Fake Chrome MinerBlock Extension Playing Videos in the Background

January 9, 2018 Arrunadayy Koul No comments exist

Do not have time to read full article and want this article in PDF format in your email.

Enter your Email Address
MinerBlock Fake extension Image

Fake MinerBlock Extension

minerBlock Extension Image

Legitimate MinerBlock Extension

Security researcher Bryan Campbell discovered a malicious Chrome extension today that is masquerading as the legitimate MinerBlock extension. The legitimate MinerBlock extension is used to block sites that utilize in-browser cryptocurrency mining, while the newly discovered version causes Chrome to repeatedly play videos in the background without your knowledge.

The Chrome Web Store pages for each extension looks different, with the fake one containing Russian text, but with developers being different. The developer for the legitimate MinerBlock is from CryptoMineDev, while the malicious one is listed as from egopastor2016.

As for the extensions themselves, other than the logo and the version number, both extensions look the same and have the same options interface.

Functionality is where things change. While the original MinerBlock is designed to block access to known mining sites, the malicious version is used to constantly play videos in the background.

It is not known for sure why the extension is constantly playing videos in the background, but it could be used for click fraud through the display of advertisements or to artificially increase view counts.

When started, the malicious extension will connect to the site egopastor.biz and retrieve a set of “tasks”. These tasks will determine what options the extension will use and the URLs it should connect to.

You can see an example of the extension connecting to this site and retrieving its configuration below.

Fiddler Showing Video Playback Image

Fiddler Showing Video Playback

The extension will then begin to connect to the specified URL, which at this time causes videos to be played from various Russian video sites. When a video is played, it will cause the CPU utilization to shoot as high as 100% and then drop back down to 0 when the video has finished playing. You can see an example of this CPU utilization while a video plays below.

CPU Utilization

For those who may have this version installed, you can easily remove the extension by right-clicking on its icon and selecting remove.

With it becoming more common for malicious extensions to masquerade as well-known legitimate ones, it is important for all users to be careful when installing extensions. Before installing anything, be sure to read the reviews carefully and make sure the extension you are installing is the correct one.

ICOs

Hashes & Pages:

Legitimate:

Chrome Store Page: https://chrome.google.com/webstore/detail/minerblock/emikbbbebcdfohonlaifafnoanocnebl

Fake:

Chrome Store Page: https://chrome.google.com/webstore/detail/minerblock-%D0%B1%D0%BB%D0%BE%D0%BA%D0%B8%D1%80%D0%BE%D0%B2%D0%BA%D0%B0-%D0%BC%D0%B0%D0%B9/jdkbipcangaabpfffdcffcneenkilajh

Hash: 2c1f5e5a2e3267e4db3018bb3371204aaa38a4780f305be31b64997624f20a85

Network Connections in Fake extension:

egopaster.biz

If you liked this post, you might enjoy our newsletter. Receive new articles directly in your inbox:

Yes I agree to receive emails from Defenx Solution

Subscribe our Youtube Channel

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.