Barkly vs Malware
The Barkly Team
Oct 2017

"Catch-All" Chrome Extension Silently Steals Your Data

A new malicious Google Chrome extension steals any data victims enter into any website they visit. Watch Barkly block it.

Malicious browser extensions are unfortunately nothing new, but a newly discovered example analyzed by Morphus Labs Chief Research Officer Renato Marinho is a good indication of how advanced and dangerous they're becoming.

Appropriately dubbed "Catch-All," this malicious Google Chrome extension captures all the data posted by its victims — including usernames, passwords, etc. — on any website they visit and transmits it into the hands of cyber criminals.

How the Catch-All malware is spreading 

According to Marinho, the malware is being delivered via phishing emails with a link to see photos from a weekend event being shared via WhatsApp. 

Clicking the link downloads a dropper file called "whatsapp.exe," which, when executed, displays a fake Adobe Flash update prompt. Installing the "update" results in the Catch-All payload being downloaded, extracted, and executed.


Note: As of now, distribution of the malware appears to be limited to Portuguese-speaking countries, with the attacks originating in Brazil. 

How the Catch-All malware works

Catch-All attack diagram. Source: Renato Marinho, Morphus Labs

Once the user is tricked into installing the fake Adobe Flash update, the payload is delivered in the form of a compressed file called "md18102136.cab." When the file is decompressed, two additional files are extracted (md0.exe and md1.exe) that are roughly 200 MB each. Marinho explains that roughly 97% of the code in both files is bloat, likely put there to help the files bypass anti-malware solutions that do not inspect large files.

In addition to loading the malicious Chrome extension, md0.exe also attempts to disable a variety of security features using the following command and Chrome launch switches:

  • netsh firewall opmode disable: this disables the Windows firewall
  • --disable-extensions-file-access-check: this allows extensions to inject script into file:// URLs without user opt-in
  • --always-authorize-plugins: this prevents Chrome from requiring authorization to run plug-ins
  • --disable-improved-download-protection: this disables Safe Browsing warnings when downloading files

It then kills all Chrome processes and configures the browser extensions to be loaded the next time Chrome runs. 
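The switches and the netsh command above are visible in process-creation telemetry, so a defender can alert on them. The following detection script is an added example, not code from the original post or from Morphus Labs; it runs over constructed Sysmon-style log lines, and the `--load-extension` entry is an assumed extra indicator since the post does not say how md0.exe arranges for the extension to load.

```python
import re
import shlex

# Chrome switches named in the Catch-All write-up; each turns off a browser safeguard.
# --load-extension is a hypothetical extra indicator added here (not from the article).
RISKY_CHROME_SWITCHES = {
    "--disable-extensions-file-access-check": "extensions may inject script into file:// URLs",
    "--always-authorize-plugins": "plug-ins run without user authorization",
    "--disable-improved-download-protection": "Safe Browsing download warnings off",
    "--load-extension": "unpacked extension side-loaded from disk (assumed indicator)",
}

# Constructed process-creation log format: "Image=<path> CommandLine=<argv>".
LOG_RE = re.compile(r"Image=(.*?) CommandLine=(.*)$")


def analyze_command_line(cmdline):
    """Return human-readable findings for one process command line."""
    try:
        # posix=False keeps Windows backslashes literal and quoted paths as one token.
        argv = shlex.split(cmdline, posix=False)
    except ValueError:          # unbalanced quotes: fall back to a plain split
        argv = cmdline.split()
    if not argv:
        return []
    findings = []
    exe = argv[0].strip('"').rsplit("\\", 1)[-1].lower()
    # "netsh firewall opmode disable" is the legacy command that turns the Windows firewall off.
    if exe in ("netsh", "netsh.exe") and [a.lower() for a in argv[1:4]] == ["firewall", "opmode", "disable"]:
        findings.append("Windows firewall disabled via netsh")
    for arg in argv[1:]:
        switch = arg.split("=", 1)[0].lower()   # also matches --load-extension=<path>
        if switch in RISKY_CHROME_SWITCHES:
            findings.append(f"{switch}: {RISKY_CHROME_SWITCHES[switch]}")
    return findings


def scan_process_log(lines):
    """Return (image, findings) for every log line whose command line looks like the dropper's."""
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            findings = analyze_command_line(m.group(2))
            if findings:
                alerts.append((m.group(1), findings))
    return alerts


# Constructed samples: the first two mimic md0.exe's behaviour, the third is a benign Chrome start.
CHROME = r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\netsh.exe CommandLine=netsh firewall opmode disable",
    f'Image={CHROME} CommandLine="{CHROME}" --disable-extensions-file-access-check '
    "--always-authorize-plugins --disable-improved-download-protection",
    f'Image={CHROME} CommandLine="{CHROME}" --profile-directory=Default',
]

if __name__ == "__main__":
    for image, findings in scan_process_log(SAMPLE_LOG):
        print(image, "->", "; ".join(findings))
```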

From here, the extension captures any data the victim enters as they browse from page to page, using Windows APIs to retrieve keyboard strokes and sending the information to a C&C server using jQuery and Ajax connections.


The extension uses the GetKeywordState function to retrieve keyboard strokes.

As a result, the criminals behind Catch-All can silently gather a treasure trove of credentials and personal data without the user noticing a thing. Because the data is captured in clear text inside the browser, before it is ever encrypted for transmission, transport protections such as SSL or TLS don't provide any defense against this threat.

In Marinho's opinion, the onus is on the browsers to mitigate threats like the Catch-All extension. "Internet browsers should better control extensions and plugins' installation processes, as the Android and iOS mobile ecosystems do," he told Threatpost. "By default, only the extensions available on official stores should be accepted for installation."

Blocking Catch-All before it steals data

Since the Catch-All extension is delivered via phishing emails, user training can help prevent its installation in the first place. 

Users will be users, however, and the good news is having Barkly installed will stop this attack in the earliest stages, before the payload even has a chance to execute or tee up the malicious extension.  


That means even if users do fall for the phishing email they're still protected. 

With the creation of malicious Chrome extensions — and the hijacking of legitimate ones — on the rise it's key for organizations to protect their users and endpoints with strong security that can spot malicious behavior in addition to malicious files. 

Want to find out more about how Barkly blocks malware? See a demo today. 
