Avast researchers have found a large number of malicious Chrome and EGDE browser extensions to hijack the link to any URL in the search results page, including phishing websites and advertisements.

Avast researchers have found an attack activity that uses browser to extend hijacking search results –cacheflow. Among them, 28 malicious Chrome and EGDE browser extends using cache-control http header as a hidden channel to extract commands from an attacker control, and the browser extensions involved include Video Downloader For Facebook, Vimeo Video Downloader, Instagram Story Downloader, VK UNBLOCK.

Avast analysis found that 3 countries that were downloaded and installed Cacheflow extended users were Brazil, Ukraine and France, then Argentina, Spain, Russia and the United States.

The cacheflow attack stream is as follows:

Cacheflow Attack starts from the user to download malicious extensions in your browser. After the malicious expansion is installed, it will send an analysis request similar to Google Analytics, and then return a careful forged cache-control header containing hidden commands, where the hidden command is to extract the second phase of PayLoad, the second phase payload is the ultimate JS PayLoad downloader.

JS malware will collect birth dates, email addresses, location, equipment activities, etc. In order to obtain birthday information, cacheflow will analyze a XHR request to https://myaccount.google.com/birthday, and analyze the date of birth from the response message.

Finally, PayLoad will inject the other end JS code to each Tab, use it to hijack the search results of the legitimate website, modify the search results of Google, Bing, Yahoo, etc., and turn the victim to different URLs.

Malicious extensions have a very interesting place to avoid users who are infected with Web developers. Malicious extension calculates the user-installed extension rights or checks if there is a local construction website, such as .dev, .local,,. Localhost, and any suspicious malicious behavior after the first 3 days after extension installation.

From the user review from the Chrome Web Store, Cacheflow began to active from October 2017. In general, users will trust the extension of the official browser store installation, think it is safe, but in recent years, the application and extension from official stores are not necessarily safe.

The Cacheflow attack uses the Cache-Control HTTP header in the analysis request as a hidden channel to hide its commands and control traffic, and researchers believe this is a new technology.

Cacheflow hides C2 command process

All cacheflow attack activities related malicious browser extensions were taken from Google, Microsoft, on December 18, 2020, to prevent users to continue downloading, users who have downloaded can remove relevant extensions to prevent malicious attacks.

Complete technical analysis See: https: //decoded.avast.io/janvojtesek/backdooored-browser-extensions-hid-malicious-traft-in-analytics-Requests/in-analytics-Requests/

This article is translated from: https: //thehahacnews.com/2021/02/Over-dozen-chrome-extensions-caught.html