{"id":19466,"date":"2022-06-29T03:10:22","date_gmt":"2022-06-29T11:10:22","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/06\/29\/news-13199\/"},"modified":"2022-06-29T03:10:22","modified_gmt":"2022-06-29T11:10:22","slug":"news-13199","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/06\/29\/news-13199\/","title":{"rendered":"Forced Chrome extensions get removed, keep reappearing"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Wed, 29 Jun 2022 10:38:18 +0000<\/strong><\/p>\n

In the continued saga of annoying search extensions we have a new end-of-level boss.<\/p>\n

Victims have been reporting browser extensions that were removed by Malwarebytes, but \u201cmagically\u201d came back later. Since the victims also complained about the message saying their browser was “managed”, we had a pretty good idea where to look.<\/p>\n

\n
\"custom
custom search bar<\/em> is one of the forced extensions<\/em><\/figcaption><\/figure>\n<\/div>\n

Search extensions<\/h2>\n

The culprits turned out to be search extensions. Which is often<\/a> the case when we spot potentially unwanted programs (PUPs) that use malware tactics to get installed and gain persistence.<\/p>\n

The search hijackers \u201cactive search bar<\/a>\u201d and \u201ccustom search bar<\/a>\u201d were both available in the Chrome web store at the time of writing even though we reported them days ago.<\/p>\n

\n
\"active
active search bar is also available in the webstore<\/em><\/figcaption><\/figure>\n<\/div>\n

PowerShell<\/h2>\n

It took some digging to find the origin, since all we had were the extensions. And when the extensions were installed directly from the webstore, nothing happened out of the ordinary. However, some hunting on VirusTotal soon led me to a few recently uploaded PowerShell<\/a> scripts that included the string \u201cExtensionInstallForcelist.\u201d I looked for that string because we know from the past<\/a> that these registry policies account for the \u201cYour browser is managed\u201d warnings.<\/p>\n

$CPath = \"HKLM:SOFTWA<\/code>REPoliciesGoogleChromeExtensionInstallForcelist\";<\/code><\/p>\n

$EPath = \"HKLM:SOFTWAREPoliciesMicrosoftEdgeExtensionInstallForcelist\";<\/code><\/p>\n

The description in the Chromium documentation about the ExtensionInstallForcelist states:<\/p>\n

\n

\u201cSpecifies a list of apps and extensions that are installed silently, without user interaction, and which cannot be uninstalled nor disabled by the user.\u201d<\/p>\n<\/blockquote>\n

And to confirm this finding, the victims that provided logs all had one of these PowerShell script listed in their Scheduled Tasks<\/a>.<\/p>\n

\n
\"Scheduled
The Scheduled Task triggers the PowerShell script<\/em><\/figcaption><\/figure>\n<\/div>\n

The Scheduled Task was set to run every four hours, which explained why the extensions kept coming back.<\/p>\n

Installer<\/h2>\n

But Scheduled Tasks don\u2019t install themselves either and dropping PowerShell scripts in the System32 folder requires Administrator privileges, so we needed to dig a little further to find an installer.<\/p>\n

The domain wincloudservice.com was used as a download location in all the PowerShell scripts so we used that domain as a search parameter in our next stage of VirusTotal hunting. This search eventually returned three installers. What they had in common at first glance was that the filenames all ended with “_x64LTS.exe” and that they were all signed by \u201cTommy Tech LTD.”<\/p>\n

Upon further inspection we noticed that the installers all asked for Administrator privileges twice. The first part installs something that is called \u201cSetup\u201d and the second part installs an application that aligns with the name of the installer. So, it appears that the original installer files were \u201cpatched\u201d to add the installer for our browser hijacker. It stands to reason that these installers are offered for download somewhere by the threat actors.<\/p>\n

The EULA points to tommytechil.com which is unreachable. I was unable to find an installer that actually dropped an extension in Edge, but the \u201cYour browser is managed by your organization\u201d setting does get enforced.<\/p>\n

\n
\"Edge
Edge managed by your organization<\/em><\/figcaption><\/figure>\n<\/div>\n

Javascripts<\/h2>\n

Malwarebytes customers were protected against these extensions as Malwarebytes\u2019 web protection module blocked the domain wincloudservice[.]com<\/a>. On inspection, this domain hosted several javascripts including heavily obfuscated files called crypto.js and crypto-js.min.js. <\/p>\n

Detection and removal<\/h2>\n

Malwarebytes detects these browser hijackers as PUP.Optional.ActiveSearchBar and PUP.Optional.CustomSearchBar. Included in the removal procedure are the extension, and the Scheduled Task, which is enough to permanently get rid of the extension.<\/p>\n

Some Windows registry changes have been made that will take a system administrator to decide what they want to keep or not.<\/p>\n

The registry keys to remove the \u201cYour browser is managed\u201d are:<\/p>\n

HKEY_LOCAL_MACHINESOFTWAREPoliciesGoogleChromeExtensionInstallForceList<\/code><\/p>\n

HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftEdgeExtensionInstallForceList<\/code><\/p>\n

And another change made by the installer was the registry value:<\/p>\n

HKEY_LOCAL_MACHINESOFTWAREMicrosoftPowerShell1ShellIdsMicrosoft.PowerShell<\/code>\\ExecutionPolicy<\/code><\/p>\n

The installer set that to \u201cUnrestricted\u201d<\/code> which may not be your favorite setting. If you are not sure or you have never actively set that policy, the default is \u201cRestricted\u201d<\/code>. Please note that in some organizations PowerShell is required<\/a> to run.<\/p>\n

IOCs<\/h2>\n

Domains:<\/strong><\/p>\n

activesearchbar[.]me<\/a><\/p>\n

customsearchbar[.]me<\/a><\/p>\n

optimizerupdate[.]com<\/a><\/p>\n

securedatacorner[.]com<\/a><\/p>\n

wincloudservice[.]com<\/a><\/p>\n

Installers:<\/strong><\/p>\n

4kvideodownloader_5.22.371_x64LTS.exe<\/p>\n

AutoClicker_x64LTS.exe<\/p>\n

FPSUnlocker_4.1_x64LTS.exe<\/p>\n

PowerShell scripts:<\/strong><\/p>\n

PrintWorkflowService.ps1<\/p>\n

WindowsUpdater1.ps1<\/p>\n

OptimizerWindows.ps1<\/p>\n

Extensions:<\/strong><\/p>\n

custom search bar nniikbbaboifhfjjkjekiamnfpkdieng<\/p>\n

active search bar pkofdnfadkamabkgjdjcddeopopbdjhg<\/p>\n

The post Forced Chrome extensions get removed, keep reappearing<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: Pieter Arntz| Date: Wed, 29 Jun 2022 10:38:18 +0000<\/strong><\/p>\n

Malwarebytes found a family of forced Chrome extensions that can’t be removed because of a policy change that tells users “Your browser is managed”.<\/p>\n

The post Forced Chrome extensions get removed, keep reappearing<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[26765,26766,26767,11191,26768,26769,10494,26770,26771],"class_list":["post-19466","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-active-serach-bar","tag-custome-search-bar","tag-extensioninstallforcelist","tag-powershell","tag-scheduled-task","tag-search-extensions","tag-threat-analysis","tag-tommy-tech","tag-your-browser-is-managed"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19466","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19466"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19466\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19466"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19466"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19466"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}