Lockbits 11 Posted June 2, 2021 Hello guys, I'm writing because we have a customer with a Chrome extension that is causing many connections to malicious websites. How can we determine which extension is the cause of those connections so we can send it to ESET's Labs in order to add a detection? This customer is also using EEI, but the executable is Chrome.exe and we can't find which extension is causing this behavior. Regards.
itman 1,799 Posted June 2, 2021 12 hours ago, Lockbits said: How can we determine which extension is the cause of those connections so we can send it to ESET's Labs in order to add a detection? I assume you are aware of the "trial and error" method. Disable all extensions. Then enable them one by one until you observe the behavior described. Also, and surprisingly, someone in the Chrome forum stated ESET's SysRescue is good at detecting malicious extensions: "ESET offline USB rescue environment had one too, but that's a lot of manual work. It detects injected pics, fake Chrome database tmp files and cleans extensions." https://support.google.com/chrome/thread/57201010/is-there-any-tool-that-can-scan-chrome-for-malware-and-or-reset-change-bad-settings?hl=en
Lockbits 11 Posted June 2, 2021 (edited) Hello, I finally asked the customer to send us all extensions located at C:\Users\[login_name]\AppData\Local\Google\Chrome\User Data\Default\Extensions. I checked them one by one using each extension's ID, visiting https://chrome.google.com/webstore/detail/extension_id (replace extension_id with the valid extension ID), until I found three suspicious ones and discarded the others. One of the three was indeed confirmed as malicious by ESET Labs: "The detection for this threat will be included in the next update of the detection engine, expected version: 23400. 2.9_0.crx - JS/ExtenBro.Agent.EE trojan" In case anyone needs to report suspicious extensions, that's a good approach. Edited June 2, 2021 by Lockbits
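The manual triage described in the post above (walk the profile's Extensions folder, note each ID, look it up on the Web Store) can be front-loaded with a script that reads every manifest.json and ranks the extensions before anyone opens a browser. The following is an added example, not code from the thread or from ESET; the sample extension IDs, names and manifests it builds are constructed for the demo and are not real extensions, and the "missing Web Store update_url" check is a heuristic, not proof of sideloading.

```python
"""Triage Chrome extensions from a profile's Extensions directory.

Added example, not code from the thread. Chrome keeps each installed
extension at <profile>\\Extensions\\<32-char id>\\<version>\\manifest.json.
The script walks that tree, reads name/version/permissions from every
manifest, resolves __MSG_*__ names via _locales, flags broad host access,
sensitive APIs and a missing Web Store update_url (heuristic only), and
prints the Web Store URL the post used for checking each ID by hand.
"""
import json
import re
import sys
import tempfile
from pathlib import Path

EXT_ID_RE = re.compile(r"^[a-p]{32}$")          # Chrome IDs: 32 letters a-p
RISKY_APIS = {"tabs", "webRequest", "webRequestBlocking", "proxy", "cookies",
              "history", "nativeMessaging", "management", "webNavigation"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
STORE_URL = "https://chrome.google.com/webstore/detail/{}"
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def resolve_msg(value, ext_dir, manifest):
    """Resolve a __MSG_key__ placeholder from _locales/<default_locale>/messages.json."""
    m = re.fullmatch(r"__MSG_(\w+)__", value or "")
    if not m:
        return value
    path = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        return json.loads(path.read_text(encoding="utf-8-sig"))[m.group(1)]["message"]
    except (OSError, ValueError, KeyError, TypeError):
        return value


def host_patterns(manifest):
    """Host match patterns from MV2 permissions, MV3 host_permissions and content scripts."""
    hosts = {p for p in manifest.get("permissions", [])
             if isinstance(p, str) and ("://" in p or p == "<all_urls>")}
    hosts.update(h for h in manifest.get("host_permissions", []) if isinstance(h, str))
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return hosts


def triage_one(ext_id, version_dir):
    """Summarise one <id>/<version> directory and list the reasons it looks suspicious."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    hosts = host_patterns(manifest)
    apis = {p for p in manifest.get("permissions", []) if isinstance(p, str)} - hosts
    flags = []
    if hosts & BROAD_HOSTS:
        flags.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    if apis & RISKY_APIS:
        flags.append("sensitive APIs: " + ", ".join(sorted(apis & RISKY_APIS)))
    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:   # heuristic, not proof
        flags.append("no Web Store update_url (sideloaded or repackaged?)")
    return {"id": ext_id, "version": manifest.get("version", "?"),
            "name": resolve_msg(manifest.get("name"), version_dir, manifest),
            "hosts": sorted(hosts), "apis": sorted(apis), "flags": flags,
            "store_url": STORE_URL.format(ext_id)}


def triage_extensions(extensions_root):
    """Return one record per <id>/<version>/manifest.json, most suspicious first."""
    results = []
    for ext_dir in sorted(Path(extensions_root).iterdir()):
        if ext_dir.is_dir() and EXT_ID_RE.match(ext_dir.name):
            for version_dir in sorted(ext_dir.iterdir()):
                if (version_dir / "manifest.json").is_file():
                    results.append(triage_one(ext_dir.name, version_dir))
    results.sort(key=lambda r: (-len(r["flags"]), r["id"]))
    return results


# Constructed sample extensions (hypothetical IDs and manifests, not real ones).
SAMPLE_EXTENSIONS = {
    "abcdefghijklmnopabcdefghijklmnop": {
        "manifest_version": 3, "name": "__MSG_appName__", "version": "1.4.2",
        "default_locale": "en", "permissions": ["storage"],
        "host_permissions": ["https://example.com/*"], "update_url": WEBSTORE_UPDATE_URL},
    "ponmlkjihgfedcbaponmlkjihgfedcba": {
        "manifest_version": 2, "name": "Search Helper", "version": "2.9",
        "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
        "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]},
}


def build_sample_tree(base):
    """Write SAMPLE_EXTENSIONS as a Chrome-style Extensions tree under base."""
    root = Path(base) / "Extensions"
    for ext_id, manifest in SAMPLE_EXTENSIONS.items():
        vdir = root / ext_id / f"{manifest['version']}_0"
        vdir.mkdir(parents=True, exist_ok=True)
        (vdir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if "default_locale" in manifest:
            ldir = vdir / "_locales" / manifest["default_locale"]
            ldir.mkdir(parents=True, exist_ok=True)
            (ldir / "messages.json").write_text(
                json.dumps({"appName": {"message": "Note Keeper"}}), encoding="utf-8")
    return root


def demo_results():
    """Triage the constructed sample tree (used when no path is given)."""
    return triage_extensions(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    records = triage_extensions(sys.argv[1]) if len(sys.argv) > 1 else demo_results()
    for r in records:
        print(f"{r['id']}  v{r['version']}  {r['name']!r}  -> {r['store_url']}")
        for flag in r["flags"]:
            print("  !", flag)
```

Run it with the customer's copied Extensions folder as the first argument (`python triage_extensions.py "C:\...\User Data\Default\Extensions"`); with no argument it triages the constructed sample tree. The ranking is only a starting point: broad host access plus webRequest is exactly what a legitimate ad blocker asks for too, so the flagged IDs still need the Web Store lookup and, as in the post, a submission of the .crx or version directory to the vendor's lab for a verdict.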
itman 1,799 Posted June 2, 2021 (edited) The bottom line is this. There are and have been so many malicious Chrome Store extensions that any corp. admin who lets employees install these extensions "needs to be shown the permanent exit door." Browser extensions need to be vetted just like any other installed software on corporate devices, if that is even being done, by standalone device testing not connected to the corp. network. Only vetted extensions should be allowed installation on devices attached to a corp. network. Edited June 2, 2021 by itman