The Mystery of the google ads

Out of the blue I started seeing ads in my google search. They were especially prominent due to the fact they were white, and I use a back background. It was caused by a trojan running in my chrome extension, which I suspect was installed by a name-jacked NPM plugin.

• Impact and blast radius
  • Did happen when …
  • Did not happen when …
• Detection
  • Debugging
• Mitigation
• Root Causing and hypothesis

Impact and blast radius

Out of the blue I started seeing ads in my google search. They were especially prominent due to the fact they were white, and I use a back background

Did happen when …

• In private mode
• Disabling plugins
• Close and reboot chrome

Did not happen when …

• Using edge
• Using another user profile in chrome

Detection

Debugging

• I inspected the page, and saw the ads were in an iframe, being loaded from bing.com
• The iframe was from findsingl.com, but I could find no results for that.
• I went to the network tab, and observed network requests
• I enabled ‘path’,’host’ and ‘initiator’, to see where someone was doing an odd call
• I saw a network request from a chrome extension (recall disabled), to reppoflag.net
• Searching the web, I found reppoflag was a trojan, associated with ad blockers
• The ‘initiator’ field allowed me to click and see which code was making the request
• I saw a “GUID”, which I’m not sure how I determined was the extension

Mitigation

• I uninstalled all plugins (though will likely re-install some of them)
• Everything was good.
• Now, I wonder if other things are compromised.

Root Causing and hypothesis

I’m not sure this happened, but my guess:

• I had a common chrome extension installed (uBlock)
• I installed and ran a brand jacked NPM package (e.g npx run browser-pack, instead of npx run web-browser-pack).
• The package modified the extension on disk (I didn’t verify, just guessing :( )
• When my web page ran, the malicious extension ran, and loaded ads.

More details from Malware can edit the chrome binary, or extensions, with a loader:

We call this family of browser modifiers Adrozek. If not detected and blocked, Adrozek adds browser extensions, modifies a specific DLL per target browser, and changes browser settings to insert additional, unauthorized ads into web pages, often on top of legitimate ads from search engines. The intended effect is for users, searching for certain keywords, to inadvertently click on these malware-inserted ads, which lead to affiliated pages. The attackers earn through affiliate advertising programs, which pay by amount of traffic referred to sponsored affiliated pages.

The malware makes changes to certain browser extensions. On Google Chrome, the malware typically modifies “Chrome Media Router”, one of the browser’s default extensions, but we have seen it use different extensions.

The malware also tampers with certain browser DLLs. For instance, on Microsoft Edge, it modifies MsEdge.dll to turn off security controls that are crucial for detecting any changes in the Secure Preferences file.

While web searches mentioned ad blockers were compromised, there was no evidence that uBlock was.

I wondered if something edited the uBlock extension on disk. Turns out NPM packages are “brand jacked” by making NPM extension with a similar name.

These mimicked the legitimate NodeJS-based database libraries, including jdb and db-json, but downloaded the malicious njRAT aka Bladabindi onto the user’s system.

Here’s a deep dive into how sophisticated the attack can be.