Cryptojacking Extensions Found on Google Chrome Web Store



Yuanjing Guo, Associate Software Engineer

Tommy Dong, Sr Princ Software Engineer



On May 8, we discovered two extensions for Google’s Chrome web browser that secretly perform coin mining after they are installed. Both extensions were found on the official Google Chrome Web Store.
One of the extensions, called 2048, is a version of a popular math-based strategy game. The extension was published in August 2017 and has over 2,100 users, which suggests the publisher has made some profit using the CPU cycles of those users to mine for cryptocurrency.




Figure 1. Strategy game 2048 secretly mines for cryptocurrency



Figure 2. The 2048 extension has over 2,100 users

The other extension, Mp3 Songs Download, claims to be an MP3 downloader but just redirects the user to an MP3 download website when they click on the extension button. The MP3 download website secretly launches a coin-mining script in the background. The Mp3 Songs Download extension was published in June 2017 and has around 4,000 users.


Figure 3. The Mp3 Songs Download Chrome extension has almost 4,000 users



Figure 4. Mp3 Songs Download asks users to click on an icon that redirects them to a website that runs a coin-mining script

Coin-mining script: 2048

The source code for the 2048 extension contains a hardcoded domain that is called when Chrome is launched.


Figure 5. 2048 extension source code contains hardcoded domain that is called when Chrome launches

The form in http://www.madafak[DOT]in/landing sends a POST request with a hidden field to www.madafak[DOT]in after one second.


Figure 6. POST request with hidden field

The main page www.madafak[DOT]in attempts to pass itself off as Google Analytics but it secretly loads a coinminer library (ga.js) in the background.


Figure 7. Website claims to be related to Google Analytics but secretly loads coin-mining library
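
A defender-side triage check for the chain described above, added here as an example and not code from the original report: run over saved HTML, it flags the hidden-field POST form, a timer-driven submit, and a ga.js served from a host other than Google Analytics' own. The class and function names, the sample HTML and the example.test hosts are constructed, and matching the timer as setTimeout(... .submit()) is an assumption because the page does not show the script.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GA_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}  # genuine ga.js hosts
# Assumption: the timed submit is written as setTimeout(... .submit() ...).
AUTO_SUBMIT = re.compile(r"setTimeout\s*\([^;]*?\.submit\s*\(", re.S)

class LandingPageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.findings = []
        self.in_post_form = self.in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.in_post_form = a.get("method", "").lower() == "post"
        elif tag == "input" and self.in_post_form and a.get("type", "").lower() == "hidden":
            self.findings.append("hidden-post-field:" + a.get("name", ""))
        elif tag == "script":
            self.in_script = True
            u = urlparse(a.get("src", ""))
            host = u.hostname or self.page_host  # relative src resolves to the page's host
            if u.path.lower().rsplit("/", 1)[-1] == "ga.js" and host not in GA_HOSTS:
                self.findings.append(f"ga-lookalike:{host}{u.path}")

    def handle_endtag(self, tag):
        self.in_post_form = self.in_post_form and tag != "form"
        self.in_script = self.in_script and tag != "script"

    def handle_data(self, data):
        if self.in_script and AUTO_SUBMIT.search(data):
            self.findings.append("timed-form-submit")

def audit(page_url, html):
    """Return the findings for one saved HTML page fetched from page_url."""
    parser = LandingPageAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed samples modelled on the behaviour described above (not the real pages).
SAMPLE_LANDING = ('<form method="POST" action="http://miner.example.test/">'
                  '<input type="hidden" name="token" value="1"></form>'
                  '<script>setTimeout(function(){ document.forms[0].submit(); }, 1000);</script>')
SAMPLE_MAIN = '<title>Google Analytics</title><script src="/ga.js"></script>'
```

A hidden POST field alone is common on legitimate pages; the combination with a timed submit and a look-alike ga.js is what makes a page worth a closer look.
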
Fr ..