Avast Provides Further Details of Malicious Browser Extensions

Avast Malicious Extensions Featured

Were you one of the unlucky 3 million users who downloaded malicious browser extensions that were discovered last year? Google and Microsoft shut them down, but the extensions still did some damage. Security firm Avast is providing further details of these browser extensions and what they were up to to update our earlier report.

CacheFlow’s Intensions

These malicious browser extensions were included in a campaign referred to as CacheFlow in late 2020 by Avast. Both Google and Microsoft removed the threats by December 18 after being notified of the dangers.

The CacheFlow extensions tried to hide the command and control traffic using a Cache-Control HTTP header of analytics requests. It’s believed to be a new technique disguised to look like Google Analytics traffic. Along with hiding the malicious directive, Avast believes the authors of the malicious extensions also wanted access to the analytics requests.

Avast Malicious Extensions Hacker

The majority of the downloads of the malicious extensions came from Brazil, Ukraine, and France. Avast first learned of the browser extensions through a Czech blog post following up on one of the extensions and realized it extended further to multiple extensions.

The security firm also realized, after reverse engineering the obfuscated javascript, that along with browser redirection, the hackers were also collecting users’ data, including all their search engine queries.

The hackers were quite crafty to avoid being outed. They were able to avoid infecting users likely to be web developers either through the extensions or by learning whether the user had accessed locally-hosted websites. Additionally, malicious activity was avoided for three days after the download to not alert anyone of the hackers’ true malicious intentions. The extensions would also deactivate if browser developer tools were opened or the user Googled one of the malware’s domains.

Exposing the Browser Extensions

CacheFlow, though, was active for years, since at least 2017. It was silently hiding all that time through its stealth efforts. If you’re interested in learning exactly how CacheFlow worked and how Avast busted it, check out the security firm’s blog post.

Avast Malicious Extensions Laptop

Avast provides this detailed look into CacheFlow because it’s the company’s belief that “understanding how these technologies work will help other malware researchers in discovering and analyzing similar trends in the future.”

It’s for similar reasons that I’m covering this news here. We don’t want anyone to fall victim to this, and the more everyone knows what hackers are capable of, the less they’ll get away with.

Cybercriminals are omnipresent, though. Staying on top of their activities requires constant attention. Take a look at how the work from home trend has led to an increase in cyberattacks and fake collaboration apps.

Laura Tucker Laura Tucker

Laura has spent nearly 20 years writing news, reviews, and op-eds, with more than 10 of those years as an editor as well. She has exclusively used Apple products for the past three decades. In addition to writing and editing at MTE, she also runs the site's sponsored review program.

One comment

  1. “Both Google and Microsoft removed the threats by December 18 ”
    Don’t these companies vet what is placed in their App Stores?! I know that Google doesn’t. Over the past few years, they’ve had to remove thousands of sketchy apps. Sometimes I wonder if software companies allow sketchy apps, plugins and extensions into their App Stores because they get a cut of the ill-gotten proceeds. The attitude seems to be “If the users don’t catch it, we’ll just leave it in place.”

Leave a Comment

Yeah! You've decided to leave a comment. That's fantastic! Check out our comment policy here. Let's have a personal and meaningful conversation.