Starting in or before July 2020, a malware operator began mobilizing new operations to infect users for a profit-generating scheme: selling fraudulent likes on social media. This operator escalated their infected user base this fall by purchasing and infecting well-rated Chrome extensions with over 350k combined users from their original creators. This post will clarify what happened, briefly explain how the malware works, and inform compromised users on what to do. The claims in this post are backed by my research into the operator, credible evidence from victims of this malware, and private conversations I have had with the original extension authors.

It’s important to understand that the guidance in this post is only known to be valid for these extensions on Chrome, and if you suspect another extension you use has been compromised, seek help from a qualified security professional. Additionally, this is a living document and may be updated if or when new infections are discovered.

With that out of the way, any users of these extensions within the impacted timeframes should be considered compromised:

User-Agent Switcher

  • Originally released by eSolutions Nordic AB, and sold to an anonymous third party
  • Users during infected period: up to ~100k
  • ID: clddifkhlkcojbojppdojfeeikdkgiae
  • Infected versions: 2.0.0.9, 2.0.1.0
  • Infected timeframe: August 28th, 2020 - October 15th, 2020

Nano Adblocker

  • Originally released by Hugo Xu, and sold to an anonymous third party
  • Users during infected period: up to ~182k
  • ID: gabbbocakeomblphkmmnoamkioajlkfo
  • Infected version: 1.0.0.154
  • Infected timeframe: October 15th, 2020 - October 16th, 2020

Nano Defender

  • Originally released by Hugo Xu, and sold to an anonymous third party
  • Users during infected period: up to ~260k
  • ID: ggolfgbegefeeoocgjbmkembbncoadlb
  • Infected version: 15.0.0.206
  • Infected timeframe: October 15th, 2020 - October 16th, 2020
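
As an added example (not part of the original post or the author's tooling), the check below walks a Chrome user-data directory and reports any of the three listed extensions it finds, using the IDs and infected versions from the list above. The on-disk layout and the function name `scan_user_data` are assumptions of this example.

```python
import json
import sys
from pathlib import Path

# Extension IDs and infected versions, copied from the list above.
INFECTED = {
    "clddifkhlkcojbojppdojfeeikdkgiae": ("User-Agent Switcher", {"2.0.0.9", "2.0.1.0"}),
    "gabbbocakeomblphkmmnoamkioajlkfo": ("Nano Adblocker", {"1.0.0.154"}),
    "ggolfgbegefeeoocgjbmkembbncoadlb": ("Nano Defender", {"15.0.0.206"}),
}


def scan_user_data(user_data_dir):
    """Return (profile, name, version, status) for every listed extension on disk."""
    findings = []
    # Assumed layout: <user data>/<profile>/Extensions/<id>/<version>_<n>/manifest.json
    for manifest in sorted(Path(user_data_dir).glob("*/Extensions/*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        if ext_id not in INFECTED:
            continue
        name, bad_versions = INFECTED[ext_id]
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            version = str(data["version"])
        except (OSError, ValueError, KeyError, TypeError):
            # Unreadable manifest: fall back to the "<version>_<n>" directory name.
            version = manifest.parent.name.rsplit("_", 1)[0]
        # A clean version on disk today does not clear the profile: an infected
        # version may have been installed during the timeframe and since replaced.
        status = "INFECTED_VERSION" if version in bad_versions else "OTHER_VERSION"
        findings.append((manifest.parents[3].name, name, version, status))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit('usage: python check_extensions.py "<Chrome user data directory>"')
    for row in scan_user_data(sys.argv[1]):
        print("\t".join(row))
```

An `OTHER_VERSION` result still means the extension was installed, so the infected timeframes above decide whether the profile should be treated as compromised.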

Additional Suspects

Other extensions previously owned by eSolutions are also being investigated, and have allegedly been removed from the Chrome Web Store after being infected with similar malware. Please see the How Can I Help? section if you have additional information about those extensions or other extensions which may be compromised by this specific strain of malware. To learn more about how these extensions operate, go to the What Did These Do? section.

What Happened?

In brief, a malware operator has started approaching developers of popular Chrome Web Store extensions, which have:

  • Permission to read and modify all data on all sites (ex. adblockers, development tools).
  • A long malware-free existence (years).
  • High ratings (generally, >4.0).
  • Hundreds of thousands of active installations.

They approach these developers as an anonymous party - generally as a student or a developer just starting out - and ask to purchase rights to the extension. Sometimes those are full rights, and the malware operator assumes full control of the extension (promising to maintain it); other times they negotiate a deal where they only buy the rights to the existing extension and userbase, and allow the original author to upload a new copy of their extension.

Once control of the extensions is handed over to the developers, they load whatever the current version of their malicious payload is, and all users who have these extensions are infected as Chrome automatically updates them - rolling out malware to hundreds of thousands of users. Given the similarities between both of these infections

What Did These Do?

I’ll provide a brief technical overview of the malware’s operation, but if you want to skip this section, the key takeaways are that this extension can:

  • Steal your header information for certain sites (including session tokens, which are used to authenticate you). It doesn’t do this by default for all sites, and has only been observed by me personally to do this for Instagram, but this can be done for any site the malware operator chooses at any time. So, this is quite the danger.
  • Force your browser to go to specific websites (generally, to like or follow specific content using your account), and report that information to the malware operator. This can also be dangerous if sensitive data was accessed (ex. browsing to your messages on Facebook), but the malware operator hasn’t been observed doing so.

Ok, that’s the TL;DR - you can move to the How Can I Protect Myself? section. Now for the nerds: this payload is very lean but has been maturing quickly - within two months it has expanded to steal request data as well as implement basic evasion techniques - and is unique because it uses modern web technologies (WebSockets) and high-level libraries (Socket.IO) for efficient, low-footprint command-and-control.

After the update is complete, a background task starts and quickly establishes a WebSocket to a server run by the malware operator (the command-and-control server), which sends events down to your browser. The extension uses those events to control your browser, and they do two core things:

  • First, the author can send a fetch event (this is called different things in different extensions, such as createFetch or getNewList) - this event forces your browser to browse to a specific location, such as https://instagram.com, and sends the response body back to the command-and-control server. So if it browsed to this page, the malware operator read what you are reading right now.
  • Second, the author can send a header event (again, called different things - such as handlerData or getNewListData) containing a domain name. This instructs the extension to intercept requests to that domain name and also send those to the command-and-control server. For example, if the malware operator sends a header event with www.instagram.com, all requests that either you or the extension make to https://www.instagram.com will also have the request information sent to the malware operator. This is very dangerous because it will usually contain the session token you use for a given website, granting the malware operator access to that session and allowing them to browse as if they had logged in as you.

The quickest route to compromise your account on nearly every site you use is simple. Say the malware operator wanted access to your PayPal - first, they would send a header event to tell their extension to steal the request headers for any request going to www.paypal.com. Then, they would send a fetch event instructing the extension to fire a request to https://www.paypal.com/dashboard/ on your behalf. This would generate two messages sent to the server:

  • One containing the request headers, including your session token (which keeps you logged in to PayPal).
  • Another containing the response body, including the dashboard information for your account, potentially including your current PayPal balance.

And that’s it - they have almost-complete access to any account you are logged in to via session theft. In addition, use of request interception could steal a user’s password from requests, but only if the user was performing a manual login, and the author had already sent a header event for that site. So this is considered possible, but unlikely.

For deeper technical reading, a technical analysis on User-Agent Switcher is in progress here including traffic logs, source code dissection, and more. For people who want to investigate on their own, I have also archived the malicious extensions here alongside the prior (nonmalicious) versions. Nano Adblocker and Nano Defender have a couple extra bells and whistles which I am analyzing now, but appear to only be detection evasion and weak obfuscation attempts. This page will be updated as more information is confirmed.

How Can I Protect Myself?

Unfortunately, there’s little that you could have done to protect yourself from these extensions outside of “not having them installed.” Using a password manager or 2FA protects you from unauthorized logins (ex. a Russian hacker without your Yubikey can’t create a new session), but neither protects you from an existing session being stolen. First, focus on the sites that are known to be impacted:

  • If you were logged in to Instagram, you should change your password here, which will also log you out of all sessions. To be safe, log out and log back in afterwards to clear the session you are currently using.
  • If you were logged in to Facebook, you should change your password first using this help, then log yourself out of all sessions using this help, then log out and log back in to close the session you are currently using.

There have been concerns raised about this extension abusing Twitch, GitHub, and webmail accounts, though I have not been sent credible evidence to support these claims. If you see attempted logins to services you are concerned about, ensure you are using a random unique password and 2FA where possible.

You might be wondering: didn’t you say that all sites could have their session tokens stolen? Yes. We don’t know for sure if other sites were impacted, since this behavior was 100% controlled by the command-and-control server. To our benefit, the malware operator seems to be focused on their social media like business, probably because money coming in from that is plentiful (100 likes for $1 as the going rate for Instagram, I’ve observed ~20 likes/hour/browser, you do the math!) and needs to be minimally laundered compared to stolen funds or proceeds from ransomware.

But for risk-averse users, you could take action to ensure your critical accounts are protected (ex. other social media, banks, investment accounts), as well as any you need for business or gainful employment (ex. webmail, corporate logins, file sharing or backup sites) by performing similar actions: terminate your session, change your password, and ideally enable 2FA to be sure you are safe.

How Can I Help?

There are a couple ways that you can help elevate the security of others, both for this specific compromise (and my work researching the malware operators), as well as advocating for security in browsers and browser extensions.

Information Sharing

I have a very comprehensive view of User-Agent Switcher because there was a lot of time between it being discovered as malicious. However, I am still assessing the scope of operations for the malware in Nano Adblocker and Nano Defender.

If you have credible information that you can share about the malware operator, or about what the malware did with access to your browser, please email me. How do you determine if information is credible?

  • Look for suspicious actions that were taken using your accounts. Account login attempts are suspicious, but you would have had to perform the login yourself while infected with this malware in order to divulge your password or 2FA codes (in the request headers). If you know you didn’t log in during the time frame you may have been infected, those login attempts are currently understood to be not related to this event.
  • Look for logs and other history information - if you use a transparent proxy (ex. Squid) or your traffic is intercepted for security, I would be interested in any domains or requests you can find which are suspicious. When reporting this, please include as much information as possible, without divulging personal or sensitive information, history, or requests.
  • Look for other malware on the Chrome Web Store using WebSockets as command-and-control. There are other identifying factors for this group (Turkish affiliation, -zzz ‘obfuscating’ strings, use of Namecheap and Cloudflare for fronting infrastructure, strong control flow similarities), but that is the most-readily-detectable factor (as the Socket.IO client needs to be added to infected extensions, and is quite large even when minified) even if it’s not the highest signal.
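
One way to automate the Socket.IO check from the last item, as an added example that is not the author's own tooling: it flags unpacked extensions that combine all-sites host permissions with a bundled Socket.IO client. The marker strings, the function names and the `review` rule are assumptions of this example, and a hit is only a reason for manual analysis.

```python
import json
import re
from pathlib import Path

# Host patterns that grant "read and modify all data on all sites".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Heuristic markers (assumptions of this example): the Socket.IO client carries
# its default "/socket.io" path and "engine.io" transport name as string literals.
SOCKETIO = re.compile(r"/socket\.io|engine\.io", re.I)
WEBSOCKET = re.compile(r"\bnew\s+WebSocket\s*\(|\bwss?://", re.I)


def audit_extension(ext_dir):
    """Summarise one unpacked extension; 'review' marks it for manual analysis."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    perms = set()
    for key in ("permissions", "host_permissions"):
        perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    hits = {}
    for js in sorted(ext_dir.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="ignore")
        tags = [tag for tag, rx in (("socket.io", SOCKETIO), ("websocket", WEBSOCKET))
                if rx.search(text)]
        if tags:
            hits[js.relative_to(ext_dir).as_posix()] = tags
    broad = bool(perms & BROAD_HOSTS)
    bundles_socketio = any("socket.io" in tags for tags in hits.values())
    return {
        "name": manifest.get("name", ""),
        "version": manifest.get("version", ""),
        "broad_hosts": broad,
        "web_request": "webRequest" in perms,  # needed to observe request headers
        "socket_hits": hits,
        # Neither signal is malicious alone; together they match the pattern above.
        "review": broad and bundles_socketio,
    }


def audit_all(extensions_root):
    """Audit every directory under extensions_root that contains a manifest.json."""
    return [audit_extension(m.parent)
            for m in sorted(Path(extensions_root).rglob("manifest.json"))]
```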

Advocating for Safety

First, I want to ask that impacted people please stop harassing both developers. eSolutions and Hugo Xu have expressed (privately and publicly) that they deeply regret these transactions, and that they never meant to sell their users into this infection. Both parties take pride in their work, which has now been violated by someone who would take advantage of them and the community they’ve built for nefarious purposes.

While it was naive of the original authors to sell these extensions to an unknown third party, they are the victims in this situation as well. Many people who have reached out to me are frustrated that there was nothing they could do to protect themselves, and I absolutely sympathize with that. It’s important to understand that users were following best practices when using these extensions - installing highly-rated extensions from developers that they could trust. Users shouldn’t have to compile and manually install specific versions of the extensions they use in order to know they are going to be kept safe, or check weekly to make sure the extension is still run by the original developer.

The responsibility for ensuring that extensions distributed through the Chrome Web Store are not going to harm Chrome users should lie principally on Google’s shoulders. In light of these major malware attacks, as well as rampant fraud on the Chrome Web Store, users should be demanding more security assurances from the “most secure browser in the world” (source). There are many ways browser vendors could mitigate these issues:

  • Prevent extensions from removing the Origin field on outbound requests, making extension-based fraud easily detectable by webservers, reducing the value of this malware operator’s methods to zero.
  • Invest in higher security standards and analytics for distributed applications, including stronger focus on user activity simulation, and retesting occasionally after updates have been approved to ensure server-controllable behavior hasn’t changed.
  • Inform users when extensions make outbound requests to a new site or server; or more rigorously validate the security of the extension if that is detected in live testing.
  • Provide a separate security permission which must be requested for extensions to make independent requests to servers (ex. when initiating a WebSocket).

With these changes - or a combination thereof - malware operators would not be able to mass infect extensions as readily, users would have more fine-grained understanding of the impact of extensions to their security, and browser vendors could increase trust in their products. Hopefully, all to reduce headlines like this.