Summary:
This article discusses the process of acquiring and analyzing malicious browser extensions that circumvent Google Chrome’s Manifest V3. It outlines methods for obtaining samples using free resources, cryptanalysis techniques for decryption, and the identification of indicators of compromise (IoCs) related to these extensions.
Keypoints:
- The article provides a walkthrough on acquiring malicious browser extension samples using free resources.
- It discusses the process of searching for similar malware samples based on unique features and directory structures.
- Techniques for decrypting payloads from malicious scripts are explored, including the use of PowerShell and Python.
- The article emphasizes the importance of cryptanalysis in understanding malware behavior and functionality.
- It highlights the evolution of malicious browser extensions and their increasing complexity over time.
- Indicators of compromise (IoCs) are identified, including domains and addresses used for command and control (C2) operations.
MITRE Techniques:
- Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
- Data Encrypted (T1022): Encrypts data to prevent detection and analysis.
- Obfuscated Files or Information (T1027): Uses obfuscation techniques to hide the true nature of files or information.
IoC:
Full Research: https://pberba.github.io/crypto/2024/09/14/malicious-browser-extension-genesis-market/