CRX Collection Workflow: A Practical Guide

-



2024 was quite the year for me. I left a company where I had been in my dream role, moved across the country (again) for a new position, and even got engaged. It has been nearly a year since I last wrote anything on my blog, so I figured there was no better time than this chilly Saturday afternoon to share something I have been working on over the past few days.

I was honestly struggling to choose a topic, especially after so many exciting projects in the last year. In the spirit of keeping my posts short and digestible, I decided to focus on a workflow I created (and had help with!) for threat-hunting malicious extensions, along with some of the challenges I have faced.

Hunting for a CRX Resource

In late December, security teams around the globe scrambled when security vendor Cyberhaven discovered one of its extensions had been compromised, primarily targeting Facebook ad accounts. As of this writing, 36 malicious extensions have been identified on extensiontotal.com.

As an intelligence analyst, I’m always seeking more data. My first question when researching this was, “How can I collect more malicious extensions?” You’d think there would be a central list or a website with an API offering this information, but you'd also be mostly mistaken. 

There are sites like CRXcavator, that have been down for a while, displaying a message that reads, “We apologize for the extended outage of CRXcavator. We are working on getting it restored,” and I’ve encountered login errors multiple times. CRXaminer can help determine whether an extension is malicious, and ExtensionTotal also has some of these same capabilities, but none gave a clear option to pull down their known malicious extensions. 


Outside of the security vendors, I also checked open-source projects which I only mostly found GitHub repositories that hadn’t been updated in years. One seemed as if the creator was manually adding new CRX extensions whenever an article was published, which is useful for gathering IOCs but isn’t robust enough for a larger, more automated process.


CRX Collection Workflow 

Inspired by the GitHub repo I found, I decided to replicate their approach but automate it as much as possible. To do this, I created a custom AI feed in Feedly that tracks anything related to malicious extensions or tagged with Browser Extensions; T1176. This feed captures extension-related posts from the internet and sends them to my IOC news feed. As new blogs and research are found, I then use Feedly’s AI engine to automatically pull out the CRX IOCs.


Next, I turned to my favorite resource, VirusTotal (VT). I knew CRX files could be found there, but I wasn't sure if the entire CRX file was being uploaded. That includes the manifest.json, any JavaScript, and related network telemetry, such as domains the extension calls. It turns out everything is included, which opens the door for deeper analysis.

Using a query like entity:file filename:*.crx fs:14d+ and p:1+ - which searches for CRX files first uploaded to VT in the past fourteen days and flagged as malicious by at least one vendor, helps identify potentially malicious files. 

The next challenge was determining how to vet these files before sharing them internally. For that, I used CRXaminer (please release an API) and enriched this information with additional artifacts, including the manifest.json, any JavaScript it calls, and known malicious domains from VirusTotal. 

This process turned up 14 newly discovered malicious extensions.

If you've ever worked with me, I've probably brought up JA3 or JA4 once or twice. While analyzing samples many of the CRX file types and related malicious JS will have a JA3 hash you can use to pivot off. Running this alone will often result in high volumes of FPs, but if you tweak these queries you can use it as a pivot point to identify additional CRX samples. 


Now that I have multiple multiple queries, with decently high fidelity, and will be creating more as additional files are analyzed, such as with JA3s. This entire process can be automated with the VT API, using these queries, to pull identified CRX files on a regular cadence, their manifest.json, any JavaScript, and relevant behavioral patterns. 


Expanding the workflow

At this point, I started chatting with a teammate about some of the challenges I was facing:

    1) Fully automating the vetting process (using a tool like CRXaminer would streamline this even more)

    2) Figuring out how to monitor newly registered extensions

Thanks to my teammate’s expertise, by the end of the day they had a program that identifies CRX extensions and assigns risk based on their contents. Within two working days, we were close to having a fully automated workflow to collect and vet CRX extensions. I may come back and add more details surrounding this another time. 

The final step, like any collection workflow, is to distribute the IOCs for retroactive searching, detection, and response. Not only does this help us stay updated on newly identified CRX files, but it also lets us block malicious CRX files before they are downloaded or installed. All thanks to the intel we have collected, vetted, and operationalized. 

Final Thoughts

Workflows like these, are becoming an important part of my role as an intel analyst and threat hunter. As my career has progressed, I have started to redefine what it means to stay current with the threat landscape. Lately, that means adapting methods from one area to another and drawing parallels across seemingly unrelated topics.

Thanks for reading and as always Happy Hunting! 


Identified Malicious Extensions

blojlgglhfcmpigjbkllcgjmhincdjhb
bojaonpikbbgeijomodbogeiebkckkoi
eppiocemhmnlbhjplcgkofciiegomcon
acmfnomgphggonodopogfbmkneepfgnh
aojcgkfcpipialpajbphlnfjelpcpfic
dljdacfojgikogldjffnkdcielnklkce
gcpaokdjnddgeodalchpomeomglomoan
hodiladlefdpcbemnbbcpclbmknkiaem
lgjdgmdbfhobkdbcjnpnlmhnplnidkkp
mmacphhaiefdkchcpamplnpgbolonlde
nodcmkfbncnhlbbohoalamehlohaidjo
pfaahjapdldabbobilkilmppakcdjagh
lpbkofhnclhhlaibcklkgaonbbmhjeco
lccpadlcbfphjdlckfnlahjhikmgglak

Resources

https://crxcavator.io/
https://crxaminer.tech/
https://robwu.nl/crxviewer/
https://www.extensiontotal.com/cyberhaven-incident-live
https://www.cyberhaven.com/engineering-blog/cyberhavens-preliminary-analysis-of-the-recent-malicious-chrome-extension









Comments

Post a Comment

Popular posts from this blog

Certifried Red Team Operator

-
Image
I wasn't actually planning on writing up a blog about passing the CRTO, but here I am about two months since passing and felt like writing down some after-thoughts. Now that all the information has had time to simmer, there have been some key takeaways I've noticed in my day to day working in threat research. If you're not familiar with the CRTO, a TLDR is this focuses on using the C2 framework CobaltStrike from a red team perspective created by RastaMouse at Zero Point Security .    If you've ever worked in a SOC before, you've maybe heard the long standing joke 'it's an admin, false positive'. It used to make me laugh, until I moved in threat hunting and intelligence. Now hearing this just gives me anxiety. Elevating privileges typically isn't that difficult to accomplish but, detecting and preventing it before it has a negative impact is challenging. This is even more difficult when going against a skilled attacker that understands elevating privi...
Read more

VirusTotal Enterprise - Starting Workflow

-
Image
In 2023, I set out to write a personal blog every four months but didn't quite meet that goal. Reflecting on the year, it's amusing to think I attributed this to writer's block. My role in threat intelligence and working with an advanced pursuit team involves crafting internal reports and advisories. Realizing this could have been a goldmine for blog content, I'm reminded of one of my favorite quotes, "I'm going to make this way harder than it needs to be." So, let's dive in. I frequently utilize what I term 'open source databases' – resources like Shodan, Censys, VirusTotal, and AbuseIPDB. These databases provide intelligence on various artifacts, with limitations typically based on the account type (free, verified, or paid). Today, I want to focus on how I leverage VirusTotal Enterprise in my daily workflow. Before we delve deeper, a quick tip: check the VT Enterprise Group tab under your profile to monitor your monthly usage. These resources...
Read more

Tracking Malicious Files with Favicons

-
Image
In today's post, we're diving into the world of favicons and their role in malware detection with VirusTotal Enterprise. If you read my last blog, you’ll remember we explored using VirusTotal Diff to track down new iterations of DarkGate malware. Though it might seem like I live and breathe VirusTotal, I assure you there are other tools I use. However, I do find these ad-hoc workflows interesting, and although I rarely document them, I'm making another post. Imagine you’re part of a product company that distributes a high volume of binaries, software, and various other items across a vast amount of websites. Often, third-party partners host legitimate versions of these products on their sites and SEO boosts. Unfortunately, this widespread distribution gives attackers a chance to mimic your products by using similar file names and even your company's favicon to deceive users. This is by no means a novel or new technique, in fact, it's quite trivial in my opinion, w...
Read more