Were you one of the unlucky 3 million users who downloaded malicious browser extensions that were discovered last year? Google and Microsoft shut them down, but the extensions still did some damage. Security firm Avast is providing further details of these browser extensions and what they were up to to update our earlier report.
CacheFlow’s Intensions
These malicious browser extensions were included in a campaign referred to as CacheFlow in late 2020 by Avast. Both Google and Microsoft removed the threats by December 18 after being notified of the dangers.
The CacheFlow extensions tried to hide the command and control traffic using a Cache-Control HTTP header of analytics requests. It’s believed to be a new technique disguised to look like Google Analytics traffic. Along with hiding the malicious directive, Avast believes the authors of the malicious extensions also wanted access to the analytics requests.
The majority of the downloads of the malicious extensions came from Brazil, Ukraine, and France. Avast first learned of the browser extensions through a Czech blog post following up on one of the extensions and realized it extended further to multiple extensions.
The security firm also realized, after reverse engineering the obfuscated javascript, that along with browser redirection, the hackers were also collecting users’ data, including all their search engine queries.
The hackers were quite crafty to avoid being outed. They were able to avoid infecting users likely to be web developers either through the extensions or by learning whether the user had accessed locally-hosted websites. Additionally, malicious activity was avoided for three days after the download to not alert anyone of the hackers’ true malicious intentions. The extensions would also deactivate if browser developer tools were opened or the user Googled one of the malware’s domains.
Exposing the Browser Extensions
CacheFlow, though, was active for years, since at least 2017. It was silently hiding all that time through its stealth efforts. If you’re interested in learning exactly how CacheFlow worked and how Avast busted it, check out the security firm’s blog post.
Avast provides this detailed look into CacheFlow because it’s the company’s belief that “understanding how these technologies work will help other malware researchers in discovering and analyzing similar trends in the future.”
It’s for similar reasons that I’m covering this news here. We don’t want anyone to fall victim to this, and the more everyone knows what hackers are capable of, the less they’ll get away with.
Cybercriminals are omnipresent, though. Staying on top of their activities requires constant attention. Take a look at how the work from home trend has led to an increase in cyberattacks and fake collaboration apps.
