Be Aware of Malicious Chrome Extensions

Author: nausheen

Reference: Google

How can a website mislead you?

I came across a web page that seemed very toxic and tried to force me into downloading a shady browser extension. The page then switches itself to fullscreen mode, which is a pain to get out of.

Once installed, the extension shows a fake “Thank you” page at http://opurie[.]com/thank.php?pubid=&clickid=randomdata=&country=FR&n=w2
Apparently the campaign relies on compromised WordPress websites and some black-hat SEO to get the malicious page into the Google results, with content mostly ripped from Twitter.

In the Chrome profile's Extensions directory, each folder is named after the ID of an installed extension (not necessarily an active one); the ID of this “Opurie” extension is mcgibaolmjnmcmfofkfbacdmnejmdomn. Every Chrome extension ships a manifest.json that declares, among other things, the permissions it requests.

According to the Chrome developer documentation, the API it requests can be used to observe and analyze traffic and to intercept, block, or modify requests in-flight (that is how the documentation describes chrome.webRequest). It can also query and modify the cookies of ALL websites, thanks to the wildcard host permissions http://*/* and https://*/*. I still wonder why wildcard permissions like that don’t automatically trigger a manual review before approval 🙄 anyway…

The goal, I suppose, is to drive more traffic, redirect you for specific keywords (I haven’t really tried) and serve you more ads. I only stumbled upon this malicious extension this morning and haven’t had the chance to look further into it. Feel free to OSINT the URLs and dig deeper into the fraudulent network 😉

IOCs - Stage 1 (compromised WordPress sites hosting the lure)

www.employmentskillscenter[.]org/84d5/hareov.php
www.facioconsulting[.]in/c5c7/hareov.php
www.parkwestceramics[.]com/624082/hareov.php

Malicious extension (Chrome Web Store listing):
https://chrome.google[.]com/webstore/detail/opurie/mcgibaolmjnmcmfofkfbacdmnejmdomn (copy here, password = infected)

Fraudulent network
startupfraction[.]com
search.feedvertizus[.]com
go.querymo[.]com
opurie[.]com