Analysis of the protect_distribution.exe file revealed it to be malicious: written in C/C++ and disguised as a benign application, it employs several techniques to gain persistence and elevate privileges on the infected system.
It creates scheduled tasks to execute PowerShell scripts, which likely contain malicious code, and leverages taskeng.exe to run these scripts in the correct user context with elevated privileges.
The file also contains embedded Python code, pointing to a complex attack chain, and the presence of a specific computer name in the executable indicates a targeted attack, suggesting prior reconnaissance or an earlier stage of infection.
Two PowerShell scripts, ModifyRegistry1.ps1 and ModifyRegistry2.ps1, are designed to install a malicious Chrome extension with ID gomlcolffbhbcmcpofdnlhpadnigikjk. The first script modifies the registry under HKCU:\Software\Google\Chrome\Extensions to point Chrome at a suspicious CRX file (xl_ext_chrome.crx), while the second bypasses potential policy restrictions by adding the extension ID to the Extension Install Allowlist registry key (HKCU:\Software\Policies\Google\Chrome\ExtensionInstallAllowlist). Both scripts log their execution to C:\Windows\Temp\ModifyRegistryLog.txt.
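The persistence and registry-sideloading artefacts described in the two paragraphs above (scheduled tasks that launch PowerShell, the per-extension key under Software\Google\Chrome\Extensions, the ExtensionInstallAllowlist policy key, and the log file in C:\Windows\Temp) are all things a responder can enumerate on a host without touching them. The following read-only audit script is an added example written for this article, not code from Hunt or from the samples; the extension ID and log path are the ones the article names, and everything else it flags (a local CRX path, a non-Web-Store update_url, any allowlisted ID, any task that runs a .ps1) is a triage heuristic rather than proof of compromise.

```powershell
# Added example: audit a Windows host for Chrome extension sideloading via the
# registry plus PowerShell-launching scheduled tasks. Read-only; changes nothing.
# Assumption: the extension ID and log path below are the ones named in the article.

$KnownBadExtensionId = 'gomlcolffbhbcmcpofdnlhpadnigikjk'      # ID from the article
$LogPath             = 'C:\Windows\Temp\ModifyRegistryLog.txt' # log file from the article

function Get-ChromeExtensionRegistryFindings {
    $findings = @()
    foreach ($hive in 'HKCU:', 'HKLM:') {
        # 1) Per-extension install keys. Chrome honours either a local 'path'
        #    (plus 'version') or an 'update_url'; the Web Store URL is the norm.
        $extRoot = "$hive\Software\Google\Chrome\Extensions"
        if (Test-Path $extRoot) {
            foreach ($key in Get-ChildItem $extRoot -ErrorAction SilentlyContinue) {
                $props  = Get-ItemProperty $key.PSPath
                $extId  = $key.PSChildName
                $reason = $null
                if ($extId -eq $KnownBadExtensionId) { $reason = 'known extension ID' }
                elseif ($props.path) { $reason = "local CRX path: $($props.path)" }
                elseif ($props.update_url -and
                        $props.update_url -notmatch '^https://clients2\.google\.com/service/update2/crx') {
                    $reason = "non-Web-Store update_url: $($props.update_url)"
                }
                if ($reason) { $findings += [pscustomobject]@{ Source = $extRoot; Id = $extId; Reason = $reason } }
            }
        }
        # 2) Allowlist policy: numbered REG_SZ values whose data is an extension ID.
        $allowRoot = "$hive\Software\Policies\Google\Chrome\ExtensionInstallAllowlist"
        if (Test-Path $allowRoot) {
            $props = Get-ItemProperty $allowRoot
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -match '^\d+$') {
                    $reason = if ($p.Value -eq $KnownBadExtensionId) { 'known extension ID' }
                              else { 'allowlisted extension (review)' }
                    $findings += [pscustomobject]@{ Source = $allowRoot; Id = $p.Value; Reason = $reason }
                }
            }
        }
    }
    return $findings
}

function Get-PowerShellScheduledTasks {
    # Scheduled tasks whose action launches PowerShell or a .ps1 script,
    # matching the persistence mechanism the article describes.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute -match 'powershell(\.exe)?$' -or $a.Arguments -match '\.ps1') {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    RunAs    = $task.Principal.UserId
                    RunLevel = $task.Principal.RunLevel
                    Command  = "$($a.Execute) $($a.Arguments)"
                }
            }
        }
    }
}

Write-Host '== Chrome extension registry findings =='
Get-ChromeExtensionRegistryFindings | Format-Table -AutoSize
Write-Host '== Scheduled tasks launching PowerShell =='
Get-PowerShellScheduledTasks | Format-Table -AutoSize
Write-Host '== Script log file =='
if (Test-Path $LogPath) { Write-Host "PRESENT: $LogPath"; Get-Content $LogPath -Tail 20 }
else                    { Write-Host "absent: $LogPath" }
```

Run it in an elevated PowerShell session so that the HKLM keys and all users' scheduled tasks are readable; an ExtensionInstallAllowlist entry is a legitimate enterprise control, so an allowlisted ID is only worth escalating when it does not match the organisation's own policy.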
Researchers discovered two Chrome extension files, browser-extension.crx and xl_ext_chrome.crx, that appear to be malicious adaptations of an open-source project for remote code execution. xl_ext_chrome.crx is a more advanced version with a hardcoded command-and-control server for communication and contains code comments in Chinese.
Both extensions masquerade as a dark theme plugin but request invasive permissions for data access, web content alteration, and script execution. Code analysis revealed data exfiltration functionality, including browser fingerprinting and potential keylogging, with some features still under development.
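The mismatch the paragraph above points at, a "theme" that nonetheless carries background code, content scripts and broad host permissions, is visible in the manifest alone, so an analyst can triage a recovered CRX without installing it. The script below is an added example written for this article, not code from Hunt or from the samples: it strips the CRX2 or CRX3 header, reads manifest.json out of the embedded zip, and reports any permission from a small list that this example treats as broad (the list is the example's own heuristic, not one the article gives).

```powershell
# Added example: extract manifest.json from a .crx without installing it and
# flag broad permissions. Supports CRX2 (pubkey+signature) and CRX3 (protobuf)
# headers; both are followed by an ordinary zip. $BroadPermissions is this
# example's triage heuristic, not a list from the article.
Add-Type -AssemblyName System.IO.Compression

$BroadPermissions = @('<all_urls>', 'tabs', 'webRequest', 'webRequestBlocking', 'scripting',
                      'cookies', 'history', 'clipboardRead', 'nativeMessaging', 'debugger', 'management')

function Get-CrxZipBytes {
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 16 -or [Text.Encoding]::ASCII.GetString($Bytes, 0, 4) -ne 'Cr24') {
        throw 'Not a CRX file (missing Cr24 magic)'
    }
    $version = [BitConverter]::ToUInt32($Bytes, 4)   # little-endian uint32 after the magic
    switch ($version) {
        2 {  # CRX2: pubkey length, signature length, pubkey, signature, zip
            $pubLen = [BitConverter]::ToUInt32($Bytes, 8)
            $sigLen = [BitConverter]::ToUInt32($Bytes, 12)
            $start  = [int](16 + $pubLen + $sigLen)
        }
        3 {  # CRX3: header length, protobuf header, zip
            $hdrLen = [BitConverter]::ToUInt32($Bytes, 8)
            $start  = [int](12 + $hdrLen)
        }
        default { throw "Unsupported CRX version $version" }
    }
    return $Bytes[$start..($Bytes.Length - 1)]
}

function Get-CrxManifest {
    param([string]$Path)
    $zipBytes = Get-CrxZipBytes ([IO.File]::ReadAllBytes($Path))
    $stream   = New-Object IO.MemoryStream (,$zipBytes)
    $zip      = New-Object IO.Compression.ZipArchive ($stream)
    try {
        $entry = $zip.GetEntry('manifest.json')
        if (-not $entry) { throw 'manifest.json missing from CRX' }
        $reader = New-Object IO.StreamReader ($entry.Open())
        return ($reader.ReadToEnd() | ConvertFrom-Json)
    } finally { $zip.Dispose() }
}

function Invoke-CrxTriage {
    param([string]$Path)
    $m = Get-CrxManifest $Path
    # MV2 lists host patterns under 'permissions'; MV3 moves them to 'host_permissions'.
    $perms   = @($m.permissions) + @($m.host_permissions) | Where-Object { $_ }
    $flagged = @($perms | Where-Object {
        $_ -in $BroadPermissions -or $_ -match '^\*://\*/' -or $_ -match '^https?://\*/' })
    $hasCode = [bool]$m.background -or [bool]$m.content_scripts
    $verdict = if ($m.theme -and ($flagged.Count -gt 0 -or $hasCode)) { 'theme with code or broad permissions: suspicious' }
               elseif ($flagged.Count -gt 0) { 'broad permissions: review' }
               else { 'no broad permissions' }
    [pscustomobject]@{
        File           = $Path
        Name           = $m.name
        DeclaresTheme  = [bool]$m.theme
        HasBackground  = [bool]$m.background
        ContentScripts = @($m.content_scripts).Count
        BroadPerms     = ($flagged -join ', ')
        Verdict        = $verdict
    }
}

# Usage: Invoke-CrxTriage -Path .\xl_ext_chrome.crx
```

A genuine theme manifest contains a "theme" object and little else; a background page, content scripts, or `<all_urls>`-style host access alongside it is the signal worth pulling the extension's JavaScript for, which is exactly the profile the article attributes to these two samples.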
An attacker uploaded a zip file named distribution.zip, containing a decoy PDF shortcut (test.pdf.lnk) and an executable (Acrobat.exe), to an open directory; this linked to a malicious PowerShell script that downloaded and executed a payload from a remote server.
The findings indicate that attackers are exploiting open-source browser extensions to breach networks. While the exact target remains unclear, there is speculation that red teams or cybersecurity researchers, who frequently utilize these tools, might be the primary focus.
However, further investigation is needed to confirm this hypothesis. As the distinction between legitimate and malicious extensions becomes less apparent, comprehending these tactics is crucial for anticipating potential future threats.
An investigation by Hunt uncovered malicious activity on two IP addresses. The first (182.92.116.32) belongs to Hangzhou Alibaba Advertising and hosts an open directory (port 12777) containing browser extensions (potentially for download) and an executable (protect_distribution.exe) that distributes those extensions, including a variant based on the Extension-Code-Injector project.
The second (117.72.70.169), on China Telecom, is linked to a directory containing a decoy Cobalt Strike manual (test.pdf.lnk) and a compressed file (distribution.zip) holding another executable (Acrobat.exe) and a malicious Chrome extension (xl_ext_chrome.crx) with embedded C2 server information.