Here is a comparison of visiting with and without the fake Evernote extension.
#EVERNOTE CHROME EXTENSION SERIES#
When visiting webpages, you'll get a series of annoying advertisements, all leading to potentially more unwanted programs and offers. The content script is guaranteed to be loaded into every web page using the extension manifest (manifest.json). The extension uses a content script to run in the context of the web pages a user browses. When clicking this button with the fake extension installed, nothing happens, whereas normally the user is met with an Evernote log in screen. Chrome believes the real extension is installed, as verified by the Launch App button. When taking a look at the Chrome extensions page, we can see the extension installed there with the ID "lbfehkoinhhcknnbdgnnmjhiladcgbol," just like the real Evernote Web extension.Ĭlicking "Visit website" directs the user to the chrome webstore page for the actual Evernote Web extension. The extension that's installed is called "Evernote Web," just like the real extension from.
#EVERNOTE CHROME EXTENSION WINDOWS 7#
The picture shows these files installed in Chrome's extension directory on a Windows 7 PC.įor Google Chrome, the installation of the web extension is achieved by updating the "Preferences" file, which is a json-formatted file used to configure Chrome user preferences. The extension takes the form of three obfuscated JavaScript files and one HTML file. When you execute the PUP, it silently installs a web extension for the Google Chrome, Torch, and Comodo Dragon browsers. Fellow researchers can find the link to this sample on VirusTotal here.Ī quick look shows the PUP is digitally signed by "Open Source Developer, Sergei Ivanovich Drozdov", although the certificate has since been revoked by the issuer. This serves as another reminder that you can't always trust a program just because it's digitally signed. Recently a Malwarebytes researcher informed me of a Multiplug PUP that installs a fake Evernote browser extension.
0 kommentar(er)
