While monitoring the latest Threat Intelligence and InfoSec news articles I came across an excellent article posted on April 17th, 2018 by the company “AdGuard”, linked here. I determined a method of detection based on this campaign's unique use of hashes stored in a .txt file for domain comparisons. Specifically, many of those hashes are reused across 28 different plugins I had originally identified manually through the Chrome Extension website crx.dam.io. For my detection method to work I had to download 550GB worth of data from the website so I could parse it automatically with a program that searches zip files for the presence of any of the sample hashes from the .txt file.
It took quite a while to find the best method of downloading this much data and this many links in a single run. After multiple tries with different programs I determined the best tool was wget2, which allowed me to download from the website in multiple threads and sped up the download considerably. The other methods failed for reasons ranging from insufficient system memory to crashes and segfaults within the programs.
Once I did manage to get the data downloaded, and after trying multiple programs to parse this much data (with similar issues to the above), I was finally able to search it. A program named “FileSeek” turned out to be the best option based on my tests. It took a few days, because I had to store the data on spinning disk in a DAS, but when it was complete I was surprised by the number of unique plugins that had been used in this campaign.
To view the raw data, please visit the following Google Docs page, which shows all of the details for each individual plugin:
Being the skeptic I am, I didn't believe at first that there could possibly have been 50 malicious plugins or 133 malicious versions in this campaign. So I started digging through the results and eventually verified that each and every result contained not only the malicious code but also the .txt file with the list of lookup hashes inside the plugin itself.
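The two checks described above, as an added example that is not code from the original post or from any of the tools it names: scanning an extension archive for hash strings that match a known lookup list, and the dictionary step that turns an MD5 domain list back into domain names (the same idea behind the decrypted domain list later in the post). The archive, the watchlist domains and the hashes below are constructed sample values, and the archive is assumed to be a plain zip.

```python
import hashlib
import io
import re
import zipfile

# Constructed sample values (not from the original post): a short candidate
# domain list and the md5 hashes a matching plugin would carry in its .txt file.
WATCHLIST_DOMAINS = ["example.com", "bank.example", "mail.example.org"]
KNOWN_HASHES = {hashlib.md5(d.encode()).hexdigest() for d in WATCHLIST_DOMAINS[:2]}
MD5_RE = re.compile(rb"\b[0-9a-f]{32}\b")  # 32 lowercase hex chars = one md5


def build_sample_extension():
    """Constructed stand-in for a downloaded extension archive (plain zip assumed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", '{"name": "sample", "version": "1.0"}')
        z.writestr("lookup.txt", "\n".join(sorted(KNOWN_HASHES)) + "\n")
    return buf.getvalue()


def scan_archive(data, known):
    """Return {member name: {matching hashes}} for every member that contains
    at least one hash from the known list; an empty dict means no match."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            content = z.read(info).lower()  # hashes may be stored upper-case
            found = {m.decode() for m in MD5_RE.findall(content)} & known
            if found:
                hits[info.filename] = found
    return hits


def recover_domains(hashes, candidates):
    """Map md5 hashes back to domains by hashing a candidate list (dictionary lookup).
    Hashes with no candidate stay unresolved and are simply left out."""
    table = {hashlib.md5(d.encode()).hexdigest(): d for d in candidates}
    return {h: table[h] for h in hashes if h in table}


if __name__ == "__main__":
    hits = scan_archive(build_sample_extension(), KNOWN_HASHES)
    for member, found in hits.items():
        print(member, recover_domains(found, WATCHLIST_DOMAINS))
```

Pointing `scan_archive` at every downloaded archive and keeping the non-empty results gives the same list of matching plugins that FileSeek produced, without any manual searching.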
It is worth noting that OSINT on the domain itself pulled up some interesting results. While nothing conclusively links the domain registrant with any advanced threat actor, one of the domains registered by the threat actor behind these plugins did appear in the following ThreatConnect report, titled “What’s in a Name… Server?”, as an “Additional Shady Domain”. I would rate the link to that threat intelligence report as low to medium-low at best. It is interesting, however, that this report specifically concerns the DNC breach and the OSINT available on APT 28/APT 29 and their TTPs during the breach itself.
List of 19,000 decrypted domains from the MD5 list in the .txt file, which the plugins use for lookups to determine which domains to spy on: