Behind an entire catalogue of malicious Chrome extensions? Allegedly, a domain registrar

It is not unusual for malware to use malicious C&C servers and domains. However, what we learn this week is something entirely different, sinister and going at a much larger scale.

In a report published by the Awake Security Threat Research Team this week, we learn of an internet domain registrar which has enabled domain registrations, of which almost 60% are for malicious domains! 

The Israeli company, CommuniGal Communication Ltd. aka GalComm continues to run its operations today.  

“Of the 26,079 reachable domains registered through GalComm, 15,160 domains, or almost 60%, are malicious or suspicious: hosting a variety of traditional malware and browser-based surveillance tools.”

Awake Security has stated that some evasion techniques were at play that let the malicious domains slip past most security controls and detection tools.

“Through a variety of evasion techniques, these domains have avoided being labeled as malicious by most security solutions and have thus allowed this campaign to go unnoticed.”

The malicious domains that are used by at least 111 Chrome extensions identified by Awake Security were all hosted by the same registrar. These harmful extensions had the capability to screenshot a victim’s machine, access clipboard, copy credentials (tokens, cookies, passwords), act as a keylogger and transmit this data to the attackers.

“In the past three months alone, we have harvested 111 malicious or fake Chrome extensions using GalComm domains for attacker command and control infrastructure and/or as loader pages for the extensions. These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc”

A domain setup to entice a user into downloading a malicious Chrome extension
(Source: Awake Security)

Unfortunately, these malicious extensions did manage to get to the computers of millions of users! Conservative estimates put the number of times the malicious extensions were downloaded at over 32 million. This data is only applicable to those extensions that were live as of May 2020. We don’t know if anything else already removed by Google was also part of this campaign.

“To date, there have been at least 32,962,951 downloads of these malicious extensions—and this only accounts for the extensions that were live in the Chrome Web Store as of May 2020. For context, very few extensions have been downloaded more than 10 million times.

The report provides a complete list of Chrome extension IDs as well as information about extensions that were available as of May 2020.

Luckily, Awake Security coordinated with Google to have these yanked from the Chrome Web Store.

It is worth noting that the actors behind this campaign are known to have penetrated networks of leading financial services, oil and gas companies as well as healthcare and pharmaceutical businesses.

“After analyzing more than 100 networks across financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government organizations, Awake discovered that the actors behind these activities have established a persistent foothold in almost every network,” stated the report.

Because of the scale of attacks like these, Awake has compared loosely-governed domain registrars like GalComm to arms dealers in the cyber realm.

“While these organizations are loosely governed by ICANN, there is very little active oversight. We believe registrars like GalComm can effectively function like cyber arms-dealers, providing a platform through which criminals and nation-states can deliver malicious sites, tools and extensions without consequences or oversight.”

ICANN has previously sent a notice of breach to the company in 2013 for their failure to meet multiple requirements set out by ICANN. 

Because campaigns like these are hard to detect via leading cybersecurity and perimeter defense products, Awake suggests companies adopt a more proactive approach to identifying anomalies like these, such as to “hunt on an ongoing basis for the tactics, techniques and procedures to compensate for the technological shortcomings.”

Awake Security’s detailed findings are available in the report published on their blog. 

However, Cyberscoop reports, Moshe Fogel, owner of Galcomm has said that Awake Security findings were based on faulty data, and that about a fourth of the domains Awake Security lists are either not registered via Galcomm or have expired.

“We are considering our steps and actions against Awake,” Fogel added. Asked if this meant legal action, Fogel said, “We are still investigating this case,” reports Cyberscoop.