Counterfeit software, hijacked websites, injected advertisements, stolen privacy: is there anything these attackers will not do?


Situation overview

Recently, 360 Government and Enterprise Security received a large number of user reports that advertisements were being forcibly inserted into websites they visited, and that some of the advertisements could not be closed. Analysis showed that malicious browser extensions were injecting the advertisements into otherwise normal websites. Further tracing found that these extensions were mainly carried and installed by malicious downloaders promoted through search engine results. After analyzing the downloaders, we found that they impersonate more than 3,500 software titles, covering common categories such as office, industry, design and media. Once launched, they silently install malicious extensions into the browser. The extensions are cloud-controlled: they insert advertisements into the other websites the user visits and hijack e-commerce, navigation, private-server and other sites. The extensions also collect the user's browsing data and even harvest the user's feedback posts on the 360 forum and the QQ PC Manager forum. All hijacking rules are delivered from the cloud and encrypted with AES and DES.


Sample analysis

Trojan source

Take one of the samples, "Microsoft Office Word 2010 cracked version @377.exe", as an example:

[Figure: Counterfeit Word malicious downloader page]

The download page first checks whether the Referer comes from a search engine and whether the visitor's region matches before it returns the download link for the Trojan downloader. The hash of the downloader differs on almost every request, presumably to evade automated crawling and analysis tools.

[Figure: The malicious page generates the download link in real time based on these conditions]

After the Trojan downloader is downloaded and executed locally, its interface looks as follows:

[Figure: Trojan downloader interface]

If an analyst visits the page directly, it returns the download link for an ordinary downloader instead:

[Figure: Ordinary program obtained by accessing the malicious page directly]

Using scripts, we extracted the other software titles the Trojan impersonates and found more than 3,500 of them, including more than 40 office software packages.

[Figure: Keywords in fake installation package names]

The more than 40 office software titles mentioned above are as follows:

[Figure: Impersonated office software installation package information]

Code analysis

1. Check the environment, install a large number of programs and Trojans, and tamper with the browser homepage

Once the Trojan starts running, it first fetches the configuration file it needs for its subsequent steps from a remote link:

[Figure: Fetching the follow-up behaviour configuration file via the link]

Based on the contents of the configuration file, it first checks for anti-virus products, common packet-capture tools, ARK (anti-rootkit) tools, and even remote desktop, remote assistance and similar tools.

[Figure: Security analysis tool process names taken from the configuration file]

After profiling the current system environment, it extracts from the configuration file a list of download links for programs to be promoted. Besides ordinary promotional programs, the list also contains other Trojans.

[Figure: Promotion links decrypted from the configuration file]

The Trojan also tampers with the browser homepage; the new address is one of the links decrypted from the cloud-control configuration.

[Figure: Homepage-modification link list in the configuration file]

2. Install extensions, hijack websites, steal privacy

After completing the above work, the Trojan connects to the cloud to obtain a large number of malicious browser extension files and installs them silently. These extensions hijack navigation, e-commerce, private-server and other websites, collect the user's browsing data, and even harvest the user's feedback posts on security software forums. The cloud-control configuration randomly changes each extension's name, version number and other details to defeat clean-up by anti-virus software.

[Figure: A large number of malicious browser extensions]

The installed extension code is heavily obfuscated. The key hijacking code is fetched from the cloud in real time and wrapped in multiple layers of encryption, with each layer using a different key:

[Figure: Cloud-control hijacking rules encrypted with DES]

Decrypting one of the cloud-control hijacking rules shows that it hijacks multiple navigation and search pages:

[Figure: Hijacking of navigation and search pages]

We also found part of the code that hijacks e-commerce websites:

[Figure: E-commerce page hijacking code]

The hijacking rules differ slightly between versions. The pictures below show the decrypted hijacking rule code of another version.

[Figure: End of the search page hijacking code]

[Figure: Telecom recharge page hijacking code]

While hijacking pages, these browser extensions also simulate mouse clicks on navigation pages in order to inflate click counts and earn more commission.

[Figure: Simulated mouse clicks on navigation pages]

Worse still, the code also collects the user's posts on the 360 forum and the QQ PC Manager forum, as well as the file information submitted for sample scans on VirSCAN.org. Presumably this is to learn whether users are reporting the Trojan on these two forums and whether they have submitted its files for scanning.

[Figure: Monitoring access to security forums and multi-engine scanning websites]

[Figure: Sending back post titles from the 360 and QQ PC Manager forums]

[Figure: Sending back information on samples scanned with VirSCAN]

Similarly, the Trojan sends the URLs the user enters in the browser address bar back to its server.

[Figure: Sending back URLs entered in the browser address bar]

One version of the extension also determines the user's region via cloud control and inserts a 300×300 floating advertisement into the normally visited pages of users in specific regions.

[Figure: Floating advertisement inserted into the page]


Security advice

Users are advised to:

1. Install software from official websites and other legitimate channels wherever possible, so that your computer does not become a tool for criminals' hijacking operations.
2. If malicious advertisements appear in the browser, or a visit to a normal website automatically redirects to a site carrying affiliate links, run a scan with security software as soon as possible.
3. Turn on "Automatically disable extensions from unknown sources" in the browser.
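The advice above is about side-loaded extensions. As an added example (not part of the original 360 report), the following Python script audits a Chromium-based browser's extension settings for the pattern this report describes: an enabled extension that did not come from the Chrome Web Store yet holds the host access or APIs needed to rewrite visited pages. Field names follow the layout of Chromium's Preferences / Secure Preferences file; the sample JSON, the placeholder extension IDs and the update URL in it are constructed.

```python
import json

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_APIS = {"webRequest", "webRequestBlocking", "tabs", "webNavigation", "cookies"}

def extension_findings(entry):
    """Split one extension entry into (side-loading indicators, hijacking capabilities)."""
    manifest = entry.get("manifest", {})
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        perms |= set(script.get("matches", []))      # content scripts also grant host access
    sideloaded = []
    if not entry.get("from_webstore", False):
        sideloaded.append("not installed from the Chrome Web Store")
    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        sideloaded.append("updates from %s" % manifest.get("update_url", "no update_url"))
    capability = []
    if perms & BROAD_HOSTS:
        capability.append("can run in and modify every page the user visits")
    if perms & RISKY_APIS:
        capability.append("uses " + ", ".join(sorted(perms & RISKY_APIS)))
    return sideloaded, capability

def audit_extensions(prefs):
    """Return {extension_id: reasons} for enabled extensions that are both side-loaded
    and able to hijack pages, given the parsed Preferences JSON as a dict."""
    flagged = {}
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        if entry.get("state", 1) == 0:              # state 0 = disabled in Chromium's prefs
            continue
        sideloaded, capability = extension_findings(entry)
        if sideloaded and capability:               # both conditions must hold to flag
            flagged[ext_id] = sideloaded + capability
    return flagged

# Constructed sample in the shape of Chromium's Secure Preferences; IDs are placeholders.
SAMPLE_PREFS = {"extensions": {"settings": {
    "a" * 32: {"from_webstore": True, "state": 1, "manifest": {
        "update_url": WEBSTORE_UPDATE_URL, "permissions": ["storage"]}},
    "b" * 32: {"from_webstore": False, "state": 1, "manifest": {
        "update_url": "http://update.example.invalid/crx",          # constructed
        "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}},
    "c" * 32: {"from_webstore": False, "state": 1, "manifest": {"permissions": ["storage"]}},
}}}

if __name__ == "__main__":
    print(json.dumps(audit_extensions(SAMPLE_PREFS), indent=2))
```

Only the second sample extension is flagged: the third is side-loaded but holds no page-modifying capability, which is why the two conditions are combined rather than alerting on every developer-mode install.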



IOCs (partial)

HASH

844731eee1196d014169fb756ef7863e950e5ea0a8e80d154b1afe96d8b1829a

CRX IDs



Source: blog.csdn.net/aaahtml/article/details/115266762