Malicious Chrome Extensions, Domains Used to Steal User Data

Google Chrome extensions and Communigal Communication Ltd. (Galcomm) domains were used in a campaign that aims to track user activity and data, as unveiled by Awake Security.  In the past three months, the researchers found 111 malicious or fake Chrome extensions using Galcomm domains as their command and control (C&C) infrastructure. There have been at least 32 million downloads of these malicious extensions at the time of writing.

The campaign used almost 15,160 domains registered on Galcomm to host malware and browser-based surveillance tools, a number that represents almost 60% of the number of reachable domains (26,079) registered on the same domain registrar. In an email exchange with news agency Reuters, Galcomm owner Moshe Fogel insisted that “Galcomm is not involved, and not in complicity with any malicious activity whatsoever.”

“You can say exactly the opposite, we cooperate with law enforcement and security bodies to prevent as much as we can,” Fogel wrote.

The attacks successfully avoided detection by sandboxes, endpoint security solutions, domain reputation engines, and the like. Among the affected industries are finance, oil and gas, media, healthcare, retail, technology, education, and government.

Link to our past research

As we illustrated in our research published last April on modular adware DealPly, IsErik, and ManageX, these Chrome extensions are part of the ecosystem of this campaign. We also found malicious extensions targeting Firefox users. We mentioned that some of these can load code from remote servers, and we also cited Galcomm domains as possibly linked to the attack. Moreover, we supplied a root cause analysis (RCA) for this.

Awake Security also published an extensive list of app IDs used in the same campaign. Besides a couple of App IDs that we encountered in our analysis, below are two other app IDs we uncovered previously:

  • bgbeocleofdgkldamjapfgcglnmhmjgb
  • ncjbeingokdeimlmolagjaddccfdlkbd

The malicious extensions in question can capture screenshots, read the clipboard, harvest user keystrokes, and take credential tokens without the user’s consent. Similar behavior has been observed and analyzed in a report we published on a malware variant (detected by Trend Micro as Trojan.JS.MANAGEX.A) that is also associated with this campaign. There, we found that the malware sets permission to allow access on  Chrome APIs that include the following:

  • browsingData
  • cookies
  • desktopCapture
  • geolocation
  • history
  • management

(For the full list, please see our report)

Earlier detected malware variants ADW_DEALPLY and Adware.JS.DEALPLY.SMMR have been associated with this attack as well.

Securing systems from threats brought about by malicious domains and extensions

Malicious extensions continue to evolve into more menacing threats; over time, they develop stealthier techniques such as bypassing traditional security mechanisms and loading code from remote servers. Besides focusing on detection, organizations should constantly monitor for the tactics, techniques, and procedures employed by these threats in the long term to have a better understanding of their behavior and gain insights on how to defend entry points against them.

Trend Micro XDR protects the system through gathering and correlating activity data from email, endpoint, server, cloud workloads, and the network. It uses AI and expert security analytics which not only enable early detection but also offer deeper insight into the source and behavior of these attacks.

Trend Micro™ Managed XDR service provides expert monitoring and analysis by our seasoned Managed Detection and Response analysts. Our experts can create a complete picture of the attack and how it spread across the enterprise, thus giving a clear view of the cause and impact of a threat.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.