Posted

Hello guys,

I'm writing because we have a customer with a Chrome extension that is causing many connections to malicious websites.

How can we determine which extension is the cause of those connections so we can send it to ESET's Labs in order to add a detection? This customer is also using EEI, but the executable is Chrome.exe and we can't find which extension is causing this behavior.

Regards.

Posted
12 hours ago, Lockbits said:

How can we determine which extension is the cause of those connections so we can send it to ESET's Labs in order to add a detection?

I assume you are aware of the "trial and error" method. Disable all extensions. Then enable them one by one until you observe the behavior described.

Also, and surprisingly, someone in the Chrome forum stated ESET's SysRescue is good at detecting malicious extensions:

Quote

ESET offline USB rescue environment had one too, but that's a lot of manual work. It detects injected pics, fake Chrome database tmp files and cleans extensions.

https://support.google.com/chrome/thread/57201010/is-there-any-tool-that-can-scan-chrome-for-malware-and-or-reset-change-bad-settings?hl=en

Posted (edited)

Hello,

I finally asked the customer to send all extensions located at C:\Users\[login_name]\AppData\Local\Google\Chrome\User Data\Default\Extensions to us.

I checked them one by one using each extension's ID and visiting https://chrome.google.com/webstore/detail/extension_id (replace extension_id with the actual extension ID) until I found three suspicious ones and discarded the others.

One of the three was indeed confirmed as malicious by ESET Labs:

The detection for this threat will be included in the next update of detection engine, expected version: 23400.
2.9_0.crx - JS/ExtenBro.Agent.EE trojan

In case anyone needs to report suspicious extensions, that's a good approach.

Edited by Lockbits
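As an added example (not the poster's or ESET's code) of the review described above, this Python script walks an exported Extensions folder, reads each manifest.json, prints the Web Store URL for every extension ID and flags permission combinations that give an extension access to arbitrary sites. The sample profile, extension names and IDs are constructed; the risky-permission lists are the author's own triage heuristics, not a detection rule.

```python
"""Triage an exported Chrome 'Extensions' folder: list IDs with Web Store URLs, flag risky permissions."""
import json
import tempfile
from pathlib import Path

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # host patterns covering every site
SENSITIVE_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest", "proxy", "tabs", "scripting"}

def triage_extension(ext_dir: Path) -> dict:
    """Chrome stores Extensions/<id>/<version>/manifest.json; read the newest version's manifest."""
    versions = sorted(p for p in ext_dir.iterdir() if (p / "manifest.json").is_file())
    manifest = json.loads((versions[-1] / "manifest.json").read_text(encoding="utf-8"))
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions". Content scripts count too.
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    checks = (("broad host access", hosts & BROAD_HOSTS), ("traffic/tab control", perms & SENSITIVE_PERMS))
    reasons = [f"{label}: {', '.join(sorted(found))}" for label, found in checks if found]
    return {"id": ext_dir.name, "name": manifest.get("name", "<unnamed>"), "version": manifest.get("version", "?"),
            "store_url": f"https://chrome.google.com/webstore/detail/{ext_dir.name}",
            "suspicious": bool(reasons), "reasons": reasons}

def triage_profile(extensions_root: Path) -> list:
    """Triage every 32-character extension directory; suspicious entries sort first."""
    dirs = [d for d in extensions_root.iterdir() if d.is_dir() and len(d.name) == 32]
    return sorted((triage_extension(d) for d in dirs), key=lambda r: (not r["suspicious"], r["name"]))

def build_sample_tree(root: Path) -> Path:
    """Constructed sample profile (made-up IDs): a benign note-taker and an interception-capable extension."""
    manifests = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.0_0": {"manifest_version": 3, "name": "Notes", "version": "1.0",
                                                  "permissions": ["storage"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/2.9_0": {"manifest_version": 3, "name": "Free Coupons", "version": "2.9",
                                                  "permissions": ["webRequest", "webRequestBlocking", "tabs"],
                                                  "host_permissions": ["<all_urls>"],
                                                  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}}
    for rel, manifest in manifests.items():
        (root / rel).mkdir(parents=True)
        (root / rel / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

def demo() -> list:
    """Build the constructed sample in a temp dir and triage it."""
    return triage_profile(build_sample_tree(Path(tempfile.mkdtemp()) / "Extensions"))

if __name__ == "__main__":
    for rec in demo():
        status = "SUSPICIOUS" if rec["suspicious"] else "ok"
        print(f"{status:10} {rec['id']} {rec['name']} {rec['version']} {rec['store_url']} {'; '.join(rec['reasons'])}")
```

Point triage_profile() at the real exported folder (the path quoted in the post) to get the same report for a customer profile; the flagged entries are the ones worth checking in the Web Store and forwarding to Labs.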
Posted (edited)

The bottom line is this.

There are and have been so many malicious Chrome Store extensions that any corp. admin who lets employees install these extensions "needs to be shown the permanent exit door." Browser extensions need to be vetted just like any other installed software on corporate devices; if that is even being done, by standalone device testing not connected to the corp. network. Only vetted extensions should be allowed installation on devices attached to a corp. network.

Edited by itman