Snort mailing list archives

Re: Malicious Chrome Extensions


From: "Stanwyck, Carraig - ASOC, Kansas City, MO" <Carraig.Stanwyck () asoc usda gov>
Date: Wed, 9 Nov 2016 06:06:22 +0000

Good Evening,

Another quick update.  We identified more traffic with this rule from yet another domain on the list of Viacheslav 
Zinkevich registered sites (whywhat.top).  For anybody not tracking, I've attached the list of domains again.  This is 
now the 5th domain registered by this guy that's associated with malicious chrome extensions.

Regards,
Carraig Stanwyck
USDA | OCIO | ASOC


From: Stanwyck, Carraig - ASOC - Kansas City, MO
Sent: Thursday, August 25, 2016 1:26 AM
To: emerging-sigs () lists emergingthreats net; snort-sigs () lists sourceforge net
Subject: RE: Malicious Chrome Extensions

I just wanted to follow up...

The published rule has already caught another malicious extension from a different domain that I included in the 
original text file of suspected domains, so it appears my suspicions were correct.  That said, I still have little 
information.  We have identified 3 infected hosts, but were only able to retrieve the extensions list on one of the 
machines.  Once the extensions were cleared, the traffic stopped.  That said, I haven't identified the malicious 
extension.

Installed Extensions on Infected Host:

- Amazon Assistant for Chrome
- Ambient Aura
- Chromarks - Chrome Bookmarks Menu
- Extensions Manager (aka Switcher)
- Fair AdBlock (by STANDS)
- Fair Adblock App (by STANDS)
- Fair Ads (by STANDS)
- Google Cast
- Google Chrome to Phone Extension [DEPRECATED]
- Google Contacts Launcher
- Google Docs Offline

I haven't found anything malicious on these when researching them, but your mileage may vary.  Deleting them all stopped 
the malicious traffic.

Regards,
Carraig Stanwyck
USDA | OCIO | ASOC



From: Stanwyck, Carraig - ASOC - Kansas City, MO <Carraig.Stanwyck () asoc usda gov>
Sent: Friday, August 05, 2016 7:32 AM
To: emerging-sigs () lists emergingthreats net; snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Malicious Chrome Extensions

Good Morning,

I have identified what I am almost certain is traffic from malicious chrome extension infections on our network.  The 
IOC in my case is hxxp://brainlog.top, which has the same registrar (VIACHESLAV ZINKEVICH) as 100+ other suspicious 
domains (attached), including 4chan-plus.com, which has a reddit PSA 
(https://www.reddit.com/r/chrome/comments/4caqdv/psa_remove_4chan_plus_its_inserting_malware_into/) for the same 
activity we're seeing here.

Proposed rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malicious Chrome Extension"; 
flow:established,to_server; content:"page?url="; http_uri; fast_pattern; content:"user"; http_uri; content:"iframe="; 
http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:123456; rev:1; )

It'd be pretty easy to add some pcre into it if necessary, the patterns are consistent.

Example URIs (2 separate infections, delineated by the string following "user"):
/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=https://www.groupon.com/deals/k-f-custom-car-detailing&iframe=
/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=https://www.indiemerch.com/&iframe=
/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=https://www.indiemerchstore.com/&iframe=
/user/e43tohsduglaic1qnk5896fmyzjrbv0p/39344/page?url=https://www.full30.com/&iframe=
/user/e43tohsduglaic1qnk5896fmyzjrbv0p/39344/page?url=https://www.google.com/&iframe=
/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=http://l.instagram.com/?e=ATNv0z315R1OmkaGMEZAoaq-DKaekIneFy9u3I5gbf9ileNm211AFFAd&u=http%3A%2F%2Fwww.mixcloud.com%2Fdjhomeschool&iframe=
/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=http://money.cnn.com/2016/08/02/news/economy/donald-trump-hillary-clinton-facebook/index.html&iframe=
/user/bnd17qvgs0r4693lekp8mj52hwazxocf/318782/page?url=http://www.cnn.com/2016/08/03/europe/leopard-cubs-twycross/index.html&iframe=

Thanks,
Carraig Stanwyck
USDA | OCIO | ASOC
@C4RR41G

This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized 
interception of this message or the use or disclosure of the information it contains may violate the law and subject 
the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the 
sender and delete the email immediately.

Attachment: viacheslav_zinkevich_sites.txt
Description: viacheslav_zinkevich_sites.txt
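The proposed rule above keys on three URI substrings plus the absence of a Referer header, and the example URIs share a fixed shape (/user/<token>/<id>/page?url=<visited page>&iframe=). The following is an added example, not code from the original posts, that mirrors those content matches in Python, tightens them with the kind of PCRE the author says would be easy to add, and groups hits by the per-install token so separate infections can be counted the way the post does. The 32-character token length and purely numeric id are assumptions read off the example URIs, not a documented format, and the HTTP requests below are constructed from URIs on this page.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Regex form of the URI shape seen in the thread. The token length (32) and
# numeric id are assumptions taken from the example URIs. The url value is
# matched greedily up to the trailing "&iframe=" because one example carries
# an unencoded "&u=" inside the url parameter.
URI_PATTERN = re.compile(
    r"^/user/(?P<token>[a-z0-9]{32})/(?P<id>\d+)/page\?url=(?P<url>.*)&iframe=$"
)


class Hit(NamedTuple):
    token: str   # per-install identifier; distinguishes separate infections
    ident: str   # numeric id following the token
    url: str     # page the victim was browsing when the beacon fired


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request head into (method, uri, headers)."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _ = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def content_matches(uri: str, headers: Dict[str, str]) -> bool:
    """Mirror the rule's content checks: the three URI substrings must be
    present and no Referer header may be present (content:!"Referer|3a|")."""
    return (
        "page?url=" in uri
        and "user" in uri
        and "iframe=" in uri
        and "referer" not in headers
    )


def inspect(raw: str) -> Optional[Hit]:
    """Return a Hit when the request satisfies both the content matches and
    the stricter URI regex, otherwise None."""
    _, uri, headers = parse_request(raw)
    if not content_matches(uri, headers):
        return None
    m = URI_PATTERN.match(uri)
    if m is None:
        return None
    return Hit(m["token"], m["id"], m["url"])


def group_by_token(requests: List[str]) -> Dict[str, List[str]]:
    """Group visited URLs by token, i.e. one entry per suspected infection."""
    groups: Dict[str, List[str]] = {}
    for raw in requests:
        hit = inspect(raw)
        if hit is not None:
            groups.setdefault(hit.token, []).append(hit.url)
    return groups


def _req(uri: str, extra_headers: str = "") -> str:
    # Constructed request; brainlog.top is the host named in the post.
    return (
        f"GET {uri} HTTP/1.1\r\nHost: brainlog.top\r\n"
        f"User-Agent: Mozilla/5.0\r\n{extra_headers}\r\n"
    )


# Constructed sample traffic built from URIs quoted in the thread.
TOKEN_A = "bnd17qvgs0r4693lekp8mj52hwazxocf"
TOKEN_B = "e43tohsduglaic1qnk5896fmyzjrbv0p"
SAMPLE_REQUESTS = [
    _req(f"/user/{TOKEN_A}/318782/page?url=https://www.indiemerch.com/&iframe="),
    _req(f"/user/{TOKEN_B}/39344/page?url=https://www.google.com/&iframe="),
    _req(f"/user/{TOKEN_A}/318782/page?url=http://l.instagram.com/?e=ATNv0z315R1Omka"
         "GMEZAoaq-DKaekIneFy9u3I5gbf9ileNm211AFFAd&u=http%3A%2F%2Fwww.mixcloud.com"
         "%2Fdjhomeschool&iframe="),
    # Same URI but with a Referer header: the rule's negated match suppresses it.
    _req(f"/user/{TOKEN_A}/318782/page?url=https://www.full30.com/&iframe=",
         "Referer: https://www.full30.com/\r\n"),
    # Passes the loose substring checks but not the URI regex.
    _req("/api/user/page?url=https://example.invalid/&iframe="),
]

if __name__ == "__main__":
    for token, urls in group_by_token(SAMPLE_REQUESTS).items():
        print(f"token {token}: {len(urls)} beacon(s)")
```

Running the module prints one line per token with the number of beacons attributed to it. The Referer case is the caveat worth noting: the rule only fires when the beacon carries no Referer, so an extension that sets one would slip past both the rule and this mirror of it.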
