
BSides DC would like to thank all of our sponsors, and a special thank you to all of our speakers, volunteers, and organizers for making 2018 a success.

Good morning, everybody. So we're gonna kick off here today the post-lunch track, which is always the best one, to try to keep you guys invigorated and awake here today. So the talk here today is Unraveling the Threat of Chrome-Based Malware, talking about malware in your browser, and we'll talk about a little bit of a war story we have. My name is Justin Warner. I'm a principal security engineer with Gigamon. I formerly spent some time in the military working for the US Air Force doing counterintelligence work, spent three years breaking into places, which really shaped my view a lot of threat operations; having to actually go do it and learn about the perspective they get, I found that very valuable. There I worked with various groups, the Adaptive Threat Division, and then a natural break occurred which led me to work with ICEBRG, which became Gigamon. I like to be a little bit more human so I'm not just a work robot: I have a hacker wife, so I married into the hacker community; some people hate it, some people love it, I personally enjoy it a lot. I have a young daughter, two years old, and I do a lot of volunteer work in disaster response and relief stuff; those tend to be the fun ways to get away from the computer and enjoy the day.

Hi everyone, my name is Spencer Walden. I'm a security engineer at Gigamon as well. I graduated from the University of Washington, Seattle, the other Washington, a year and a half ago. I've been at ICEBRG slash Gigamon for two and a half years now, and while I was at UW I also did undergraduate research where I actually worked on a Chrome extension project that was super cool. It's discontinued now, but you should check it out; it's really a cool project. And yeah, I'm really interested in malware and, you know, the different methods that adversaries use to communicate covertly, and then working to detect those types of things. It's fun, the whole cat-and-mouse game going on there.

So leading into this, who here has used a Chrome extension? All right, this is relevant. Who here has developed a Chrome extension or worked to develop one? Okay, fewer people, but cool. So this is gonna be new for some of you. It's pretty simple; I just ripped this straight from Google's documentation, which was really good, super straightforward. To make an extension, basically it's just like a web page: it's just some HTML, CSS, JavaScript, images, whatever you need, thrown into a folder. You have the exact same things that you can do with a web page, including XMLHttpRequests, which are basically web requests you can make from JavaScript. The interesting thing here is that, unlike working in a web page, a Chrome extension will actually have access to Chrome APIs; that way you can actually extend browser functionalities such as bookmarks and tabs and lots of other fun stuff.

What does it look like? Yep, here's the folder of an example Chrome extension. Basically just any kind of normal website kind of feel to it; you can, you know, structure it however you want to. The important thing here is that you need a manifest file, which is a very specific format, a JSON file, and it basically just specifies kind of how your extension is supposed to fit together, how all these elements work together. So what does the manifest file actually have in it? Some of it is kind of not that relevant for our purposes; it's just kind of UI/UX, you know, what's it look like in the browser, does it have a pop-up, does it open tabs, blah blah. Metadata: what version is it, who is the author. And then kind of the meat of this is the permissions and what I called registration, which is basically you specify a background script, and this will run at all times in the context of the browser, or the content scripts, which you basically allow to inject into different web pages based on a certain set of conditions. And registration also might cover, or I consider it to cover, things like the content security policy. And then the permissions are basically the different Chrome APIs you want to interact with. You have to declare these; some of them will actually prompt the user. You may have seen this, you know, "blah blah blah can read and change all the data on the websites you visit," you know, kind of scary sounding, and it's meant to be, because there's a lot of power you get with this.

Some interesting permissions to call out that I found: there's this background permission you can set where the extension will actually come up with the system. So this image with Process Explorer is showing that Chrome is actually running because of an extension that has the background permission set, but you'll notice in the Windows taskbar Chrome isn't actually open; there's no blue line there. So kind of an interesting thing, right?

So Google actually does review all the extensions that go into their store. They have an automatic process, and that will kind of generate a score; that score, if it's low enough, will trigger a manual review process, and they'll actually do takedowns on different extensions if they're not up to snuff, right? One example was uBlock Origin; it was taken down for obfuscation in 2015, and the developer kind of made a big stink about it. But yeah, so working with their team when we found all this malware, they were super supportive and it was really good working with them to get stuff cleaned up.

Yeah, so how often, when you use your computer, how often do you have the browser open? 100% of the time, yeah. Browsers are running on pretty much every system all the time. Like in Seattle we've got the light rail, and that's got TV screens showing, you know, the schedule of the light rail trains; sometimes it crashes and you get that "Aw, Snap!" Chrome notification in the page. And so I mean it's running on all kinds of different systems, and so it's really powerful, right, to get a plug-in into one of these things. And one of the cool, kind of cool but kind of bad maybe, things is that the WebExtension API, which is being pioneered by Chrome, is being adopted into the different browsers. So Edge, Chrome, all the major ones, except for Safari for some reason, are adopting this framework. So if you write a malicious Chrome extension you could potentially just easily port it over to the different browsers, which could be cool.

So what led us here today? What got us, we're a network security company, what got us on this rant and soapbox of Chrome extensions? Frankly, the reason it got us here is because we saw it used in the wild. And so we were monitoring a customer environment; I'd like to say that something sexy happened and that we had a magic analytic that found all the evil, but it simply wasn't the case. We had an analyst going through network traffic, noticed something suspicious, which is how 90% of things are found, and kind of started pulling on that thread. What they essentially discovered was that there was a ton of HTTP traffic to really funny-looking domains, and the HTTP traffic was coming from a Chrome extension. You can see that via the Origin header, and the pcap snapshot on the bottom right; essentially they could see exactly what extension it was coming from. They continued to unravel that thread and discovered an extension that was prevalent across massive, massive customer sets, massive infrastructure involved, and follow-on investigation essentially led to this extension with over a half a million victims, and what was led to be a suspected fraud campaign where they were browser pivoting traffic through the Chrome extensions. So we're gonna detail this a little bit more in depth.

Now I'd like to take a pause and say, as a red teamer for three years, I was horrible at phishing, and I stressed out every time I had to send a phishing message, and I always thought social engineering was very difficult from a computer perspective; breaking into physical places, easy; sitting behind an email, not so easy. These guys, they simply named their extension "Google," which essentially would replace every Google logo with a Nyan Cat. That was the whole purpose of the extension, and they got a half million downloads. Like, I was doing it all wrong as a red teamer all those years. And the funny thing is, when we started doing a little bit of OSINT on this stuff, tons of computer forums where people are talking about installing it on their little brother's computer, or trolling and putting it on work computers, as it was funny to see their co-worker freak out. Like, it turns out this is all malware those people were running around and installing.

So how did this extension exactly work? This is kind of the beauty of what they were doing: the actual extension contained no malicious code. So the extension was nothing more than a fully functioning, purposeful extension, in this case replacing the Google logo with a Nyan Cat. But then on a certain time interval the extension would phone out for updates to the hosts that they had set up. The updates, even more clever, it was not just a straightforward thing; it was very hidden. In this case if you look at the code on the bottom left, they were looking like they were downloading JSON updates, like maybe a configuration update. The function used was the Ajax call getJSON. Little-known fact that we discovered while looking at this: if you just append a JavaScript string to your JSON blob, getJSON will actually evaluate it, assuming the unsafe-eval permission is set in the extension. Who knew that? No hands for that one. And so yes, you can essentially just append JavaScript to a JSON blob and getJSON will execute that for you. So, a very clever staging mechanism that would get used. We actually saw this evolve over time. There's one other one I want to call out: they also modified the jQuery library in some cases, so they wouldn't even have a suspicious getJSON; it would just be normal Ajax calls, and then in the jQuery library they had minified their secret little stager to change behavior when they saw certain content inside of it. Very clever and very hidden, hard to detect given all the jQuery versions that are out there, anyways, unless you have a magic whitelist of every jQuery library you're tracking.

So after they would stage the extension, they would essentially stage malicious code that led to a WebSocket getting stood up. So they would stage down some JavaScript, that JavaScript would stand up a WebSocket, and that WebSocket would communicate with this full JavaScript RAT inside the browser's memory. That JavaScript web tunnel was then used to pass back and forth JSON taskings. So essentially malware C2: it would task the browser extension agent to do things. Specifically in this case it would task it to do click fraud, and so they would essentially pass a website, the browser extension would visit the website from the victim computer, and so on, just continuously. Some really interesting pieces of this: you know, we sandboxed tons of these and monitored them. They were not injecting every user that installed this extension, and actually throttled who they injected based on what we believe to be time zones, geography, and then volume; like, they would only inject a certain number of people at a time, and we believe, this is a low-confidence assertion, that it was likely trying to minimize the chance of getting caught, like minimize the times they're doing this, don't make it as obvious. So the traffic that we saw, essentially, when we were monitoring this and decrypting this traffic, was almost exclusively advertising traffic. And it would come fast: when they would trigger and turn it on, depending on where you're at, it would go for hours, and we're talking a lot more than a request a second for hours. If you do the quick math, if you look at the price of how much you get for an ad click in an ad network, it can go lower than $0.10, it can go as high as a dollar. So, you know, a click a second for three hours, times, let's go low, like a cent: you can make a ton of money doing this across half a million victims. Very profitable campaign.

This started out with just four extensions. So we talked about Google; there were three other extensions: bookmarks, stickies, and a request-header Chrome extension that was actually really interesting. Anyone who works in pentesting in here use an extension to change your HTTP request stuff, like to add headers? Yeah, so the change-HTTP-request-header one, that would be a really sweet one to hook, to hook a pentester. This had 14,000 downloads, and if I had to guess, a lot of those were admins or some type of code developer, and that was actually a backdoored extension that was being used in this case. So we actually stopped there; we felt pretty good; we notified Google at this point, and then we continued to monitor. So we're a network security company; we weren't really big in the Chrome stuff, but to do due diligence we continued to monitor this, and then last year, throughout the year, we noticed 35 more extensions go into the Chrome store. So there would be events where we would see batches of extensions get uploaded that would continue this functionality, and another 153,000 victims over that year. We've continued to monitor this and it's still very ongoing. We don't have any new stats to show you today.
Essentially this continues to happen; these guys are very persistent.

So, break glass if you find evil. This is, for us, very much, as we started to scope the depth of this and how serious this was, we immediately reached out to Google again. We'll give more shout-outs to the Google team we worked with; Google's huge, I don't know everybody there, but the Google team we worked with was fantastic. They were very interested in what we had to say; they wanted to work with us. We have some tips, like what we learned during this interaction, so if you go Chrome hunting after this talk, here's some tips. Share stuff with them; share evidence. It's really easy to say "I found something bad" and send it to somebody; it's really hard for them to understand what you mean by bad and what got you to this. In this case specifically it was tough because they were doing that selective staging, so the Google team could go install the same extensions we said were evil and they may not get the JSON stager, and so they might be like, these guys are full of it, they don't know what they're talking about, how do we trust them. So we provided, and we went through this, we provided the full pcap of all the sandboxing, everything we had: source code, write-ups, methodology, more or less a full-fledged report, and it was very appreciated; they were able to action it much quicker. Indicators are nice; threat intel people like IPs and domains, and those are fantastic, the evil's fantastic, but methodology, how did we go about discovering it, why did we stumble upon this, what kind of generic things are we looking for, allowed them to go from solving the one problem they knew about to trying to evolve to solve future problems and continue to take down the class of attacks. Continuing on the list, I think that the two biggest outcomes, like the highlight in our case: there's two ways that Chrome extensions will get resolved. Removal from the store, meaning people can't download it anymore; that doesn't mean it gets removed from computers. There's also a level of analysis that'll lead to them actually force removing and issuing a kill request out to anyone who has it installed in their browser. So actually, many of the extensions we've notified have gotten the kill request, but that's not true in all cases; it depends on the level of confidence and kind of the severity of what they're looking at in the extension.

See, yeah, so great, we found this whole malware campaign; how do we protect against it? So there's some IDS signatures that came out from the Emerging Threats set; I don't know if you guys are familiar with that, it's like Snort, Suricata rules. So they're a little bit fragile. One of them is really good: it's looking for the actual WebSocket connection, the JSON going back and forth once the tunnel is established. Fantastic, it gets it 100 percent of the time. And then the other one is actually looking for one very specific Chrome extension ID, so unless you have that specific Chrome extension, and you know you saw there were like 35-plus, it's not gonna hit. And then with the WebSocket tunnel it's only gonna hit if the WebSocket tunnel actually gets set up, right? There are a lot of cases where this didn't actually get set up. So here's the ugly slide full of Suricata rules. The first one is basically looking for the beaconing activity back and forth with the server before injection has happened. The second one is actually looking for the inject code, right, so this is the payload getting sent down on the update request when it decides to do this. And then this last one is after it's been injected: they actually add a header to every request specifying the version of the payload that was injected, so that they could update the thing later on. And this is getting into some behavioral notes: so all of this activity was happening in one ASN; it was always an .info or a .pro TLD; of course there is a Chrome user agent field because it's a Chrome extension; and then yeah, a couple of other things just going on with the flows, looking for kind of interesting interactions between a Chrome extension and a weird server that you probably haven't seen on your network before.

And here's some YARA. YARA is not really set up to work with JavaScript that well; it's more suited for binaries, but it's still a really nice kind of grep on steroids where you can specify a bunch of different patterns and kind of what to look for and conditions, right, so like I want this or this, and I want this and this. And so the first one I have is looking for, basically you can ID these extensions by looking for a couple of key things. The first one is looking for a manifest file that has the relevant permissions that are always set for this: they have to have webRequest and webRequestBlocking and then access to all URLs as permissions declared in the manifest file, so look for that. The second thing is looking for a jQuery library that's been modified. This is really hard to do; I do not recommend doing this, but yeah, a lot of hair tearing out making that one, but really cool. And then the third one is actually looking for the loop, the update beacon, in code that is present in all of these. So if you get a match on a Chrome extension with all three of these together, then we got it, yeah.

Okay, so with Chrome extensions, I was looking at this stuff and I was like, hey, you know, there are a lot of timestamps here; wouldn't it be cool to map these out and see what kind of information we get out of that? So CRX files, which are like the Chrome extension files, they're basically just a wrapper on a zip file, and zip files actually have these file modification timestamps that get preserved when you zip up a bunch of files. They are MS-DOS timestamps and they don't have any kind of timezone information with them, so that's kind of annoying. And then there's the domain registrations, so we have, you know, WHOIS records record when a domain was registered; we have all these domains associated with these Chrome extensions, great, let's grab all those. And then also, this was really fun, so all the icons and images that were used in these Chrome extensions, which did do what they were purported to do in addition to the malicious stuff: Adobe Photoshop was used to make most of these images, and it'll actually inject these XML payloads that have tons of timestamps in there, of like, oh, they added a layer at this time and they added a layer at this time, and really rich, and it's actually got the timezone information in it too.
so that's really cool yeah so actually graphing it out you actually kind of notice something interesting here going on right Monday Tuesday Wednesday Thursday Friday Saturday Sunday from top to bottom you'll notice that so the orange corresponds to the PNG timestamps the blue corresponds to the domain creation and the green is the file modification from the zip files you'll notice there's kind of a center going on on Monday to Friday I should also know these are all normalized to UTC and based on the data set because we had like about 2000 of the PNG timestamps unique ones only about a hundred of the domains and like 700 ish of the file timestamps but yeah so kind of a monday to friday
correlation here's by hours of the day same normalization process you'll notice kind of activity centers around 9 to 20 UTC so this is really interesting nothing no hard you know conclusions we can draw from this necessarily but still really interesting right yes this is pretty cool we actually I was like ok so I have all these things what does this all mean so we took a baseline of like activity for like yeah because I'm kind of thinking all right like this kind of looks like a 9 to 5 schedule maybe right so what does this look like compared to actual 95 schedule so we're networking networking company we have a lot of customer data so we take like a baseline
activity curve for people working 9:00 to 5:00 in the timezone we normalize that to UTC and then we compare that with the different data sets that we have so from left to right you have the domain creation file modification the PNG timestamps and basically we're looking for where it's closest to zero is the closest match between like a the baseline curve and the attacker curve but yeah so this actually kind of raised just more questions than actual answers because if you if you look back at this this last graph the far-right one actually kind of corresponds to like a et Cie shift of minus one but those ones actually had timestamp the timezone information included which said plus
four so since there was that discrepancy it's like okay what is that what's that telling us like you know it kind of makes a lot of different narratives possible right so being a red team guy I'm naturally staring at this adversary making millions of dollars and wondering why I never did this exact technique for years and so I kind of took a page out of their book and decided to go be evil for a while and satisfy that craving before coming back to blue so what makes current like stepping his back of this like why was this adversary so brilliant to do it like this frankly like leveraging Google Chrome is a fantastic technique general people trust the
chrome store like more than they trust random XD downloaded from the internet or from a spear phishing email Google wants open development so people are inherently trusting like an open data and open development model and I can bet you most people in here well raise their hand saying they're using Chrome extensions aren't code reviewing every extension you download like maybe some like maybe you'd eke out over that but most times you're downloading a Chrome extension because you want quick utilities and so that would defeat the whole quick piece of that and so essentially people trust Google Google trust everyone so people trust everyone not exactly a great model it gives you code execution in the browser it gives you the access
to Google's API is everyone does all their Google so you have access to everyone's work so stepping back and kind of walking through the adversary lifecycle I decided to research each page of this so if I was a bad guy how would I start from Ground Zero and build a malicious chrome of capability so looking at delivery and installation there's a number of different ways that Chrome extensions can get installed inside of a user's browser the simplest would be something like fishing with a link to the chrome store maybe I just convince someone that there's some policy at their company and they need to come download the company's chrome app maybe I've lized it really well and made it
beautiful lure and convince them to come download it they click on a link there's nothing hard to do this you can get links to the chrome store and it launches a chrome store and ask them to install everything clever enough lure it works maybe you want to do this as a post exploitation thing you get access to a user workstation you want to install your extension for persistence there's a couple different ways you can do this the my favorite one was doing this via their registry so simply adding a registry key all of a sudden the extension downloads into the browser like no user prom no user notification like this add this key extension installs from the store so pretty
fantastic post exploitation method pretty easy to do notice the six tub extender like I got a extension in there for just to prove I could do it for 20 minutes and then I deleted it but this is a fully fledged extension that was in the store that used the exact same staging technique the bad guy was doing so totally possible to get an extension in the store and and use it for this purpose so post exploitation this is really what like a geek out on as a Red Team guy we spent 90% of our team time doing post exploitation stuff and average Sarah I can climb environments and so what exactly do I get by getting
Chrome well the simple answer is you basically get full control of the chrome system so that includes screen capture of chrome tabs key logging of the Chrome browser hooking forms so anytime anyone submits a form you can gain an execution hook in there to access that data redirection so if I want to like intercept a request and change the route it goes social engineering so the ability to pop messages communicate with the user give the pretty images and techniques and then browser pivoting so if you're familiar with that concept basically forcing a users browser to browser where you would like under that under the context that they already have established so walking through specifically the injection technique so
I told you I replicated the adversaries injection technique I'm gonna give tidbits of how this tool works I have not released and will not be releasing this tool for open consumption but there are enough pieces if you take a lot of pictures to get this going so the picture here this is essentially showing how I staged down a message into the application so in this case there's a JavaScript blob it doesn't get JSON requests somewhere I simply respond with a JSON blob which is a picture in the bottom message success and then I do it I end it with a dot replace and like do this fancy evasion technique basically I'm appending JavaScript that thoughtful
skated on to the JSON request or reply that gives me execution of my rat so we're gonna walk through a bunch of examples in this one I'm gonna hook form submission so I have a Chrome extension calling back to my controller I'm gonna task my controller up through the API to start a form capture specifically for that client ID you're gonna see my server said cool I understand what I'm doing and I'm gonna come over to my magic Facebook window I'm gonna log in with my six double net account which is not my real account and then you know what you'll see here is that the browser that I formed hooked captured that and sent those credentials back up to my
controller for storage so then I can go in and ask my controller to get the results of that tasking and you can see I got the password so basically hooked into the form extension using chrome Dobbs execute script and got back the results and sent it up next cool one key logging this isn't really on special JavaScript key loggers have been around for years basically what I did here is leverage the ability to inject JavaScript in tabs to selectively inject a JavaScript key logger into the tab the key piece or fun piece about this is my JavaScript key logger that I would jekt used chrome messages to communicate back to the extension so like my
JavaScript blob that was injected into the site did not communicate out directly it communicated back to the extension and the extension communicated out through the web socket that had already had so no new tunnels standing up no new communications all using Chrome's messages which allow tabs that communicate across you could see essentially in here I'll let her run through one more time cos the keylogger typed in a cool sensitive message in the in the box it was all logged using Chrome messages exfiltrated out through the Chrome extension I said the default is capture like 15 seconds of this tab but you know all this is configurable depending on how much JavaScript kung-fu you want to do and in this case I'm
hooking Gmail but you could really hook any site here that you wanted to that you're able to get JavaScript injected into this is my personal favorite every red teamer is a voyeur don't let them tell you otherwise like they their whole job is to conduct espionage and companies and like learn use that for their advantage and so in this case I love screenshots like sharing a text all day is fun but staring at pictures and much more fun in this case you can use the chrome API to do chrome tabs that capture visible tab which essentially allows you to capture a picture picture of whatever the tab is extensions can do this as long as they have the proper
permission, and so I had my extension the ability to arbitrarily get screen captures of whatever web pages, and then exfiltrate that out as a data blob through the normal WebSocket to that server side, and then allow you to download and process that. So you can see here I had a user that was browsing the old Iceberg website; I was able to get a screen capture of what they're browsing, in this case a picture of one of our researchers hard at work on his mechanical keyboard pounding away on some code. But screen capture: this could be anything from bank sites to your most sensitive health information that you're browsing, and your extension's rolling this all the time. The possibilities
are endless. And then my personal favorite: anyone use, like, browser pivoting inside Cobalt Strike, sorry, or Metasploit? Some, maybe a person or two. The whole concept is, if I issue a request in the context of the browser, it's gonna use whatever session information and cookies that the browser already has established, as long as the request is coming from the browser and the proper, like, cross-origin stuff, okay. So if I can issue a request from the context of, I don't know, a Gmail tab, it'll have the session initiated and established from Gmail. Well, this extension can issue requests from any context that you have open. So if I can force my extension to log in to
Gmail from a Gmail tab you already have open and pull that request's information back, I can see, I get, essentially I can browse your Gmail inbox. I can pivot, or request to Gmail through an already existing Gmail window, and get the results and display it. So in this case you can see here I task my thing to issue a mail.google.com request, and then what you'll see is I get the reply back, and I basically get the HTML back from my inbox, and then I'm able to kind of just grep through that HTML. In this case I grep for, like, I think "secret password", because proof of concept here, and I don't know,
who has password resets coming to their email all the time? Yeah, like everybody. So it's kind of a proof of concept here, but I could browse any CAC-enabled sites, for the DoD folks in the room, two-factor-enabled sites: if you've got a session established, they're able to be hit with this technique. It's from an extension that you've installed. The last one I have is this concept of, like, I want to gain code execution through an extension, because that's the ultimate sexiness, like user installs extension, I get a shell, like how does that work? And so in this case I kind of did a rigged proof of concept where I set up a
vulnerable server, vulnerable to deserialization, inside of a network, and I use this same exact browser pivot technique to issue basically a serialized exploit, so a serialized object in my request that's specifically crafted to take advantage of this vulnerability. And what you'll see here is I'm issuing this tasking; if I'm successful I get code execution, I drop hi.txt to the directory, and so you can see in the top right there a text file appears. That could have been a shell calling out, or PowerShell running, or, I don't know, C# is the cool kid thing nowadays, so like maybe I, you know, did DotNetToJScript to get a C# module injected
or some technique. I get code execution on a vulnerable server sitting internal to a network, not public facing, all via Chrome extension. So there's a leap in there that I'll leave unsaid, like how do I know it's there, how do I scan the network, but it proves it out in the lab; it's very possible. So jumping into kind of the defensive side. Yeah, so who here has heard of the MITRE ATT&CK framework? Cool kids, awesome. Yeah, so we actually worked with them to get this added in as a couple of items here: so man-in-the-browser, as Justin was talking about, and browser extensions themselves as both a persistence mechanism and as a collection mechanism. The persistence
part is pretty cool because not only with, like, the background permission set, but I mean your user is basically just gonna start up Chrome every time they start their computer. So I would highly recommend, if you're out discovering, like, new offensive tradecraft, or you're a threat intel person finding stuff in the wild, like, work with MITRE and get it added. You'll have the ability to affect hundreds of security programs versus just your own, right, because a lot of people go through this framework in, you know, validating, like unit tests, of like these are, you know, it's an attempt at, like, an exhaustive list of all of the bad things that someone can do to a system to, you
know, gain persistence or whatever, right? So people will go through this list and make sure that they're covered in all these different areas. So this is really, really important. It was a lot of fun working with the MITRE guys and getting this added. Okay, yeah, so where do extensions live on a system? Three places: on macOS it's there, Windows, Linux. So if you need to look for extensions doing weird stuff, those are the three places, that's it, super simple, really nice that it's not spiderwebbed all over across the computer. For network, just looking for an Origin header. That being said, that's only for CORS requests though, or like requests that invoke, like, cross-origin resource sharing stuff, so
certain, like, GET requests won't actually trigger this. So osquery, you guys familiar with osquery? Some, okay, maybe, kind of, okay. Well, so it's basically just a way of, it's like kind of looking through, like, a system. It creates, like, kind of SQL tables of different configurations on your system, so you can do, like, a lot of different stuff, like taking these over time is really cool; that way you can kind of track changes to a system over time. And they've actually got a Chrome extensions table defined in here, which is super cool. The persistent flag here, it's a little confusing in my opinion, because it's basically just specifying whether or not
the background script is active at all times, which is not exactly the same as, like, the background permission, which I think would be more interesting. Yeah, Chrome extensions, so Chrome actually, they have, like, this whole GPO thing that you can import. With it, yeah, 365 policies, a policy for every day of the year, of different policies that you can import into your Active Directory and get a lot of much more modular control over extensions, as far as, like, kind of, you know, tightening stuff down security-wise. There's these extension install blacklist, whitelist, and force list, so the force list will make sure that every system, you know, in your domain is forced to install this thing, and then whitelist
are, like, what are good acceptable extensions for your enterprise, and then blacklist is of course, you know, this is a known bad extension, let's blacklist it, I don't want that here. You can also do blacklist for all extensions: I don't want anyone installing stuff, if you're really paranoid. And your users will see this type of thing, "it's blocked by the admin", and so then they can go and bug IT to let them install it. So I'm a former intel guy, former red teamer and intel guy, the dual personality some days. We had this concept in the military called getting "left of boom". For counterterrorism purposes the idea was, like, we want to get ahead of when bombs
are detonating, so we want to know about something before it's happening, for the purpose of issuing early warning and prediction and stopping it. And a lot of what I do on the Gigamon side is similar, so I'm a threat intel dude here. Everyone probably has strong opinions about threat intelligence depending on how your organization implements it and does it. There's different levels, strategic to tactical to functional and all these things. In my opinion, threat intelligence's key role is to inform decision makers and then prioritize and support defensive efforts across the entire spectrum. So that kind of includes three key areas: I'm doing everything I can to support responders and inform them and enrich them with more
information about what they're responding to. I'm informing detection efforts, so maybe I have a SOC or detection team; my goal is to, like, make them understand how threats work. That's the point of boom; I'm supplementing that point of boom by helping them boom on more things and boom more intelligently. And on the left-hand side, which is what we're gonna talk a little bit about now, is early warning: I want to discover things before they ever affect my organization. So you might be wondering how you do this for Chrome extensions if you're a threat intel person. Well, if only there was a data source that was constantly crawling and categorizing every Chrome extension for the past couple years. There exists such
a resource. It's not ours by any means, we don't run it, use it at your own risk with all the normal legal disclaimers, they're crawling Chrome, but it's a fantastic data set to look at and it proves to be very useful if you want to go get access to bulk Chrome information. So what kind of things can we do, and like generic hunting, like I want to discover things before they're known bad? We can kind of generalize some of the things we're looking for. So rather than just looking for specific variable names tied to a campaign we are tracking, let's just look at suspicious variable names. So what makes a variable name suspicious? I don't know, like random
hex, because variable names shouldn't be named random hex, or for humans. And so that's kind of the one on the left. The top right is kind of the JavaScript key logger functions that are commonly used, so if they're not obfuscated, looking for the key codes or key press functions. Extensions should not be logging key presses very often, so this one tends to be a slightly better confidence one. And the bottom right, looking for extensions kind of setting cookies and storing information that might be useful for configuration. Examples of what we found using these, like these three rules, which basically are what I constantly have looking at stuff like this: the left one is all the
hex variable names again. All three of these, like, I'm not a hundred percent sure they're evil, but they don't look normal, like this isn't what I normally see when I'm installing my browser: a whole bunch of hex, obviously obfuscated Chrome code. The middle one, the middle one you have .NET DLLs in your Chrome extension; like, don't know why Chrome, like, it's inherently a static web page, a Chrome extension, should have all these C# .NET Mono libraries all loaded up inside of it. And the right one, you see every file is just named with, like, a single character; looks like they tried to do some sort of smash-and-grab on the file names, like obfuscation. So again we can
kind of hunt and start going through these. We can work with Chrome to notify, or if you're an intel organization you can protect your customers by adding another touch point of finding evil and stopping it before it affects them. So getting to the wrap-up point a little bit early, but some things I really want you to take away. So stepping back to a larger view: Chrome is just one, Chrome extensions are just one example of potentially unwanted applications or software. It's not specifically some APT threat; depending on who's using it, it's just generically maybe it's not wanted, the admin doesn't want that level of ability. And in general I've seen kind of a couple different strategies with
potentially unwanted applications. One is people will try to educate the users, or like "I don't want to lock down my users, I'm just going to make them experts in computer security so they never get our organization owned." I think most people in the room can see the issue with that and have probably dealt with some issues with that. It's possible to an extent, but the user's gonna use. As Matt Nelson, who I used to work with, always said, this is, like, simply not going to prevent users from doing something like this, so you need a combination. That brings in the second viewpoint, which is control the users. Some people go overboard with this, it's like "I want to
lock down everything, they can never do anything without calling me," and then they get to answer phone calls at 2:00 in the morning all the time for things that maybe they should have just let in the first place. So you can see I kind of have the perspective that it should be a mix of both, like there should be some amount of technical controls. You can do a good analysis of what your organization and your company actually require and what your users require, allow that, and then prevent the rest. I'm a pretty big whitelisting fan across all of the security spectrum. I understand it's hard; Chrome makes it pretty easy with the GPOs as long as you can enumerate what your
organization needs and you're willing to suffer for the first couple months as you roll out the policy, as you discover more things. So what's next? This research kind of, it still has a lot of unanswered pieces, and for the rest of our lives. So I'd love anyone who is interested in this stuff to get going, download the archive, play with it, go hunting. Some areas we were really interested in: other browsers. So as they roll out that WebExtension API, can these same, like, Chrome RATs you develop in Chrome work on Edge or IE or Firefox or any of these other places? Is there a common API that can be implemented, essentially getting a cross-platform RAT in the browser? It'd be
very useful, would be very interesting. Continued monitoring of this: this campaign is still going, we're still tracking and working with Google on this. It's kind of hard to get in the head of these guys; they evolve like every adversary, and so it takes a lot of close monitoring. As you find stuff, set up monitoring, go look for it, see if they evolve, see if they adapt. It can be really useful both for yourself and an organization but also from a research perspective, very interesting to see. And then there's plenty of work to do. We found all sorts of malicious stuff in the store, code execution methods; I'd be particularly interested if we can get
more system code execution techniques or easier ways going beyond the browser: how can I get from extension land into system land? I'd imagine there's probably tons of ways. I never opened a debugger during any of this, like this was all very simple, like surface-level research. There could potentially be a ton of different avenues here that aren't looked at, because people frankly aren't looking at Chrome extensions from a pure security perspective very often. And then again, continued bad guy tracking, it's like a double foot stomp, like bad guys are there, like we should keep watching them. So I have a little bit of time for questions if there's any in the room. One in the back left.
Yeah, so the question was: we mentioned that the other browsers are adopting the WebExtension API; is the GPO cross-browser or is that just for Chrome? Pretty sure that's just released by Google for Chrome specifically, Chrome for Enterprise GPOs. I'm not sure if the other browsers have something like that. I'm sure Microsoft might have stuff set up for Edge and stuff, I'm not actually sure, yeah, I'd have to verify that, but I don't know of anything that Mozilla is doing or any of the other major players in the browser field.
The question was: any difference in behavior between Chrome user level and Chrome Enterprise? I didn't see any. Yeah, no, I think those pretty much operate the same, like it's still the same browser, it just has certain hooks, yeah, kind of, so that it allows, you know, your domain to kind of mess with it; more touch points for admins. Honestly, I think that's really the only thing we observed. Yeah, oh, middle.
So the question was: given the amount of users and following these extensions, is there any disclosure concerns as far as, like, releasing what we discovered? In terms here, yeah, absolutely, I would say absolutely. We coordinated all this with Google; we've been doing this for almost a year and a half now, and many of the ones that we listed and showed here are way, way old. I personally feel there are; I mean you've got an affected user pool that's very large. I think that it would be good due diligence to share with Google, who's gonna take them down, before releasing open research. Purely my opinion as I stand wearing a Gigamon shirt, but I think in general I like to
work with the vendors and solve the real problem before going out and sharing it, right, responsible disclosure and all that. We've worked with Google and stuff before we release our blogs, just to make sure that everything's cool, and then we're like "hey, look at this cool stuff we did." I'd also add that we've taken it a step further and we've, like, volunteered and tried to work with them to do more, like, general work, like "here's what we're doing to discover these" and like "here's our YARA sigs," and we're trying to encourage them and help them along the path of finding generic things. I mean, they don't usually need our help, they're the experts at Google, but we'd like
to offer it. It's good, like we've done the research, might as well share.
The question was: is there any commonality between the domain registration and hosting providers used? Yes, yes, yeah. The domain registration, I believe it was all privacy protected, am I correct? Yeah. But WHOIS: the same hosting provider, same ASN, and it was all in the same class C netblocks. We shared these indicators on a blog if you want to go look at the class C netblock; it's pretty prevalent there. They actually had an infrastructure that was, like, up to at one point 30 or 40, like, C2 servers. It's a pretty massive infrastructure for a single campaign in a Chrome extension, so you can kind of see the scale of operations, like
it makes sense that they're doing this on a larger scale, and they're pretty much all there, and we've done all the notifications, all the different routes you can notify people about all these things. One thing missing is actually all of the C2 servers were at server l, which is, like, a hosting provider, so, you know, shared hosting, but they do hosting in various locations around the world. All the C2 was in the Netherlands, interestingly enough; I assume that's because they thought that's a better place to host things legally, analytic assumption. Yeah, yeah, I mean, no, yeah, default to the Netherlands, yeah, we'll see, I don't know. But awesome, I think we'll wrap it up, and
if you guys want to talk, we'll be in the back here around the lobby. Thank you guys for your time.
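The talk describes three hunting heuristics for extension code (hex-looking variable names, key-logger functions, cookie and storage access), a fourth pattern from the examples shown (every file named with a single character), and says extensions live in three places on disk. The script below is an added example written for this page; it is not the speakers' or Gigamon's tooling and it is not the bulk-crawl data source the talk refers to. It walks a local Chrome Extensions folder, parses each manifest.json, and runs those heuristics over the extension's JavaScript. The default-profile paths, the permission list, the regular expressions and the sample extension built by run_demo are all assumptions constructed for the example.

```python
"""Hunt for suspicious Chrome extensions on disk (added example, not the talk's tooling)."""
import json
import os
import re
import sys
import tempfile
from pathlib import Path

# Permissions behind the capabilities demonstrated in the talk: persistence
# ("background"), tab and screen access, request pivoting, cookie theft. Assumed list.
RISKY_PERMISSIONS = {"background", "tabs", "activeTab", "cookies", "webRequest",
                     "webRequestBlocking", "desktopCapture", "<all_urls>"}

# Declared identifier with a long hex-looking name that contains a digit, e.g. "var _0x4a3b2c".
HEX_IDENT = re.compile(r"\b(?:var|let|const|function)\s+[_$]?(?:0x)?(?=[0-9a-fA-F]*\d)[0-9a-fA-F]{6,}\b")
# Key-logging APIs: keyCode reads and key event handlers.
KEYLOG_API = re.compile(r"\b(?:keyCode|onkeydown|onkeypress|onkeyup)\b"
                        r"|addEventListener\(\s*['\"]key(?:down|press|up)['\"]")
# Cookie or extension-storage access a malicious extension would use for config or loot.
COOKIE_API = re.compile(r"document\.cookie|chrome\.cookies\.|chrome\.storage\.")


def default_extension_dir(platform=sys.platform):
    """Extensions folder of the default Chrome profile (assumed standard per-OS paths)."""
    home = Path(os.path.expanduser("~"))
    if platform.startswith("win"):
        return Path(os.environ.get("LOCALAPPDATA", home)) / "Google/Chrome/User Data/Default/Extensions"
    if platform == "darwin":
        return home / "Library/Application Support/Google/Chrome/Default/Extensions"
    return home / ".config/google-chrome/Default/Extensions"


def scan_js(text):
    """Return heuristic hit counts for one JavaScript source string."""
    return {"hex_identifiers": len(HEX_IDENT.findall(text)),
            "keylogger_apis": len(KEYLOG_API.findall(text)),
            "cookie_access": len(COOKIE_API.findall(text))}


def scan_extension(ext_dir):
    """Inspect one unpacked extension directory (the one holding manifest.json)."""
    ext_dir = Path(ext_dir)
    findings = {"path": str(ext_dir), "name": None, "risky_permissions": [],
                "persistent_background": False, "single_char_files": 0,
                "hits": {"hex_identifiers": 0, "keylogger_apis": 0, "cookie_access": 0}}
    try:
        manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        findings["error"] = "unreadable manifest"
        return findings
    findings["name"] = manifest.get("name")
    declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    findings["risky_permissions"] = sorted(declared & RISKY_PERMISSIONS)
    background = manifest.get("background") or {}
    # Manifest V2 background pages are persistent (always running) unless "persistent": false.
    findings["persistent_background"] = bool(background) and bool(background.get("persistent", True))
    for path in ext_dir.rglob("*"):
        if path.is_file() and len(path.stem) == 1:
            findings["single_char_files"] += 1       # the one-letter filename pattern
        if path.suffix.lower() == ".js":
            for key, count in scan_js(path.read_text(encoding="utf-8", errors="replace")).items():
                findings["hits"][key] += count
    return findings


def scan_extension_root(root):
    """Scan every <id>/<version>/ directory under a Chrome Extensions folder."""
    root = Path(root)
    manifests = sorted(root.glob("*/*/manifest.json")) + sorted(root.glob("*/manifest.json"))
    return [scan_extension(m.parent) for m in manifests]


def is_suspicious(findings):
    """Flag an extension when code heuristics fire alongside risky permissions."""
    hits = findings["hits"]
    return bool(findings["risky_permissions"]) and (
        hits["hex_identifiers"] > 0 or hits["keylogger_apis"] > 0 or findings["single_char_files"] > 0)


def build_sample_extension(root):
    """Write a constructed sample extension (not a real one) in Chrome's on-disk layout."""
    ext_dir = Path(root) / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "1.0"
    ext_dir.mkdir(parents=True)
    (ext_dir / "manifest.json").write_text(json.dumps({
        "manifest_version": 2, "name": "Constructed Sample", "version": "1.0",
        "permissions": ["tabs", "cookies", "background", "<all_urls>", "storage"],
        "background": {"scripts": ["background.js"], "persistent": True}}))
    (ext_dir / "background.js").write_text(
        "var _0x4a3b2c = 'mail';\nvar _0xe1f9a0 = document.cookie;\n"
        "document.addEventListener('keydown', function (e) { send(e.keyCode); });\n")
    (ext_dir / "a.js").write_text("var normalName = 1;\n")   # one-letter file name
    return ext_dir


def run_demo():
    """Build the constructed sample in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_extension(tmp)
        return scan_extension_root(tmp)


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_extension_dir()
    for result in (scan_extension_root(target) if target.exists() else run_demo()):
        print(("SUSPICIOUS " if is_suspicious(result) else "ok         ") + json.dumps(result))
```

Run it with no arguments to scan the default profile's Extensions folder (or, if that folder is absent, the constructed sample), or pass a path to an exported Extensions directory from a forensic image. The hex-identifier rule is the noisiest of the three, as the talk notes, so is_suspicious only raises a flag when a code heuristic coincides with a permission that would make the finding actionable; tune the permission set to what your whitelist already allows.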