Home > Cyber News > Droidclub Botnet Infiltrates Machines Via Google Chrome Extensions

Droidclub Botnet Infiltrates Machines Via Google Chrome Extensions

Droidclub Botnet image

A new security report indicates that the newly discovered DroidClub Botnet infects targets via malware Google Chrome extensions. According to the analysis the virus has already managed to infect more than half a million users worldwide through multiple instances that are active on the official plugin repository hosted by Google. The infections lead to devastating consequences, continue reading to find out more about the nature of the threat and how you can protect yourself from incoming attacks.

The Droidclub Botnet Attacks Spread Through Google Chrome Malware Extensions

Another day and another malware attack has been reported. We have just received reports of a new worldwide threat called the Droidclub Botnet that is rapidly being distributed to targets worldwide. The large-scale campaigns have managed to infect around half a million computer users in a short period which makes it among the most deadly infections in the past few weeks. At the moment the primary method relies on distributing malware plugins for Google Chrome. This is a tactic that is widely used for simpler redirect sites where the code can be made compatible for other applications as well: Mozilla Firefox, Safari, Opera, Internet Explorer and Microsoft Edge for example. The criminals behind the attack use counterfeit developer identities and fake user reviews in order to boost the popularity of the entries.

The security report reveals that at the moment there are a total of 89 separate entries found on the official Chrome Web Store. Google is actively removing them as they are reported however newer variants can be easily created by the criminal group. The known command and control servers are also being denied access by the Cloudflare content delivery network.

Various techniques can be used to redirect the users to the browser extensions. The criminals may opt to send email spam messages that utilize social engineering tactics:

  • Hyperlinks — The hackers can embed links in the messages that coerce the victims into installing the malware plugins.
  • File Attachments — The malware plugin setup files can be directly embedded as file attachments.
  • Counterfeit Document Scripts — The criminals can opt to send malware documents of various types (rich text documents, spreadsheets and presentations) that contain malware scripts. Once they are opened by the intended targets a notification prompt appears which asks the victims to enable the built-in commands. If this is done the malware is installed automatically.
  • Malware Software Installers — This type of infections rely on software installers that are modified to include the Droidclub botnet code.

One of the major browser plugins that were found to be part of the distribution scheme is the Croissant French Toast extension — click here to learn how to remove it.

Related Story: The Hide ’n Seek IoT Botnet Uses P2P to Target Devices

Droidclub Botnet Infection Behavior

Once the Droidclub botnet is installed in the Google Chrome browser it starts to communicate with the predefined command and control (C&C) servers to receive the latest malware configuration settings. It then proceeds by injecting special scripts in the viewed pages. It can be used to institute various surveillance technologies to gather data from the victims. There are two main types of data that can be hijacked by the hackers:

  • Anonymous Metrics — This type of information is composed mainly of data that is used by the operators to rate how effective the campaign is. Example of the harvested data includes hardware components, operating system version, regional settings and web browser configuration settings.
  • Personally-identifiable Information — The criminals automatically acquire a detailed set of the victim’s data that can directly expose them. This includes their names, preferences, address, telephone number, account credentials and passwords.

As the Droidclub botnet automatically injects code into the active web pages they can also spy on all user interactions. The security analysts report that new tabs and pop-ups are also displayed that display ads and banners that generate income for the hacker operators. They can be used to redirect the victims to sites that host malware and other viruses.

A dangerous is also instituted which generates income for the hacker operators. The current versions utilize the Coinhive Monero miner.

Consequences of the Droidclub Botnet Infections

The redirect code and cryptocurrency miners represent only a small part of the possible malware outcome. The criminals can utilize the virus to boost traffic to malware or sponsor sites. During the initial intrusion the configuration file can vary according to the users and certain set variables such as their location. One of the reasons why the information gathering module is started and a complete profile of the victim users is created is to optimize the advertising content delivery. The criminals can also take advantage of the web scripts by automatically hijacking form data as it is entered by the victims. As a result the criminals can intercept their banking card data if any online payments are made.

The Droidclub botnet is capable of installing exploit kits as well. They test the computer for various vulnerabilities and if any are found can institute other viruses. This includes both ransomware strains that encrypt sensitive information and blackmail the victims for a decryption fee, as well as Trojans that allow the controllers to spy on the victims in real time. Using such tactics the hackers can overtake control of the machines at any given time.

Similar infections can be used to recruit the compromised hosts into worldwide botnet networks. They are used to launch distributed denial of service attacks against high-profile targets. Depending on the case they can be used by the hackers or loaned to others for a fee.

An interesting feature of the malware code is the fact that it is installed using a persistent state of execution. If the plugin detects that the users want to delete it they are automatically redirected to the extension’s introduction page. This tactic is used to manipulate the victim into thinking that they have removed the plugin while at the same time it remains active.

We highly recommend that all computers users scan their system for active infections using a quality anti-spyware solution.


Malware Removal Tool

Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree