Chances are you are reading this blog post using your web browser. Chances also are your web browser has various extensions that provide additional functionality. We usually trust that the extensions installed from official browser stores are safe. But that is not always the case as we recently found.

This blog post brings more technical details on CacheFlow: a threat that we first reported about in December 2020. We described a huge campaign composed of dozens of malicious Chrome and Edge browser extensions with more than three million installations in total. We alerted both Google and Microsoft about the presence of these malicious extensions on their respective extension stores and are happy to announce that both companies have since taken all of them down as of December 18, 2020.

CacheFlow was notable in particular for the way that the malicious extensions would try to hide their command and control traffic in a covert channel using the Cache-Control HTTP header of their analytics requests. In addition, it appears to us that the Google Analytics-style traffic was added not just to hide the malicious commands, but that the extension authors were also interested in the analytics requests themselves. We believe they tried to solve two problems, command and control and getting analytics information, with one solution.

We found that CacheFlow would carry out its attack in the following sequence:

Figure: Distribution of Avast users that installed one of the malicious extensions

We initially learned about this campaign by reading a Czech blog post by Edvard Rejthar from CZ.NIC. He discovered that the Chrome extension “Video Downloader for FaceBook™” (ID pfnmibjifkhhblmdmaocfohebdpfppkf) was stealthily loading an obfuscated piece of JavaScript that had nothing to do with the extension’s advertised functionality. Continuing from his findings, we managed to find many other extensions that were doing the same thing. These other extensions offered various legitimate functionality, with many of them being video downloaders for popular social media platforms. After reverse engineering the obfuscated JavaScript, we found that the main malicious payload delivered by these extensions was responsible for malicious browser redirects. Not only that, but the cybercriminals were also collecting quite a lot of data about the users of the malicious extensions, such as all of their search engine queries or information about everything they clicked on.

The extensions exhibited quite a high level of sneakiness by employing many tricks to lower the chances of detection. First of all, they avoided infecting users who were likely to be web developers. They determined this either through the extensions the user had installed or by checking if the user accessed locally-hosted websites. Furthermore, the extensions delayed their malicious activity for at least three days after installation to avoid raising red flags early on. When the malware detected that the browser developer tools were opened, it would immediately deactivate its malicious functionality. CacheFlow also checked every Google search query and if the user was googling for one of the malware’s command and control (C&C) domains, it reported this to its C&C server and could deactivate itself as well.

According to user reviews on the Chrome Web Store, it seems that CacheFlow was active since at least October 2017. All of the stealthiness described above could explain why it stayed undetected for so long.

Figure: Fiddler capture of a seemingly innocent analytics request that contains a hidden command in the Cache-Control response header

Note that the response will contain the encoded command only when some conditions are met. First of all, the GET parameter “it” has to be set at least three days into the past. Since this parameter contains the time when the extension was installed, this effectively ensures that the extension will not exhibit any malicious behavior during the first three days. There is also a check based on the IP address, since we repeatedly did not receive any commands from one source IP address, even though we did receive a command for the same GET request from another IP address.
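As an added example (not Avast's code and not the malware's), here is a defender-side heuristic for the covert channel described above: it parses Cache-Control response values and flags anything that is not a recognised directive, is unusually long, or looks like encoded data rather than a cache setting. The sample captures, URLs and the value of the “it” parameter are constructed for illustration.

```python
import math
from collections import Counter

# Response directives from RFC 7234 plus widely deployed extensions (RFC 5861, RFC 8246).
KNOWN_DIRECTIVES = {
    "max-age", "s-maxage", "no-cache", "no-store", "no-transform",
    "must-revalidate", "proxy-revalidate", "public", "private",
    "immutable", "stale-while-revalidate", "stale-if-error",
}

def shannon_entropy(text):
    """Bits per character; random-looking encoded data scores high."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def parse_cache_control(value):
    """Split a Cache-Control value into (directive, argument) pairs; quotes are stripped."""
    pairs = []
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            pairs.append((name.strip().lower(), arg.strip().strip('"')))
    return pairs

def cache_control_findings(value, max_len=32, entropy_threshold=4.0):
    """Return reasons why this Cache-Control value does not look like cache directives."""
    findings = []
    for name, arg in parse_cache_control(value):
        tokens = []
        if name not in KNOWN_DIRECTIVES:
            findings.append(f"unknown directive {name!r}")
            tokens.append(name)
        if arg and not arg.isdigit():  # legitimate arguments are seconds or header-field names
            tokens.append(arg)
        for token in tokens:
            if len(token) > max_len:
                findings.append(f"token length {len(token)} exceeds {max_len}")
            if len(token) >= 16 and shannon_entropy(token) > entropy_threshold:
                findings.append(f"high-entropy token ({shannon_entropy(token):.2f} bits/char)")
    return findings

def scan_responses(responses):
    """responses: iterable of (url, header dict). Returns {url: findings} for flagged responses."""
    return {url: f for url, h in responses if (f := cache_control_findings(h.get("Cache-Control", "")))}

# Constructed sample captures (not real CacheFlow traffic). The last one mimics the pattern
# in the text: an analytics-style GET carrying an "it" parameter (format assumed here) whose
# response smuggles an opaque encoded token inside Cache-Control.
SAMPLE_RESPONSES = [
    ("https://www.google-analytics.com/collect?v=1&t=pageview", {"Cache-Control": "no-cache, no-store, must-revalidate"}),
    ("https://cdn.example.com/app.js", {"Cache-Control": "public, max-age=31536000, immutable"}),
    ("https://stats.example.net/collect?it=1577836800&t=pageview", {"Cache-Control": "private, max-age=0, aG9zdD1leGFtcGxlLm5ldDtjbWQ9cmVkaXI7aWQ9MDAwMDAwMQ"}),
]

if __name__ == "__main__":
    for url, findings in scan_responses(SAMPLE_RESPONSES).items():
        print(url, "->", "; ".join(findings))
```

Run over a proxy export, the heuristic will also surface vendor-specific directives, so treat a hit as a lead to inspect rather than a verdict.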