SOC202 - FakeGPT Malicious Chrome Extension - EventID: 153 - Writeup/Walkthrough

Hello guys,

In this LetsDefend Alert we'll be investigating a malicious Chrome extension.

Think you are stuck? Maybe you aren't. All you need is patience and an understanding of:
  • How to use the LetsDefend investigation UI
  • VirusTotal, Chrome-Stats and CRXcavator
  • Google OSINT

Tried them all and still feel stuck? Let's continue:

Browser extensions can be a big security risk, primarily because social cues make them seem much less harmful than full-fledged apps (The extensions come from a known store operated by Chrome, they're smaller and less flashy, they "can't" operate on their own, etc.), making people more comfortable installing them without much scrutiny. This is despite the MITRE T1176 - Browser Extensions entry (which I'm sure everyone in your org has already read, right?).

So, let's start with LetsDefend's SOC alert:

EventID: 153

Event Time: May 29, 2023, 01:01 PM

Rule: SOC202 - FakeGPT Malicious Chrome Extension

Level: Security Analyst

Hostname: Samuel

IP Address: 172.16.17.173

File Name: hacfaophiklaeolhnmckojjjjbnappen.crx

File Path: C:\Users\LetsDefend\Download\hacfaophiklaeolhnmckojjjjbnappen.crx

File Hash: 7421f9abe5e618a0d517861f4709df53292a5f137053a227bfb4eb8e152a4669

Command Line: chrome.exe --single-argument C:\Users\LetsDefend\Download\hacfaophiklaeolhnmckojjjjbnappen.crx

Trigger Reason: Suspicious extension added to the browser.

Device Action: Allowed

We know this is an extension-based alert, not only because of the rule name (let's say in real life it would be less specific) but also because of the file's .CRX extension.

The truth of the matter is that this is very similar to most other alerts; you just need the right tools that are focused on Chrome extensions.

But we'll start with the grandmaster, VirusTotal:

As we can see, this is a CRX file that was last analyzed 6 days ago (it's best practice to "reanalyze" when encountering a suspicious file) with a size of 325.09 KB (not unusual in comparison to Grammarly's 393.2 KB).

This is one of those moments when you need to understand what VT is and what it isn't. VT doesn't tell you whether something is legitimate, only that no vendor in its list has flagged this file as malicious.

The lack of vendor focus on Chrome extensions could be a major reason for not detecting this malicious CRX file, but let's see what VT can still tell us:

The extension checks your hostname - not typical

The name of the extension is not unusual; this is the normal format for CRX files, which use the extension's ID rather than the displayed name. efaidnbmnnnibpcajpcglclefindmkaj, for example, is the ID of Adobe's extension when downloaded as a CRX.
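As an added example (not part of the original writeup), the following Python shows where that 32-letter ID comes from and lets you sanity-check a CRX file name against the convention: the ID is the first 16 bytes of SHA-256 over the extension's DER-encoded public key, written in hex with each hex digit shifted into the range a-p. The key bytes used at the bottom are a constructed placeholder, not a real extension's key.

```python
import hashlib
import re

# Chrome extension IDs are 32 characters drawn from a-p: the first 16 bytes of
# SHA-256(DER-encoded public key), written in hex with each hex digit shifted
# so that 0-9 become a-j and a-f become k-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")
HEX_TO_ID = str.maketrans("0123456789abcdef", "abcdefghijklmnop")


def extension_id_from_pubkey(pubkey_der: bytes) -> str:
    """Derive the Chrome extension ID from the DER-encoded public key."""
    digest = hashlib.sha256(pubkey_der).hexdigest()[:32]
    return digest.translate(HEX_TO_ID)


def is_extension_id(name: str) -> bool:
    """True if a CRX file name (without .crx) follows the extension-ID convention."""
    return bool(EXT_ID_RE.match(name))


def crx_basename(path: str) -> str:
    """Strip the directory and the .crx suffix from a Windows or POSIX path."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    return base[:-4] if base.lower().endswith(".crx") else base


if __name__ == "__main__":
    # File path taken from the alert
    path = r"C:\Users\LetsDefend\Download\hacfaophiklaeolhnmckojjjjbnappen.crx"
    name = crx_basename(path)
    print(name, is_extension_id(name))
    # Constructed placeholder key bytes, not a real extension's public key
    print(extension_id_from_pubkey(b"constructed-placeholder-public-key"))
```

A name that fails the check is not a store-signed extension ID at all and deserves a closer look; a name that passes only tells you the file was packaged the normal way.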

Under the BEHAVIOR tab, we can see the file is placed in a few Sigma and IDS rules made by the community. Now, this could be a result of this file becoming 'infamous' thanks to LetsDefend, but ignoring that, this is a good indicator that this is most likely not something you want on your station or in your environment.

The rest of the BEHAVIOR tab is full of useful information, but it should be looked at from a bird's-eye view. As Analysts, we shouldn't get bogged down with deep analysis but rather quickly figure out what happened and recommend further action (which could include deep analysis).

I have run the hash through Hybrid-Analysis, Filescan, and Triage to see if something interesting would come up, but again, as an analyst, I mustn't waste time indulging my curiosity; I need to focus on protecting my client.

Chrome-Stats & Crxcavator are tools designed for Chrome extension information; checking them will also be beneficial.

Using these tools, we can gather more information on the extension.

Note that this name and icon have been used by others as well. Try not to get confused, but in all honesty, all of them are very sketchy.

Chrome-Stats allows you to download the file for malware analysis, but that is overboard at the triage and containment stage.

Let's ignore the red writing at the top. We see an extension made by an unknown developer using a Gmail email account "related" to a growing trend... very legit... add to this the Risk Impact and likelihood and the picture becomes clearer.

Crxcavator has been a bit troublesome lately, but when it works, it's a good place to check for further information.

And of course, Google it: read the reviews, and research the developer, the email account, the extension and the attack vector through OSINT.

Start understanding what could be going on

Without seeing anything malicious yet, we can still say this is fishy (if not phishy...).

Let's continue going through the alert details:

The command line: "chrome.exe --single-argument C:\Users\LetsDefend\Download\hacfaophiklaeolhnmckojjjjbnappen.crx" is not suspicious in itself but it does tell us that the installation was successful.

Investigating the workstation, we don't see much to work with:

Quickly going through the logs shows nothing too weird.

Let's move to log management and search for the source IP:

All of these sites and IPs should be investigated. You can save some time by running them through CyberGordon:

Make sure to only give it one type of artifact at a time (Unlike what I did here!)

Well... looks fine to me!

While the domains are reported for malware, all the IPs came back as legitimate and related to AWS, but remember that IPs change all the time and they are in the lowest section of the pyramid of pain.

After the extension was downloaded, the host communicated with the two IPs. This is not great.

We now know that the user has downloaded a malicious extension, and although we have yet to see any suspicious activity, this must be remediated.

Note the playbook questions; I'll give you the question and answer separately to give you the chance to think about it and see what you think.

Is the file malicious?

Answers:

Recommendations/Actions:

  1. Depending on your organization's policy - after checking for compromise of other systems (by looking for the hash/IP/domain across the overall environment), contain the station if this is a singular case. If not, wait until you understand the full scope. (This action should be quick; there is no need to invest too much time here when we know there is malware on a station. On the other hand, it is important to know whether the attacker could execute a devastating payload on another station.)
  2. Remove the extension and clear the cache.
  3. Check for any newly installed apps or registry changes.
  4. Enforce a password reset and enable MFA if not enabled already (MFA should really be a go to recommendation).
  5. Inquire with the user and remind them of the information security policies and best practice.
  6. Consider requiring approval for new extensions through the security department and/or implement a whitelist.
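As an added example (not from the original writeup), here is a small Python hunt that implements the scoping check in step 1: it searches log lines for the alert's file hash and extension ID, and separately flags any chrome.exe run that is handed a .crx on the command line, so you can tell a single-station case from a wider one. The log format and the hostnames other than Samuel are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators taken from the alert
FILE_HASH = "7421f9abe5e618a0d517861f4709df53292a5f137053a227bfb4eb8e152a4669"
EXT_ID = "hacfaophiklaeolhnmckojjjjbnappen"

# Any chrome.exe launched with a .crx on its command line, regardless of the ID
CRX_INSTALL_RE = re.compile(r"chrome\.exe\s+--single-argument\s+\S+\.crx", re.IGNORECASE)

# Constructed sample log lines in an assumed "timestamp host event key=value..." format
SAMPLE_LOGS = """\
2023-05-29T13:01:02 Samuel process_create image=chrome.exe cmd="chrome.exe --single-argument C:\\Users\\LetsDefend\\Download\\hacfaophiklaeolhnmckojjjjbnappen.crx" sha256=7421f9abe5e618a0d517861f4709df53292a5f137053a227bfb4eb8e152a4669
2023-05-29T13:05:11 Samuel process_create image=chrome.exe cmd="chrome.exe --profile-directory=Default" sha256=0000000000000000000000000000000000000000000000000000000000000000
2023-05-29T14:20:40 Nora file_write path=C:\\Users\\Nora\\Downloads\\hacfaophiklaeolhnmckojjjjbnappen.crx sha256=7421f9abe5e618a0d517861f4709df53292a5f137053a227bfb4eb8e152a4669
2023-05-29T15:02:00 Omar process_create image=chrome.exe cmd="chrome.exe --single-argument C:\\Users\\Omar\\Downloads\\someother.crx" sha256=1111111111111111111111111111111111111111111111111111111111111111
""".splitlines()


def hunt(lines):
    """Return {hostname: set(reasons)} for every line matching an indicator."""
    hits = defaultdict(set)
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # skip malformed lines rather than guessing a host
        host = parts[1]
        if FILE_HASH in line:
            hits[host].add("known_hash")
        if EXT_ID in line:
            hits[host].add("extension_id")
        if CRX_INSTALL_RE.search(line):
            hits[host].add("crx_sideload")
    return dict(hits)


def scope(lines):
    """Hosts carrying the alert's own indicators (hash or ID): one host means
    contain it now, more than one means widen the investigation first."""
    return sorted(h for h, r in hunt(lines).items() if r & {"known_hash", "extension_id"})


if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_LOGS).items():
        print(host, sorted(reasons))
    print("in scope:", scope(SAMPLE_LOGS))
```

Hosts flagged only with crx_sideload are not part of this incident's scope but are worth a follow-up under recommendation 6.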

Thank you to LetsDefend for reminding me to make this guide, I am truly honoured and appreciate your commitment to help your students.
