’.

ANSWER: login

10.Based on the analysis of the content.js, what type of malware is this? Performing OSINT research on the readable functions such as ‘onkeydown’ tells us that it is used to detect the triggering of key presses. We also see the variable name ‘key’ being used to store the key presses/strokes. Correlating this fact with the previously known truth that this js script is using an if statement to look for the regex condition of URLs which contain the keyword login, we can infer that this is a type of keylogger malware.

ANSWER: keylogger

11.Which domain/URL will data be sent to? Using the previous deobsufucation method for the background.js file we can see a new URL domain which points to an obviously fake google website. Data is posted to this and the likely data would be the user’s keystrokes as indicated in the ‘o’ variable declarations which mentions ‘key’.

ANSWER: https://google-analytics-cm[.]com/analytics-3032344.txt

  1. As a remediation measure, what type of credential would you recommend all affected users to reset immediately So we have established that the extension triggers keylogging capabilities when it detects the user

visiting any URL with the keyword ‘login’. These logs are then sent over to the actor’s typo- squatting fake google website. Since many users were affected by this and have so far had their

accounts compromised it is wise to initiate a password reset for all users involved.

ANSWER: password

This post is licensed under CC BY 4.0 by the author.

front-page port 80-shoopyu Web Login Bypassing Techniques

front-page port 80-shoopyu Lab setup for Malware Analysis 🪲🔬