Introduction
Hello and welcome to my latest blog post! In today’s article, I’ll be exploring a concerning development in the world of browser security: the FakeGPT Malicious Chrome Extension. This topic has emerged as a critical threat in cybersecurity, prompting a need for a detailed examination. We’ll be utilizing insights from LetsDefend, a premier platform known for its cutting-edge approach to cybersecurity training. LetsDefend (letsdefend.io) provides simulated environments and realistic scenarios that are crucial for cybersecurity professionals seeking to enhance their skills in detecting and mitigating a range of cyber threats. The platform’s focus on practical, real-world applications makes it an essential resource for those striving to keep pace with the rapidly changing cyber landscape. Join me as we dissect this recent alert regarding the FakeGPT Malicious Chrome Extension, analyzing its intricacies and learning how to effectively tackle such cybersecurity dilemmas.
In our analysis today, we’ll navigate through the murky waters of browser extension security, focusing on the identification, implications, and mitigation strategies related to this deceptive and harmful FakeGPT Chrome Extension.
The alert presented to us carries a high severity level, indicating that it should be treated with utmost urgency and seriousness.

The Case Analysis
We will now begin the detailed examination of this specific alert.

Define Threat Indicator

We’ll need to pinpoint the threat indicator from the malicious Chrome extension. To respond to the query, we will need to undertake some analysis.
Upon examining the network activity of the client in question, we observe multiple outbound connections to various IP addresses, coinciding with the time the alert was triggered. The IP addresses are as follows:
- 52[.]76[.]101[.]124
- 18[.]140[.]6[.]45
- 172[.]217[.]17[.]142

Consequently, I suspect that the threat indicator is unusual or unexpected outgoing internet traffic.
Check if the Malware is Quarantined/Cleaned

Based on the initial SIEM Alert, the endpoint permitted the installation of the Chrome Extension.

This implies that the potentially malicious Chrome Extension was not placed in quarantine.
Analyze Malware

The initial SIEM alert included the file hash of the extension, which we can use for further analysis. The hash provided is '7421f9abe5e618a0d517861f4709df53292a5f137053a227bfb4eb8e152a4669'.
We can also use chrome-stats.com (https://chrome-stats.com/) to collect historical data on the extension, including the ability to download and analyze the CRX file directly. The site can be searched by extension ID, which the alert records as the file name. Based on the alert, that value is 'hacfaophiklaeolhnmckojjjjbnappen', which leads us to the following page: https://chrome-stats.com/d/hacfaophiklaeolhnmckojjjjbnappen.

The website categorizes this extension as having a very high risk likelihood and a moderate risk impact. It is also important to note that the logo and name of this extension are identical to those of a popular AI search assistant. Here is the link to that extension's page: https://chrome-stats.com/d/jgjaeacdkonaoafenlfkkkmbaopkbilf

The legitimate extension has a significantly larger user base and positive reviews, and it is classified as having very low risk likelihood and impact. By downloading both CRX files, we can conduct a comparative analysis to better understand the risk posed by the first extension. For examining .crx files, we can use ExtAnalysis (https://github.com/Tuhinshubhra/ExtAnalysis), an open-source framework designed for browser extension analysis.
Upon comparing the permissions declared in the two manifests, we find that the suspicious extension requests the cookies permission, whereas the legitimate extension does not.


This suggests that the suspicious extension could be involved in stealing browser cookies. The implications of this are significant for an attacker, as it opens opportunities for activities like session hijacking, circumventing security protocols, or distributing malware.
Given these factors, it leads me to the conclusion that this extension is likely malicious.
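The manifest comparison described above, as an added example that is not part of the original post or of ExtAnalysis: two constructed manifest.json documents stand in for the suspicious and legitimate CRX files (only the cookies difference reflects the finding; the other permissions are illustrative), and the risk notes are an assumed triage heuristic, not a chrome-stats.com rating.

```python
import json

# Constructed sample manifests standing in for the two CRX files compared above.
# Only the "cookies" difference mirrors the finding; other entries are illustrative.
SUSPECT_MANIFEST = json.dumps({
    "name": "AI Search Assistant (constructed look-alike)",
    "version": "1.0.0",
    "permissions": ["cookies", "storage", "tabs"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "background.js"},
})
REFERENCE_MANIFEST = json.dumps({
    "name": "AI Search Assistant (constructed legitimate)",
    "version": "1.0.0",
    "permissions": ["storage"],
    "host_permissions": ["https://www.google.com/*"],
    "background": {"service_worker": "background.js"},
})

# Permissions an analyst would want justified; the notes are an assumed heuristic.
RISKY_PERMISSIONS = {
    "cookies": "read/write browser cookies (session theft risk)",
    "webRequest": "observe network requests",
    "<all_urls>": "access every site the user visits",
    "history": "read browsing history",
    "tabs": "read tab URLs and titles",
}

def permissions_of(manifest_json):
    """Union of 'permissions' and 'host_permissions' (MV2 keeps host patterns in 'permissions')."""
    m = json.loads(manifest_json)
    return set(m.get("permissions", [])) | set(m.get("host_permissions", []))

def compare_permissions(suspect_json, reference_json):
    """Permissions the suspect declares that the look-alike reference does not, with risk notes."""
    extra = permissions_of(suspect_json) - permissions_of(reference_json)
    return {p: RISKY_PERMISSIONS.get(p, "not in risk table") for p in sorted(extra)}

if __name__ == "__main__":
    for perm, note in compare_permissions(SUSPECT_MANIFEST, REFERENCE_MANIFEST).items():
        print(f"{perm:15} {note}")
```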
Check If Someone Requested the C2

Now, our next step is to review the logs to ascertain whether the command and control (C2) server was accessed from the end user’s machine.

To investigate whether the C2 server was accessed, various logs must be scrutinized.
The first notable log is a DNS query for the domain www[.]chatgptforgoogle[.]pro, which appears suspicious and warrants further examination.

When visiting that website, this is the content displayed:

Another log raising suspicion is a DNS query for the domain version[.]chatgpt4google[.]workers[.]dev.

The page is no longer available, but we can attempt to view information about it on VirusTotal (https://www.virustotal.com/gui/domain/version.chatgpt4google.workers.dev/)

Three vendors on VirusTotal have flagged this URL as malicious.
Additionally, this URL is identifiable among the domains associated with the extension.

This malicious indication can be traced within the background.js file of the extension.

Upon examining the background.js code, I’ve come across elements that, in my opinion, indicate malicious intent.

The code in background.js runs its actions on installation: the check 'r.reason === "install"' is the reason value passed to a chrome.runtime.onInstalled listener. It then collects data with 'x0.default[qn].getAll({})', which, given the cookies permission identified earlier, is consistent with a call to chrome.cookies.getAll({}) that returns every cookie the extension can reach, and subsequently transmits that data to a remote server via 'fetch("hxxps://version[.]chatgpt4google[.]workers[.]dev/")'.
Based on this analysis, it is evident that the command and control (C2) server was accessed.
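One way to sweep resolver logs for the C2 lookups described above, as an added example that is not part of the original post: the indicator list is taken in its defanged form from this investigation, the log lines are constructed in an assumed "timestamp client query type" format, and the matcher refangs the indicators and also catches subdomains of them.

```python
import re
from collections import defaultdict

# Defanged indicators as recorded in this investigation.
C2_INDICATORS = [
    "version[.]chatgpt4google[.]workers[.]dev",
    "www[.]chatgptforgoogle[.]pro",
]

# Constructed resolver log lines in an assumed "timestamp client query type" format.
SAMPLE_DNS_LOG = """\
2024-01-15T09:12:01Z 172.16.17.173 www.google.com A
2024-01-15T09:12:05Z 172.16.17.173 version.chatgpt4google.workers.dev A
2024-01-15T09:12:06Z 172.16.17.173 www.chatgptforgoogle.pro A
2024-01-15T09:13:40Z 172.16.17.50 update.microsoft.com A
2024-01-15T09:14:02Z 172.16.17.173 version.chatgpt4google.workers.dev AAAA
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def refang(indicator):
    """Turn a defanged indicator (dots written as [.]) back into a hostname."""
    return indicator.replace("[.]", ".").lower()

def matches_indicator(hostname, indicators):
    """True when the queried name equals an indicator or is a subdomain of one."""
    host = hostname.lower().rstrip(".")
    for ioc in indicators:
        ioc = refang(ioc)
        if host == ioc or host.endswith("." + ioc):
            return True
    return False

def find_c2_lookups(log_text, indicators=C2_INDICATORS):
    """Map client IP -> [(timestamp, queried name), ...] for queries hitting an indicator."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        ts, client, qname, _rtype = m.groups()
        if matches_indicator(qname, indicators):
            hits[client].append((ts, qname))
    return dict(hits)

if __name__ == "__main__":
    for client, lookups in find_c2_lookups(SAMPLE_DNS_LOG).items():
        print(client, "queried C2 indicators:")
        for ts, qname in lookups:
            print("  ", ts, qname)
```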
Containment
Recognizing that a malicious Chrome extension was installed by the end user and successfully connected to the C2 server, it’s crucial to immediately contain this system. This step is essential to prevent further data exfiltration and to restrict the spread of the malware. Containment measures should be implemented as a priority.

Investigation Artifacts
172.16.17.173 – Infected System – IP Address
9cc6c26bd215549c39ba5b65e9eec9ea – Extension Hash – MD5 Hash
www[.]version[.]chatgpt4google[.]workers[.]dev/ – C2 Server – URL Address
18[.]140[.]6[.]45 – Suspicious IP – IP Address
www[.]chatgptgoogle[.]org – Suspicious URL – URL Address

Analyst Note
Case Overview:
- Initiating in-depth analysis of an alert involving a suspicious Chrome extension.
Threat Identification:
- Outbound connections to IPs: 52[.]76[.]101[.]124, 18[.]140[.]6[.]45, 172[.]217[.]17[.]142.
- Key indicator: Unusual internet traffic.
Malware Analysis:
- Extension not quarantined as per SIEM alert.
- Malicious extension identified: ‘hacfaophiklaeolhnmckojjjjbnappen’.
- High-risk rating on chrome-stats.com.
- A copy of another popular AI extension.
- Requires cookies permission, unlike the popular safe extension.
C2 Server Access:
- Confirmed access to C2 server: 'hxxps://version[.]chatgpt4google[.]workers[.]dev/'.
- VirusTotal flags the domain as malicious.
Containment Action:
- Immediate system isolation needed.
- Block IPs and URLs associated with the threat.

Close Alert
Summary:
The investigation into the suspicious Chrome extension alert has been completed. Key findings include unauthorized C2 server communications and unusual outbound traffic linked to the extension ‘hacfaophiklaeolhnmckojjjjbnappen’.
Conclusion:
The threat posed by the malicious extension has been mitigated, and the alert is now considered resolved. Continued vigilance is advised to monitor for any related or new suspicious activities.
Closed By: Joseph Damon
Position: SOC Analyst Tier 1

Conclusion
Below are the results from our inquiry into the harmful Chrome extension.

As we wrap up this exploration into the FakeGPT Malicious Chrome Extension, a few key takeaways stand out. Our investigation, backed by insights from LetsDefend, has revealed the complex nature of browser extension security threats and their potential impact on users and systems.
The FakeGPT extension, mimicking a popular AI assistant, has been identified as a high-risk threat due to its unauthorized data collection and communication with a suspicious C2 server. This analysis underscores the importance of vigilance in cybersecurity practices, especially in the realm of browser extensions which often go unchecked.
Our proactive measures, including the isolation of the infected system and the blocking of associated IPs and URLs, have successfully mitigated the immediate threat. However, this incident serves as a reminder of the ever-evolving landscape of cyber threats and the continuous need for advanced training and tools to combat them.
In conclusion, this incident reaffirms the value of platforms like LetsDefend, which provide essential training and resources for cybersecurity professionals. As we continue to navigate the dynamic and challenging world of cybersecurity, staying informed, prepared, and proactive remains our best defense against such sophisticated threats.
Thank you for accompanying me on this thorough exploration. If you have any questions or comments, feel free to leave them, and I’ll be sure to get in touch with you!