Hackers Replace MEGA Chrome Extension with Trojanized Version

Users of the Mega.nz file hosting and sharing service were targeted through a supply chain attack in which hackers replaced the company’s official Chrome extension with a malicious version.

The attack happened Sept. 4 at 14:30 UTC (10:30 a.m. EST), when MEGA’s Chrome extension was updated to version 3.39.4 on the Google Chrome Web Store. The update was not pushed by MEGA itself, but by hackers, and the new version contained code designed to steal people’s login credentials on various websites, including amazon.com, live.com, github.com, google.com, myetherwallet.com, mymonero.com and idex.market.

DevOps Connect:DevSecOps @ RSAC 2022

Because Chrome automatically updates installed extensions, the malicious version likely propagated to many existing users. However, to steal credentials, hackers had to change the extension’s permissions, causing it to be automatically disabled in Chrome until users agreed to the changes.

“You are only affected if you had the MEGA Chrome extension installed at the time of the incident, autoupdate enabled and you accepted the additional permission, or if you freshly installed version 3.39.4,” MEGA said in a blog post. “Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.”

The trojanized version was present in the Chrome Web Store for four hours until the attack was discovered and MEGA uploaded a clean version—3.39.5. Users who only access the service directly through https://mega.nz and don’t use the Chrome extension were not affected.

The company’s MEGAsync application, its browser extension for Mozilla Firefox and its mobile apps were also not affected because they are digitally signed.

“MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible,” the company said. “Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise.”

MEGA is still investigating how attackers gained access to its Chrome Web Store account, but this is only the latest in a long string of software supply chain attacks that affected software developers over the past few years.

Since it’s now more difficult to exploit vulnerabilities in browsers and browser plug-ins due to software hardening, hackers have shifted their focus to compromising legitimate download servers and software development infrastructure to deliver malware.

Malware Exploits Windows Zero-Day Flaw in Task Scheduler

Malware used by an APT group called PowerPool exploits a currently unpatched privilege escalation vulnerability in the Windows Task Scheduler that was disclosed last week.

The malware was found by security researchers from antivirus ESET and evidence shows that the hacker group started using the zero-day exploit only two days after it was made public. This highlights how little time companies have nowadays to deploy defenses after new vulnerabilities appear.

“This group has a small number of victims and according to both our telemetry and uploads to VirusTotal (we only considered manual uploads from the web interface), the targeted countries include Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States and Ukraine,” the ESET researchers said in a blog post.

ESET calls the group PowerPool because of its heavy use of malicious PowerShell scripts and open source tools for lateral movement.

The zero-day exploit released last week affects the Windows Task Scheduler and allows attackers to replace the contents of any files executed through a scheduled task. By targeting files executed with administrative privileges, attackers can gain full control over a system.

PowerPool’s first-stage malware uses the exploit to overwrite the contents of C:Program Files (x86)GoogleUpdateGoogleUpdate.exe, a legitimate updater for Google applications that’s regularly executed with administrative privileges through a scheduled task.

PowerPool typically uses spear-phishing emails with malicious attachments to infect victims’ computers with a first-stage backdoor that’s used for reconnaissance. This backdoor installs a second-stage malware program that has more functionality including the ability to execute shell commands, kill running processes and download or upload files.

While Microsoft hasn’t yet released a patch for this vulnerability, there is an unofficial micropatch developed by security firm ACROS Security. The CERT/CC advisory also includes some manual mitigation instructions.

“This specific campaign targets a limited number of users, but don’t be fooled by that: it shows that cybercriminals also follow the news and work on employing exploits as soon as they are publicly available,” the ESET researchers warned.

Lucian Constantin

Featured eBook
The State of Cloud Native Security 2020

The State of Cloud Native Security 2020

The first annual State of Cloud Native Security report examines the practices, tools and technologies innovative companies are using to manage cloud environments and drive cloud native development. Based on a survey of 3,000 cloud architecture, InfoSec and DevOps professionals across five countries, the report surfaces insights from a proprietary set of well-analyzed data. This ... Read More
Palo Alto Networks

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin

One thought on “Hackers Replace MEGA Chrome Extension with Trojanized Version

Comments are closed.