If you use browser extensions, be aware that Lnkr-infected browser extensions are spreading rapidly across the internet.
What are browser extensions?
Browser extensions extend your web browser with additional features, modify web pages, and integrate your browser with other services you use; examples are ad blockers, VPN clients and HTTPS Everywhere.
Since users across the globe have adopted browser extensions and come to depend on them, attackers have started leveraging this technology to attack users through their extensions.
What is Lnkr, what is its motive and how does it work?
It is categorized as a type of adware (JS/Adware Script Injector). Although it is adware, it can still do serious damage depending on where it redirects you.
Its purpose is simple: redirect traffic to malicious or command-and-control (C2) domains and harvest personal details about you or your finances.
Working methodology of Lnkr
- Attackers first clone legitimate or semi-legitimate browser extensions and inject their malicious code into them.
- Attackers then distribute the cloned, malicious version of the extension through the Chrome Web Store.
- The main goal of these malicious extensions is to inject malicious JavaScript into the web pages the user browses.
- Once a web page is compromised with this JavaScript, it redirects the user to several C2 domains such as lnkr[dot]us and lnkr[dot]fr, which appear to be part of this malware campaign and fully controlled by the attackers, or to various ad-popper and advertising sites that are harmless in themselves.
Also note that these malicious extensions have the potential to send sensitive data to command-and-control (C2) servers. Attackers use such servers to keep a channel open to the compromised systems.
Mastermind behind Lnkr
Brocode, a shell company registered in Hong Kong, seems to be the company behind the code, although the attackers have left a few footprints that lead us to suspect Eastern European, likely Ukrainian or Russian, culprits may be involved, without any direct relationship to government confirmed.
Using our domain and IP intelligence platform SurfaceBrowser™, we were able to fetch the relevant WHOIS information—and it seems to belong to a guy named Sergei Filov, from Ukraine.
Source: Securitytrails.com
Technical explanation of Lnkr Adware
- When a user visits or browses a compromised web site, in this case ryersonrams[dot]ca
Compromised web page URL:
- If we check the source code behind this web page, we can see the embedded malicious JavaScript (the highlighted part in the image below).
- To see the flow of data, we captured and analyzed the traffic. It shows that once the user browses the compromised web page mentioned above, the embedded JS is downloaded to the user's system in the background, without the user's knowledge.
- Once the page is infected with the malicious JavaScript, post-infection traffic starts and the user is redirected to unwanted sites. The post-infection requests carry some significant parameters, such as sid, tid and rid, where the value of rid is a function name that can be seen in the malicious JavaScript.
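To make the two indicators above concrete, here is an added example (my own code, not code from the original post or from any Lnkr sample). It scans a page's HTML for script tags loaded from the C2 domains named earlier in the post, and scans HTTP log lines for requests to those domains or for requests carrying the sid, tid and rid parameters together. The only indicators taken from the post are the two lnkr domains and the three parameter names; the sample page, the log lines, the script paths and the rid value "loadScript" are constructed for illustration, and the example.test origin is a placeholder.

```javascript
// Added example, not code from the original post or from any Lnkr sample.
// Indicators taken from the post: the two C2 domains and the sid/tid/rid parameters.
const LNKR_DOMAINS = ["lnkr.us", "lnkr.fr"];
const BEACON_PARAMS = ["sid", "tid", "rid"];

// True when hostname is one of the indicator domains or a subdomain of one.
function hostMatches(hostname, domains) {
  const h = hostname.toLowerCase();
  return domains.some((d) => h === d || h.endsWith("." + d));
}

// Pull every external <script src=...> out of raw HTML with a plain string scan,
// so the check runs outside a browser (e.g. over a saved copy of a page).
function findScriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Classify one URL. `base` resolves relative and protocol-relative sources;
// the example.test origin is a placeholder for the page being inspected.
function classifyUrl(raw, base = "https://example.test/") {
  let u;
  try {
    u = new URL(raw, base);
  } catch {
    return { url: raw, host: null, rid: null, reasons: ["unparseable"] };
  }
  const reasons = [];
  if (hostMatches(u.hostname, LNKR_DOMAINS)) reasons.push("ioc-domain");
  // The post says post-infection requests carry sid, tid and rid together and
  // that rid names a function in the injected script; require all three.
  if (BEACON_PARAMS.every((p) => u.searchParams.has(p))) reasons.push("beacon-params");
  return { url: u.href, host: u.hostname, rid: u.searchParams.get("rid"), reasons };
}

// Suspicious external scripts in a page.
function scanPage(html) {
  return findScriptSources(html)
    .map((s) => classifyUrl(s))
    .filter((r) => r.reasons.length > 0);
}

// Suspicious requests in log lines of the form "<timestamp> <method> <url>".
function scanLog(lines) {
  return lines
    .map((line) => line.trim().split(/\s+/)[2])
    .filter(Boolean)
    .map((url) => classifyUrl(url))
    .filter((r) => r.reasons.length > 0);
}

// Constructed sample page: one benign script plus one script loaded from a C2 domain.
const SAMPLE_HTML = `<html><head>
<script src="/static/app.js"></script>
<script type="text/javascript" src="//lnkr.us/sample.js"></script>
</head><body></body></html>`;

// Constructed sample log: two benign requests, one beacon, one C2 fetch.
// The rid value "loadScript" is a made-up function name for illustration.
const SAMPLE_LOG = [
  "2020-01-01T10:00:00Z GET https://example.test/index.html",
  "2020-01-01T10:00:01Z GET https://cdn.example.test/lib.js?v=3",
  "2020-01-01T10:00:02Z GET https://ads.example.test/t?sid=1&tid=2&rid=loadScript",
  "2020-01-01T10:00:03Z GET https://lnkr.fr/sample.js",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(scanPage(SAMPLE_HTML));
  console.log(scanLog(SAMPLE_LOG));
}
```

The parameter check requires all three of sid, tid and rid, because any one of them is common in ordinary ad and analytics traffic; the domain check matches subdomains as well, since the post notes that the campaign rotates C2 names and hosting. Feed scanLog the URL column of a proxy or web-server log, and scanPage a saved copy of a page you suspect, and review the rid values the script names.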
Analysis of the embedded JavaScript
OSINT analysis of this malicious JavaScript:
- Meta-defender Analysis: https://metadefender.opswat.com/results#!/file/bzE5MDcwN0h5eFl3WDB5WnJISldLRDdSMWJC/regular/information
- Virus-total Analysis: https://www.virustotal.com/gui/file/d992dfaae467cf4acfc29262e0449e4736a98d6ed9dd4f3f42faa700e3f16d43/detection
Sandbox analysis of this JavaScript:
- Hybrid Analysis:
- Cuckoo analysis:
For a more detailed technical explanation, see the GitHub link: Github-Lnkr
IOCs Observed in this campaign
List of IPs observed in this campaign:
List of domains observed in this campaign:
For other IOCs observed so far in Lnkr activity, see: Lnkr – Indication of Compromise [ IOCs ]
Can we get rid of Lnkr?
Blocking the attack isn't easy either, as the attackers use generic S3 bucket names along with rotating C2 domain names and IP addresses spread across multiple hosting providers, so a static blocklist goes stale quickly.
How to protect yourself from malicious extensions?
- Use fewer extensions; install only the ones you actually need.
- Remove extensions you no longer use, since an unused extension is a potential future security risk.
- Always keep your extensions updated.
- Before installing any extension, try to establish that it is legitimate: look at the developer's reputation and the reviews. The newer an extension, the less track record it has and the more dangerous it can be; if you cannot establish that it is legitimate, wait until the browser itself adds such a feature in a future release.
- Before installing an extension, review the permissions it requests. Make sure it only needs the browser access its function requires, and that it is not given access to your files or to every site you visit.
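The last point is easier to act on with a checklist than by eye, so here is an added example (my own code, not the post's and not a Chrome tool) that reviews an extension's manifest.json and reports what it can do. The risk ratings are my own judgement of what each Chrome permission allows; the two manifests are constructed for illustration and do not describe real extensions.

```javascript
// Added example, not the post's code. The risk ratings are my own judgement of
// what each Chrome permission lets an extension do; they are not a Chrome rule.
const HIGH_RISK = {
  webRequest: "observe the browser's HTTP traffic",
  webRequestBlocking: "modify or block the browser's HTTP traffic",
  nativeMessaging: "talk to a native program outside the browser",
  debugger: "attach to tabs and run code through the DevTools protocol",
  proxy: "route all traffic through a proxy of its choosing",
  scripting: "inject scripts into pages it has host access to",
};
const MEDIUM_RISK = {
  tabs: "read the URL and title of every open tab",
  history: "read browsing history",
  cookies: "read and set cookies on permitted sites",
  clipboardRead: "read the clipboard",
  downloads: "start and manage downloads",
};
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// A host pattern is "broad" when it matches every site: <all_urls> or a
// match pattern whose host part is a bare "*" (e.g. "*://*/*").
function isBroadHost(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]+)\/.*$/.exec(pattern);
  return m !== null && m[2] === "*";
}

function isHostPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

// Review a parsed manifest.json (MV2 or MV3) and return what the extension can do.
function reviewManifest(manifest) {
  const findings = [];
  const declared = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  const apiPerms = declared.filter((p) => !isHostPattern(p));
  // Host access can be declared in three places; collect all of them.
  const hosts = new Set([
    ...declared.filter(isHostPattern),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ]);

  for (const p of apiPerms) {
    if (has(HIGH_RISK, p)) findings.push({ level: "high", item: p, can: HIGH_RISK[p] });
    else if (has(MEDIUM_RISK, p)) findings.push({ level: "medium", item: p, can: MEDIUM_RISK[p] });
  }
  for (const h of hosts) {
    if (isBroadHost(h)) findings.push({ level: "high", item: h, can: "read and modify every site you visit" });
  }
  // A content script that matches every site is exactly the capability the post
  // describes: injecting JavaScript into whatever pages the user browses.
  const injectsEverywhere = (manifest.content_scripts || []).some((cs) =>
    (cs.matches || []).some(isBroadHost)
  );
  const verdict = findings.some((f) => f.level === "high") ? "high"
    : findings.some((f) => f.level === "medium") ? "medium" : "low";
  return { name: manifest.name, verdict, injectsEverywhere, findings };
}

// Constructed manifests for illustration; they do not describe real extensions.
const MINIMAL_MANIFEST = {
  name: "Tab Note (constructed)",
  manifest_version: 3,
  permissions: ["activeTab", "storage"],
};
const OVERREACHING_MANIFEST = {
  name: "Page Helper (constructed)",
  manifest_version: 3,
  permissions: ["tabs", "webRequest", "nativeMessaging"],
  host_permissions: ["*://*/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(reviewManifest(MINIMAL_MANIFEST));
  console.log(reviewManifest(OVERREACHING_MANIFEST));
}
```

A "high" verdict is a prompt to compare the request with the extension's stated purpose, not an automatic rejection: an ad blocker legitimately needs to see every page, whereas a note-taking extension that asks for a content script on every site plus nativeMessaging has no business doing so. Chrome's extensions page shows the same permissions before installation; the point of the script is that you can run it over a manifest you have unpacked before trusting it.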
I’ve installed a malicious browser extension. How can I remove it?
- Click the three dots at the top right corner of the Chrome window
- Click 'More Tools'
- Select 'Extensions'
- Locate the extension you want to remove
- Click Remove and confirm
To get rid of malware or adware, please visit my previous post at:
Tell us how you liked this knowledge share. Please stay tuned with us for more cyber stuff !