In-depth Analysis: Why was the Binance Account Stolen after Using the Malicious Plug-in?
In-depth Analysis: Why was the Binance Account Stolen after Using the Malicious Plug-in?
By:@SlowMist_Team
Source:https://web3caff.com/zh/archives/94779
https://foresightnews.pro/article/detail/61654
On March 1, 2024, according to Twitter user @doomxbt, there was an abnormal situation with his Binance account, and funds were suspected to have been stolen. Initially, this incident did not attract much attention. However, on May 28, 2024, Twitter user @Tree_of_Alpha analyzed and found that the victim, @doomxbt, might have installed a malicious Aggr extension from the Chrome Store, which had many positive reviews! This extension can steal all cookies from the websites visited by the user, and two months ago, someone paid influencers to promote it.
On June 3, 2024, tragedy struck again. Twitter user @CryptoNakamao posted about losing 1 million USD due to downloading the malicious Chrome extension Aggr.
In this article, we will provide a detailed analysis of the malicious activities of the fake Aggr extension and explain its basic knowledge and potential risks through a six-question and six-answer format. We will also offer advice on how to deal with extension risks, hoping to help individual users and trading platforms enhance their ability to protect account and asset security.
Analysis
First, we need to locate this malicious extension. Although Google has already removed the malicious extension, we can still view some historical data through snapshots.
After downloading and analyzing the extension, we identified the main JavaScript files in the directory as background.js, content.js, jquery-3.6.0.min.js, and jquery-3.5.1.min.js.
During static analysis, we found that background.js and content.js did not contain much complex code or any obvious suspicious logic. However, we discovered a site link in background.js that sends data collected by the extension to https[:]//aggrtrade-extension[.]com/statistics_collection/index[.]php.
By analyzing the manifest.json file, we saw that background used /jquery/jquery-3.6.0.min.js, and content used /jquery/jquery-3.5.1.min.js. Thus, we focused our analysis on these two jquery files:
In jquery/jquery-3.6.0.min.js, we found suspicious malicious code that processed browser cookies via JSON and sent them to the site: https[:]//aggrtrade-extension[.]com/statistics_collection/index[.]php.
After static analysis, to more accurately analyze the behavior of the malicious extension, we installed and debugged the extension. (Note: This should be done in a brand new testing environment without any logged-in accounts, and the malicious site should be changed to a controlled one to avoid sending sensitive data to the attacker’s server.)
After installing the malicious extension in the testing environment, we opened any website, such as google.com, and observed network requests from the malicious extension’s background. We found that Google’s cookie data was sent to an external server:
We also saw the malicious extension sending cookie data on the Weblog service:
At this point, if the attacker obtains user authentication credentials and other information, they can use the browser extension to hijack cookies and perform contra trade attacks on various trading sites, stealing users’ crypto assets.
Next, we analyzed the malicious link https[:]//aggrtrade-extension[.]com/statistics_collection/index[.]php.
Involved domain: aggrtrade-extension[.]com
Parse the domain name information in the figure above:
The .ru domain suggests it is likely targeting Russian-speaking users, so it is probably a Russian or Eastern European hacker group.
Attack Timeline:
Analysis of the fake AGGR (aggr.trade) malicious site aggrtrade-extension[.]com revealed that the hackers began planning the attack three years ago:
Four months ago, the hackers deployed the attack:
According to the InMist Threat Intelligence Collaboration network, the hacker’s IP is located in Moscow, using a VPS provided by srvape.com, and the email address is aggrdev@gmail.com.
After successfully deploying, the hackers started promoting on Twitter, waiting for victims to take the bait. The rest of the story is known: some users installed the malicious extension and got robbed.
Below is the official warning from AggrTrade:
Q&A
What is a Chrome Extension?
A Chrome Extension is a plugin designed for the Google Chrome browser that can extend the functionality and behavior of the browser. They can customize the user’s browsing experience, add new features or content, or interact with websites. Chrome Extensions are typically built using HTML, CSS, JavaScript, and other web technologies.
The structure of a Chrome Extension usually includes the following parts:
● manifest.json: The configuration file of the extension, defining basic information such as name, version, and permissions.
● Background Scripts: Run in the background of the browser, handling events and long-term tasks.
● Content Scripts: Run in the context of web pages, directly interacting with the web pages.
● User Interface (UI): Includes browser toolbar buttons, pop-up windows, options pages, etc.
What are the functions of Chrome Extensions?
● Ad Blocking: Extensions can block and prevent ads on web pages, improving page load speed and user experience. Examples include AdBlock and uBlock Origin.
● Privacy and Security: Some extensions can enhance user privacy and security, such as preventing tracking, encrypting communications, managing passwords, etc. Examples include Privacy Badger and LastPass.
● Productivity Tools: Extensions can help users improve productivity, such as managing tasks, taking notes, tracking time, etc. Examples include Todoist and Evernote Web Clipper.
● Developer Tools: Provide debugging and development tools for web developers, such as viewing web page structure, debugging code, analyzing network requests, etc. Examples include React Developer Tools and Postman.
● Social Media and Communication: Extensions can integrate social media and communication tools, allowing users to handle social media notifications and messages while browsing. Examples include Grammarly and Facebook Messenger.
● Web Customization: Users can customize the appearance and behavior of web pages through extensions, such as changing themes, rearranging page elements, adding additional features, etc. Examples include Stylish and Tampermonkey.
● Automating Tasks: Extensions can help users automate repetitive tasks, such as auto-filling forms, bulk downloading files, etc. Examples include iMacros and DownThemAll.
● Language Translation: Some extensions can translate web page content in real-time, helping users understand web pages in different languages, such as Google Translate.
● Cryptocurrency Assistance: Extensions can help users in cryptocurrency trading, such as MetaMask.
The flexibility and diversity of Chrome Extensions allow them to be applied to almost any browsing scenario, helping users complete various tasks more efficiently.
What permissions do Chrome Extensions have after installation?
After installation, Chrome Extensions may request a series of permissions to perform specific functions. These permissions are declared in the extension’s manifest.json file and are prompted to the user for confirmation during installation. Common permissions include:
● <all_urls>: Allows the extension to access content on all websites. This is a broad permission, allowing the extension to read and modify data on all websites.
● tabs: Allows the extension to access browser tab information, including getting the currently open tabs, creating and closing tabs, etc.
● activeTab: Allows the extension to temporarily access the currently active tab, usually to perform specific actions when the user clicks the extension button.
● storage: Allows the extension to use Chrome’s storage API to store and retrieve data. This can be used to save extension settings, user data, etc.
● cookies: Allows the extension to access and modify browser cookies.
● webRequest and webRequestBlocking: Allow the extension to intercept and modify network requests. These permissions are often used for ad-blocking and privacy protection extensions.
● bookmarks: Allows the extension to access and modify browser bookmarks.
● history: Allows the extension to access and modify browser history.
● notifications: Allows the extension to display desktop notifications.
● contextMenus: Allows the extension to add custom menu items to the browser’s context menu (right-click menu).
● geolocation: Allows the extension to access the user’s geolocation information.
● clipboardRead and clipboardWrite: Allow the extension to read and write clipboard content.
● downloads: Allows the extension to manage downloads, including starting, pausing, and canceling downloads.
● management: Allows the extension to manage other extensions and applications in the browser.
● background: Allows the extension to run long-term tasks in the background.
● notifications: Allows the extension to display system notifications.
● webNavigation: Allows the extension to monitor and modify browser navigation behavior.
These permissions enable Chrome Extensions to perform many powerful and diverse functions, but also mean they can potentially access sensitive user data, such as cookies and authentication information.
Why can malicious Chrome Extensions steal user permissions?
Malicious Chrome Extensions can steal user permissions and authentication information because these extensions can directly access and manipulate the user’s browser environment and data. Specific reasons and methods include:
● Broad permission access: Malicious extensions often request a large number of permissions, such as accessing all websites (<all_urls>), reading and modifying browser tabs (tabs), accessing browser storage (storage), etc. These permissions allow malicious extensions to broadly access the user’s browsing activity and data.
● Manipulating network requests: Malicious extensions can use the webRequest and webRequestBlocking permissions to intercept and modify network requests, thereby stealing the user’s authentication information and sensitive data. For example, they can intercept form data when users log into websites to obtain usernames and passwords.
● Reading and writing page content: Through content scripts, malicious extensions can embed code into web pages, reading and modifying page content. This means they can steal any data entered by users on web pages, such as form information, search queries, etc.
● Accessing browser storage: Malicious extensions can use the storage permission to access and store local user data, including browser storage (such as LocalStorage and IndexedDB) that may contain sensitive information.
● Manipulating clipboard content: Through the clipboardRead and clipboardWrite permissions, malicious extensions can read and write the user’s clipboard content, thereby stealing or tampering with the information copied and pasted by the user.
● Masquerading as legitimate websites: Malicious extensions can modify browser content or redirect users to fake websites, tricking users into entering sensitive information.
● Long-term background running: Malicious extensions with background permissions can run in the background for extended periods, even if the user is not actively using them. This allows them to monitor user activity and collect large amounts of data over time.
● Manipulating downloads: Using the downloads permission, malicious extensions can download and execute malicious files, further compromising the user’s system security.
Why were the victims of this malicious extension able to have their permissions and funds stolen?
Because this malicious Aggr extension happened to gain the permissions mentioned above. Here is a fragment of the permissions content in the manifest.json file of this malicious plugin:
● cookies
● tabs
● <all_urls>
● storage
What actions can a malicious Chrome Extension take after stealing user cookies?
● Access accounts: Malicious extensions can use stolen cookies to simulate user login to trading platform accounts, thereby accessing user account information, including balances, transaction history, etc.
● Conduct transactions: Stolen cookies may allow malicious extensions to perform transactions without the user’s consent, buying or selling cryptocurrencies, and even transferring assets to other accounts.
● Withdraw funds: If the cookies contain session information and authentication tokens, malicious extensions may bypass two-factor authentication (2FA) and directly initiate fund withdrawals, transferring the user’s cryptocurrencies to the attacker’s wallet.
● Access sensitive information: Malicious extensions can access and collect sensitive information in the user’s trading platform account, such as identity verification documents, addresses, etc., which may be used for further identity theft or fraud activities.
● Modify account settings: Malicious extensions can change user account settings, such as linked email addresses, phone numbers, etc., further controlling the account and stealing more information.
● Impersonate users for social engineering attacks: Use user accounts for social engineering attacks, such as sending scam messages to the user’s contacts, inducing them to perform unsafe operations or provide more sensitive information.
Countermeasures
Seeing this, users might wonder, what can we do, disconnect from the internet? Use a separate computer for transactions? Avoid logging into platforms via the web? Many blanket statements have emerged online, but we can actually learn how to reasonably prevent such risks:
Countermeasures for Individual Users:
● Enhance personal security awareness: The first prevention suggestion is to enhance personal security awareness and always maintain a skeptical attitude.
● Only install extensions from trusted sources: Install extensions from the Chrome Web Store or other trusted sources, read user reviews and permission requests, and try not to grant extensions unnecessary access permissions.
● Use a secure browsing environment: Avoid installing extensions from unknown sources, regularly review and delete unnecessary extensions, install different browsers, and isolate plugin browsers from transaction browsers.
● Regularly check account activities: Regularly check account login activities and transaction records, and take action immediately if suspicious behavior is found.
● Remember to log out: Remember to log out after using web-based platforms. Many people leave themselves logged in for convenience after completing operations on a platform, but this habit poses a security risk.
● Use hardware wallets: For large assets, use hardware wallets for storage to improve security.
● Browser settings and security tools: Use secure browser settings and extensions (such as ad blockers and privacy protection tools) to reduce the risk of malicious extensions.
● Use security software: Install and use security software to detect and prevent malicious extensions and other malware activities.
Suggestions for platforms
Finally, here are some risk control suggestions for platforms. By implementing these measures, trading platforms can reduce the security risks that malicious Chrome Extensions pose to users:
● Enforce Two-Factor Authentication (2FA):
○ Enable 2FA globally: Require all users to enable two-factor authentication (2FA) when logging in and performing important operations (such as trading, placing orders, and withdrawing funds) to ensure that even if the user’s cookies are stolen, attackers cannot easily access the account.
○ Support multiple verification methods: Support various two-factor authentication methods, such as SMS, email, Google Authenticator, and hardware tokens.
● Session Management and Security:
○ Device management: Provide users with the ability to view and manage logged-in devices, allowing users to log out of unknown device sessions at any time.
○ Session timeout: Implement session timeout policies, automatically logging out sessions that have been inactive for an extended period, reducing the risk of session hijacking.
○ IP address and geolocation monitoring: Detect and alert users to login attempts from unusual IP addresses or geolocations, blocking these logins if necessary.
● Strengthen Account Security Settings:
○ Security notifications: Immediately notify users of important account actions such as logins, password changes, and fund withdrawals via email or SMS, alerting users to suspicious activity.
○ Account freeze function: Provide users with the option to quickly freeze their account in emergencies to limit damage.
● Enhance Monitoring and Risk Control Systems:
○ Anomaly detection: Use machine learning and big data analysis to monitor user behavior, identify abnormal trading patterns and account activities, and intervene in risk control promptly.
○ Risk control alerts: Issue alerts and restrictions for suspicious behaviors such as frequent account information changes and multiple failed login attempts.
● Provide Security Education and Tools for Users:
○ Security education: Use official social accounts, emails, platform notifications, and other channels to educate users about security risks associated with browser extensions and how to protect their accounts.
○ Security tools: Provide official browser plugins or extensions to help users enhance account security, detecting and alerting users to potential security threats.
Conclusion
Frankly speaking, from a technical perspective, implementing all the risk control measures mentioned above may not always be the best approach. Security and business need to be balanced. If security measures are too stringent, user experience may suffer. For example, requiring two-factor authentication (2FA) for placing orders may prompt users to disable it for convenience, inadvertently making it easier for hackers. Once cookies are stolen, if funds cannot be withdrawn, hackers might perform contra trade attacks, causing users to lose assets. Therefore, different platforms and users should adopt different risk control approaches. Finding the balance between security and business needs varies for each platform. Hopefully, platforms can protect user accounts and assets while considering user experience.
The SlowMist security team advises users to think for three seconds before installing software, trying new tokens, or adding plugins. Ask yourself if it’s right and safe, then proceed. This can help avoid turning stories into accidents. For more security knowledge, consider reading “Blockchain dark forest selfguard handbook” by SlowMist.
Follow us
Twitter: https://twitter.com/WuBlockchain
Telegram: https://t.me/wublockchainenglish