Breaking into someone else’s Gmail box through a hidden Chrome extension

Email hacking is one of the most popular jobs in the underground hacking market on the dark web, as it is the cornerstone for doxing, identity theft, and interception of victim communications.

It is not surprising that attackers keep coming up with new ways to penetrate someone else’s mailbox. Last year, another new and rather extraordinary attack vector appeared: a Chrome extension which does not steal passwords, as usual, but performs direct inspection and exfiltration of traffic from the mailbox through the “Developer Tools” in the browser. Thus, there are no traces of extraneous penetration in the Gmail logs, only the session of a legitimate client.

Let’s see how it’s done technically.


In this case, the attacker is allegedly the DPRK special services (the SharpTongue hacker group), although this is not essential for the analysis of the technical aspects. In their place could be a private detective agency that fulfills the order of a jealous spouse or conducts an industrial espionage operation against a competing company. This attack vector works for almost any email user, individual or legal entity.

For the most complete description of the extension, codenamed SHARPEXT, see the Volexity report. Below are the key steps.

1. Installing a Chrome extension and changing browser settings

The extension is installed in the victim’s browser by running a VBScript script on their computer. Full script code:

Obviously, to run the script, you need physical access to the computer (at least for a few seconds) or a working exploit for remote code execution.

The script downloads the extension files, browser configuration files and additional scripts via the console, and then launches the installation script pow.ps1.

The pow.ps1 script stops the current browser process and replaces the Preferences and Secure Preferences files in Google Chrome. These configuration files contain the current state of the profile and protect Google Chrome from subtle modifications from outside by issuing the appropriate warning:

For more about installing malicious extensions in Chrome, see this scientific work as well as a post in Russian.

Using the method described here, the script generates new Preferences and Secure Preferences files, which will be accepted by the browser as native after a restart, without displaying a warning. The new settings also register a new extension from the folder %APPDATA%\Roaming\AF, which has permission to use DevTools:

The browser is then restarted.

2. Enable DevTools

The second script, dev.ps1, activates DevTools from a browser tab that the user opens in the Gmail web interface. To do this, the script sends the keystroke sequence Control+Shift+J to the corresponding tab and hides the open DevTools panel with the SW_HIDE flag in the ShowWindow() API.

Additionally, the script suppresses any pop-up Windows warnings that might attract the victim’s attention. For this, new windows are constantly checked and hidden through the same ShowWindow().

3. Inspection of mail

After opening the developer tools, the module dev.js is launched, which inspects requests and sends the ones suitable for parsing and exfiltration against such a filter:

4. Downloading the main code from a remote server

The extension then downloads the main working code from a remote server that processes the email. Thus, the attacker has the ability to dynamically change the working code, and there is no malicious payload in the code of the extension itself, which helps to avoid detection and hide the targets of the attack.

This part of the code can request arbitrary emails and attachments through the mail web interface and send them to a remote server.

5. Copy mail

You can copy the entire mail archive or content that meets the given conditions. As already mentioned, this method of penetrating the mailbox leaves no traces in the mail server logs on the “Activity in your account” page.


The first cases of mailbox hacking through the Chrome extension became known in September 2021. Since then, the malicious extension has been refined. The current version 3.0 supports exfiltration from two mail services (Gmail and AOL) through three browsers (Edge and the South Korean Whale have been added).

In principle, to detect any attacks through PowerShell, you can enable PowerShell logging. To check for this particular attack, YARA rules and IOC indicators have been published.
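Because step 1 registers an extension with DevTools permission from a folder outside the browser profile, the profile's own settings file can also be audited for exactly that combination. The following is an added example, not code from the Volexity report or from the original post. It assumes that the settings keep extension entries under extensions.settings with "path", "location", "manifest" and "active_permissions" keys and that location code 4 marks an unpacked extension; the sample data is constructed.

```python
import json
from pathlib import PureWindowsPath

UNPACKED = 4  # assumed Chrome "location" code for an extension loaded unpacked from disk

def uses_devtools(entry):
    """True if the entry holds the devtools API permission or declares a devtools page."""
    perms = entry.get("active_permissions") or {}
    manifest = entry.get("manifest") or {}
    return "devtools" in (perms.get("api") or []) or "devtools_page" in manifest

def audit(prefs_text):
    """Return (extension id, path, reasons) for DevTools-capable extensions that
    were not installed into the profile's own Extensions directory."""
    settings = (json.loads(prefs_text).get("extensions") or {}).get("settings") or {}
    findings = []
    for ext_id, entry in sorted(settings.items()):
        if not isinstance(entry, dict) or not uses_devtools(entry):
            continue
        path = str(entry.get("path", ""))
        reasons = []
        # Assumption: store installs record a path relative to the profile,
        # so an absolute path means the code lives elsewhere on disk.
        if PureWindowsPath(path).is_absolute():
            reasons.append("absolute-path")
        if entry.get("location") == UNPACKED:
            reasons.append("unpacked")
        if reasons:
            findings.append((ext_id, path, reasons))
    return findings

# Constructed sample data; ids and paths are placeholders, not real indicators.
SAMPLE = json.dumps({"extensions": {"settings": {
    "a" * 32: {"location": 1, "path": "a" * 32 + "\\1.0_0",
               "active_permissions": {"api": ["devtools", "storage"]}},
    "b" * 32: {"location": 4, "path": "C:\\Users\\example\\AppData\\Roaming\\AF",
               "manifest": {"devtools_page": "dev.html"},
               "active_permissions": {"api": ["devtools"]}},
    "c" * 32: {"location": 4, "path": "D:\\work\\my-extension",
               "active_permissions": {"api": ["tabs"]}},
}}})

if __name__ == "__main__":
    for ext_id, path, reasons in audit(SAMPLE):
        print(ext_id, path, ",".join(reasons))
```

On a real host the input is the text of the profile's Secure Preferences file. A developer's own unpacked DevTools extension is reported too, so each finding needs manual review.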

In general, in order to protect against the leakage of confidential information, it is better to store it in encrypted form.

