a.infosecflavour
LetsDefend.io | SOC202- FakeGPT Malicious Chrome Extension

Hello 👋

Let's have a taste of LetsDefend.io challenges. Today we're studying SOC202- FakeGPT Malicious Chrome Extension. 🕵️

As can be deduced from the alert, here are the details of the event:

  • Severity => High

  • Date => May 29, 2023, 01:01 PM

  • Rule name => SOC202 - FakeGPT Malicious Chrome Extension

  • EventID => 153

  • Type => Data Leakage

  • Hostname => Samuel

  • IP => 172[.]16[.]17[.]173

  • File name => hacfaophiklaeolhnmckojjjjbnappen.crx

  • File path =>
    C:\Users\LetsDefend\Download\hacfaophiklaeolhnmckojjjjbnappen.crx

  • File hash =>
    7421f9abe5e618a0d517861f4709df53292a5f137053a227bfb4eb8e152a4669

  • Command executed =>
    chrome.exe --single-argument C:\Users\LetsDefend\Download\hacfaophiklaeolhnmckojjjjbnappen.crx

  • Device action => allowed


We need to check:
-> the reputation of the file hash
-> suspicious processes
-> commands executed
-> network connections
-> browser history
-> log entries indicating C2 communication

If we confirm the alert is a true positive, the endpoint will be immediately contained. This also means the event resulted in an incident.

Investigation

As can be observed in the alarm details, the endpoint's hostname is Samuel and its IP address is 172[.]16[.]17[.]173. The execution was allowed, which means the .crx file was not quarantined. I proceed by checking the reputation of the given hash and then start looking for evidence of execution.

File hash check

According to VirusTotal, the hash is not flagged by any of the AV vendors.
However, the community score is minus 5, which is evidence suggesting the file is malicious.


Suspicious processes

The alarm was triggered on 29th of May 2023, at 01:01 PM. I am looking for processes running around the indicated time.

These are all the processes running before, during and after the event:


One of particular interest is chrome.exe.
Its ProcessID is 5756. Its parent process is OpenWith.exe (ProcessID 7074), which in turn was started by explorer.exe. Because explorer.exe is the ancestor, this was an action performed by the user.

I researched OpenWith.exe and found it is a legitimate executable, invoked when a user tries to open a file whose extension is not linked to a specific program. Also known as "Pick an App", it typically runs from %windir%\System32\OpenWith.exe (source: Medium).
Malicious actors often rely on masquerading to evade detection, so checking the name alone is not enough. We need to see where it runs from and look for suspicious command lines. Based on the process details, the process is indeed legitimate, because it ran from its usual location.


Moving to chrome.exe, it also ran from its legitimate location: C:\Program Files\Google\Chrome\Application\chrome.exe. The command line shows a Chrome extension being opened from the user's desktop: --single-argument C:\Users\LetsDefend\Desktop\hacfaophiklaeolhnmckojjjjbnappen.crx.
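The checks performed by hand above (walk the parent chain back to explorer.exe, compare each binary's image path against where it is expected to live, pull the .crx path out of the chrome.exe command line) can be scripted so they are applied consistently to every process in the window. The following is an added example, not code from the post or from LetsDefend. The process records are constructed: the PIDs 5756 and 7074 and the chrome command line come from the alert, while the explorer.exe PID, the expected-path baseline and the final "wrong location" record are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Expected on-disk locations for the binaries in this process chain.
# This baseline is an assumption of the example; the write-up only states
# that OpenWith.exe and chrome.exe ran from their usual locations.
EXPECTED_IMAGE = {
    "explorer.exe": r"c:\windows\explorer.exe",
    "openwith.exe": r"c:\windows\system32\openwith.exe",
    "chrome.exe": r"c:\program files\google\chrome\application\chrome.exe",
}


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    image: str
    cmdline: str


# Constructed process records. The last one (OpenWith.exe from a user-writable
# folder) is invented to show what a masquerading hit looks like.
PROCS = [
    Proc(1234, 800, "explorer.exe", r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(7074, 1234, "OpenWith.exe", r"C:\Windows\System32\OpenWith.exe",
         r"OpenWith.exe C:\Users\LetsDefend\Desktop\hacfaophiklaeolhnmckojjjjbnappen.crx"),
    Proc(5756, 7074, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         r"chrome.exe --single-argument C:\Users\LetsDefend\Desktop\hacfaophiklaeolhnmckojjjjbnappen.crx"),
    Proc(9911, 1234, "OpenWith.exe", r"C:\Users\Public\OpenWith.exe", "OpenWith.exe"),
]


def ancestry(procs, pid):
    """Process names from pid up to the root, e.g.
    ['chrome.exe', 'OpenWith.exe', 'explorer.exe']. Stops on unknown or cyclic PIDs."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return chain


def user_initiated(procs, pid):
    """True when explorer.exe is an ancestor (the reasoning used in the write-up)."""
    return "explorer.exe" in (n.lower() for n in ancestry(procs, pid)[1:])


def is_masquerading(p):
    """A well-known binary name running from an unexpected path is a masquerade."""
    expected = EXPECTED_IMAGE.get(p.name.lower())
    return expected is not None and p.image.lower() != expected


def crx_from_cmdline(cmdline):
    """Extract the .crx path from a chrome.exe --single-argument command line."""
    m = re.search(r"--single-argument\s+(\S+\.crx)", cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def triage(procs):
    """One summary row per process with the three checks above applied."""
    rows = []
    for p in procs:
        rows.append({
            "pid": p.pid,
            "name": p.name,
            "chain": " <- ".join(ancestry(procs, p.pid)),
            "user_initiated": user_initiated(procs, p.pid),
            "masquerading": is_masquerading(p),
            "crx": crx_from_cmdline(p.cmdline),
        })
    return rows


if __name__ == "__main__":
    for row in triage(PROCS):
        print(row)
```

Running it prints one row per process; chrome.exe 5756 shows the chain `chrome.exe <- OpenWith.exe <- explorer.exe`, is marked user-initiated and carries the .crx path, while the constructed OpenWith.exe under C:\Users\Public is the only row flagged as masquerading. On a real host the records would come from the EDR process list rather than the inline list.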


Network action

After the extension execution, the endpoint communicated with 3 IPs:

  • 52[.]76[.]101[.]124
  • 18[.]140[.]6[.]45
  • 172[.]217[.]17[.]142


I looked up the first IP on VirusTotal and found it was not flagged as malicious by any vendor. The Community tab, however, contains references to scam entities.


I also checked AbuseIPDB; the IP was not found in any database.


The hostname indicates it is an Amazon EC2 (Elastic Compute Cloud) instance, i.e. a virtual machine running on Amazon. The associated region is Singapore.

I checked the next IP. VirusTotal shows no vendor flagging it as malicious. However, the Community tab shows the same scam references.


The IP was not found on AbuseIPDB either. It is another EC2 instance running in Singapore.

So far, the investigation shows that after the event the endpoint communicated with two EC2 instances located in Singapore. While no vendor entry marks them as suspicious, the community details point to them being part of a scam.

I verified the reputation of the third listed IP. No AV vendor flags it as malicious, but the Community tab contains references associating it with malicious activity.


On AbuseIPDB it has been reported 10 times, mostly for probe scanning activity; it has also been used in DDoS attacks.


Browser history


According to the browser history, the user triggered the download of the extension at 13:01:44, ignoring the warnings. At 13:02:01 the extension was opened. The user then accessed hxxps[://]chat[.]openai[.]com, which is a legitimate activity in itself; most likely, the purpose of authenticating to OpenAI was to establish the link with the malicious extension.

Log investigation

The log entries associated with the affected IP show various outbound and inbound connections:


It can be observed that the endpoint established a connection with version[.]chatgpt4google[.]workers[.]dev.

It is flagged as malicious by 3/94 vendors.


The next check reveals another suspicious destination host, www[.]chatgptforgoogle[.]pro.


It is flagged as malicious by 3/94 AV vendors, with a community score of -1.

Another proxy log entry indicates a connection to www[.]chatgptgoogle[.]org. A check on VirusTotal shows it has been flagged by 10/94 AV vendors. The community entry also matches the information found earlier when investigating the IP on VirusTotal.


The final IP points to a connection to chrome[.]google[.]com.


Note that all connections to the external IPs were established over port 80, i.e. plain HTTP, so the traffic was unencrypted.

Based on the findings associated with these IPs and hosts, the endpoint established communications with C2 infrastructure.
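The log review above boils down to three questions per proxy entry: is the destination host one of the identified domains, is the destination IP one of the three identified IPs, and is the request cleartext HTTP to an external address. The script below applies those checks to proxy log lines and defangs the indicators for reporting. It is an added example, not code from the post or from LetsDefend. The log format (timestamp, source IP, destination IP, destination port, method, URL) and the log lines themselves are constructed; the indicator lists are the ones the investigation found, and 203.0.113.10 and 198.51.100.7 are documentation-range placeholders rather than real destinations. "External" here means outside the RFC 1918 private ranges, which is what the write-up means by the endpoint talking to external IPs.

```python
import ipaddress
from urllib.parse import urlparse

# Indicators from the investigation (written defanged in the post; refanged
# here so they can be matched against log fields).
IOC_DOMAINS = {
    "www.chatgptgoogle.org",
    "www.chatgptforgoogle.pro",
    "version.chatgpt4google.workers.dev",
}
IOC_IPS = {"52.76.101.124", "18.140.6.45", "172.217.17.142"}

# RFC 1918 ranges; anything outside them is treated as external for this example.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed proxy log lines in an assumed space-separated format:
#   <timestamp> <src_ip> <dst_ip> <dst_port> <method> <url>
# 203.0.113.10 and 198.51.100.7 are documentation-range placeholders.
SAMPLE_LOG = """\
2023-05-29T13:02:05 172.16.17.173 52.76.101.124 80 GET http://version.chatgpt4google.workers.dev/version
2023-05-29T13:02:09 172.16.17.173 18.140.6.45 80 GET http://www.chatgptforgoogle.pro/api
2023-05-29T13:02:12 172.16.17.173 172.217.17.142 80 GET http://www.chatgptgoogle.org/track
2023-05-29T13:02:20 172.16.17.173 203.0.113.10 443 GET https://chat.openai.com/
2023-05-29T13:02:40 172.16.17.173 198.51.100.7 80 GET http://updates.example/check
2023-05-29T13:03:01 172.16.17.173 10.0.0.5 80 GET http://intranet.example/
"""


def parse_line(line):
    """Split one log line into its fields and extract the URL's host name."""
    ts, src, dst, dport, method, url = line.split(maxsplit=5)
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "method": method, "url": url, "host": urlparse(url).hostname}


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)


def reasons_for(entry):
    """Why an entry deserves attention, in the order the write-up checks them."""
    reasons = []
    if entry["host"] in IOC_DOMAINS:
        reasons.append("ioc_domain")
    if entry["dst"] in IOC_IPS:
        reasons.append("ioc_ip")
    if entry["dport"] == 80 and is_external(entry["dst"]):
        reasons.append("cleartext_http_external")
    return reasons


def defang(s):
    """Render an indicator so it cannot be clicked or resolved by accident."""
    return s.replace("http", "hxxp").replace(".", "[.]")


def analyse(log_text):
    """Return the entries that matched at least one check, with indicators defanged."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        reasons = reasons_for(entry)
        if reasons:
            hits.append({"ts": entry["ts"], "dst": defang(entry["dst"]),
                         "url": defang(entry["url"]), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in analyse(SAMPLE_LOG):
        print(hit)
```

Against the sample, the three entries to the identified domains match on all three checks, the HTTPS request to chat.openai.com and the port-80 request to the internal 10.0.0.5 host match nothing, and the constructed port-80 request to 198.51.100.7 is reported only for being cleartext HTTP to an external address, which is exactly the kind of entry that warrants a follow-up reputation check rather than an immediate verdict.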

Containment

The endpoint is immediately contained.


Endpoint contained:


Indicators of Compromise:

  • SHA-256 hash:
    7421f9abe5e618a0d517861f4709df53292a5f137053a227bfb4eb8e152a4669
  • Malicious IPs:
    52[.]76[.]101[.]124
    18[.]140[.]6[.]45
    172[.]217[.]17[.]142
  • Malicious domains:
    www[.]chatgptgoogle[.]org
    www[.]chatgptforgoogle[.]pro
    version[.]chatgpt4google[.]workers[.]dev
  • Malicious URL:
    hxxps[://]chrome[.]google[.]com/webstore/detail/chatgpt-for-google/hacfaophiklaeolhnmckojjjjbnappen

Recommendations

  • Remove the malicious extension
  • Re-image the affected endpoint
  • Check whether the extension is present on other endpoints across the organization
  • Provide training to the affected user in relation to the usage of external software
  • Establish technical controls to prohibit the use of unapproved browser extensions
  • Blacklist the malicious IPs, domains and URL
