
Chrome Extensions Spreading Through Facebook Caught Stealing Data

by Yashasvi Jaiswal, May 13th, 2018
The Malware Kill Chain

Google Chrome extension installation is one of the most common methods cyber-criminals use to spread malware.

Although Google has removed all the malicious extensions, if you have installed any of them, you should uninstall it immediately and change the passwords for your Facebook, Instagram and any other accounts where you use the same credentials.

List of Malicious Chrome Extensions








Here’s the list of the malicious extensions:

1. Nigelify
2. PwnerLike
3. Alt-j
4. Fix-case
5. Divinity 2 Original Sin: Wiki Skill Popup
6. Keeprivate
7. iHabno
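To check whether any of the listed extensions is still present in a local Chrome profile, the names can be compared against each installed extension's manifest. The script below is an added example, not part of the original article; it assumes Chrome's default data directories on Windows and Linux and matches by name only, because the article gives no extension IDs, so a match is a lead to investigate and a clean result is not proof of absence.

```python
import json
import os
import sys
from pathlib import Path

# Names exactly as listed in the article; it gives no extension IDs.
FLAGGED = {"nigelify", "pwnerlike", "alt-j", "fix-case", "keeprivate", "ihabno",
           "divinity 2 original sin: wiki skill popup"}

def display_name(version_dir):
    """Return the manifest name, resolving a __MSG_key__ placeholder if used."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        path = version_dir / "_locales" / locale / "messages.json"
        messages = json.loads(path.read_text(encoding="utf-8-sig"))
        for key, entry in messages.items():  # message keys are case-insensitive
            if key.lower() == name[6:-2].lower():
                return str(entry.get("message", name))
    return name

def find_flagged(extensions_dir):
    """Return (extension_id, version, name) for installed extensions on the list."""
    hits = []
    for manifest in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            name = display_name(manifest.parent)
        except (OSError, ValueError, AttributeError, TypeError):
            continue  # unreadable or malformed manifest: skip it
        if name.strip().lower() in FLAGGED:
            hits.append((manifest.parent.parent.name, manifest.parent.name, name))
    return hits

def default_extension_dirs():
    """Assumed default Chrome data directories (Windows and Linux), all profiles."""
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data"
    else:
        base = Path.home() / ".config/google-chrome"
    return sorted(base.glob("*/Extensions"))

if __name__ == "__main__":
    for ext_dir in default_extension_dirs():
        for ext_id, version, name in find_flagged(ext_dir):
            print(f"{ext_dir}: {name} (id {ext_id}, version {version})")
```

Run it with Chrome closed and once per user account. Any hit should be followed by removing the extension and changing passwords, as described above.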

Once the extension is installed in the Chrome browser, malicious JavaScript is executed that downloads the initial configuration from the C2 server.

Configuration File

Afterwards, a set of requests is deployed, each with its own purpose and triggers.

Communication Protocol

The malware depends on Chrome and runs on both Windows and Linux.






Malware Capabilities:

1. Data Theft
2. Facebook Propagation
3. YouTube Fraud
4. Cryptocurrency Mining
5. Persistency @Google