ledger_发现针对Ledger，Trezor，MEW，Metamask等用户的虚假浏览器扩展

本文主要是介绍ledger_发现针对Ledger，Trezor，MEW，Metamask等用户的虚假浏览器扩展，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

ledger

动机和目的 (Motivation and Purpose)

We keep an eye on the type of attacks that come to cryptocurrency users on a daily basis and often write about our findings to help educate the community. We’ve seen various types of attacks on users, ranging from simple trust-trading scams to SIM hijacking to compromising and stealing funds from exchange accounts.

我们会密切关注加密货币用户每天遭受的攻击类型，并经常写下我们的发现以帮助教育社区。我们已经看到了对用户的各种类型的攻击，从简单的信任交易骗局到SIM卡劫持，再到从交易帐户中窃取和窃取资金，不一而足。

Image for post — An example of a malicious extension being delivered via Google Ads

Recently, we’ve come across big campaigns pushing fake browser extensions to users and targeting well-known brands via Google Ads and other channels. Whilst this is not a new attack vector — and we’ve written about malicious browser extensions before — the brands targeted are new.

最近，我们遇到了一些大型活动，这些活动向用户推销假冒的浏览器扩展，并通过Google Ads和其他渠道定位知名品牌。尽管这不是新的攻击手段，而且我们之前已经写过有关恶意浏览器扩展的文章，但目标品牌是新的。

The goals of the research are:

研究的目标是：

Educate “everyday-users” on what the different attack vectors are
教育“日常用户”了解不同的攻击媒介
Report on big campaigns to make people aware
报告大型运动以使人们意识到
Give “everyday-users” real-life examples of attacks so they are more likely to enforce security controls on their assets
提供“日常用户”攻击的真实示例，使他们更有可能对其资产实施安全控制
Help shut down scam campaign infrastructure
帮助关闭欺诈活动基础设施
Gather intelligence to feed into custom tools to help detection before victims are made
收集情报以输入定制工具中，以帮助在受害者遇难之前进行检测

总览 (Overview)

We have found a range of extensions targeting brands and cryptocurrency users. Whilst the extensions all function the same, the branding is different depending on the user they are targeting. The brands we’ve found targeted with malicious extensions are:

我们发现了一系列针对品牌和加密货币用户的扩展。扩展名的功能相同，而品牌根据目标用户的不同而不同。我们发现与恶意扩展有关的品牌是：

Ledger <https://www.ledger.com/>
分类帐<https://www.ledger.com/>
Trezor <https://trezor.io/>
Trezor <https://trezor.io/>
Jaxx <https://jaxx.io/>
Jaxx <https://jaxx.io/>
Electrum <https://electrum.org/>
Electrum <https://electrum.org/>
MyEtherWallet <https://myetherwallet.com>
MyEtherWallet <https://myetherwallet.com>
MetaMask <https://metamask.io>
MetaMask <https://metamask.io>
Exodus <https://www.exodus.io/>
出埃及记<https://www.exodus.io/>
KeepKey <https://shapeshift.io/keepkey/>
KeepKey <https://shapeshift.io/keepkey/>

Essentially, the extensions are phishing for secrets — mnemonic phrases, private keys, and keystore files. Once the user has entered them, the extension sends an HTTP POST request to its backend, where the bad actors receive the secrets and empty the accounts.

本质上，扩展名是网络钓鱼的秘密-助记词，私钥和密钥库文件。用户输入密码后，扩展程序将向其后端发送HTTP POST请求，不良行为者将在此接收秘密并清空帐户。

We’ve identified 14 unique C2s (also known as a command & control server that continues to communicate with your compromised system) but by using fingerprinting analysis, we can link specific C2s to each other to conclude which of the phishing kits have the same bad actor(s) behind them. Some kits sent the phished data back to a GoogleDocs form. However, most hosted their own backend with custom PHP scripts. The C2s identified are:

我们已经确定了14个独特的C2 (也称为继续与受感染系统通信的命令和控制服务器)，但是通过使用指纹分析，我们可以将特定的C2相互链接，以得出哪些网络钓鱼工具包具有相同的弊端他们背后的演员。一些工具包将诱骗的数据发送回GoogleDocs表单。但是，大多数使用自定义PHP脚本托管了自己的后端。确定的C2为：

analytics-server296.xyz
analytics-server296.xyz
coinomibeta.online
共同在线
completssl.com
completssl.com
cxext.org
cxext.org
ledger.productions
分类帐
ledgerwallet.xyz
ledgerwallet.xyz
mecxanalytic.co
mecxanalytic.co
networkforworking.com
networkforworking.com
trxsecuredapi.co
trxsecuredapi.co
usermetrica.org
usermetrica.org
walletbalance.org
walletbalance.org
ledgers.tech
分类帐
vh368451.eurodir.ru
vh368451.eurodir.ru
xrpclaim.net
xrpclaim.net

Whilst some of the domains are relatively old, 80% of the C2s were registered in March and April 2020 (an even split). The oldest domain (ledger.productions) has the most “connections” to other C2s in terms of fingerprints, so we have some indication of the same backend kit (or same actors behind this) for the majority of the extensions.

尽管某些域相对较旧，但80％的C2在2020年3月和2020年4月进行了注册(均分)。就指纹而言，最旧的域(ledger.productions)与其他C2的“连接”最多，因此对于大多数扩展，我们都有一些迹象表明相同的后端工具包(或背后的参与者)。

We’ve also inspected some of the other C2s for common log files, and whilst most of them did not have them available on the web root, some issuing 403’s, there was one that belonged to trxsecuredapi.co that gave some small insight (if we take it all at face value):

我们还检查了其他一些C2的常见日志文件，尽管其中大多数C2在Web根目录上均不可用，但有些发行了403，但trxsecuredapi.co的其中一个提供了一些小建议 (如果我们以面值计)：

The server used for this C2 is trxsqdmn
用于此C2的服务器是trxsqdmn
The admin email follows this mask: “b — 0@r — r.ru” — potentially indicating Russia-based actors
管理员电子邮件使用以下掩码：“ b — 0 @ r – r.ru” —可能表示俄罗斯演员
The first log was 29-Mar-2020 10:43:14 America/New_York
第一个日志是2020年3月29日10:43:14美国/纽约
The C2 hosts files other than those to collect the phished secrets
C2托管除收集恶意信息外的其他文件

Below is a video of how a malicious extension targeting MyEtherWallet users works. It looks the same as your typical MyEtherWallet experience until you type in your secrets. After you’ve submitted them, the malicious application sends your secrets back to the server controlled by the bad actor(s) before sending you back to the default view, and then does nothing, resulting in either:

以下是有关针对MyEtherWallet用户的恶意扩展如何工作的视频。除非您输入秘密，否则它看起来与典型的MyEtherWallet体验相同。提交它们之后，恶意应用程序会将您的秘密发送回由不良行为者控制的服务器，然后再将您发送回默认视图，然后什么也不做，结果是：

A user getting frustrated and submitting secrets again (maybe even different ones)
用户感到沮丧并再次提交秘密(甚至可能是不同的秘密)
A user uninstalling the extension and forgetting about the ramifications of typing their secrets until their wallet is drained of funds — which most likely will be after the extension is removed from the store so they cannot investigate where their security hole was.
用户卸载扩展程序而忘记了输入密码直到钱包里的钱用尽的后果，这很可能是在将扩展程序从商店中取出后使他们无法调查其安全漏洞的位置。

Some of the extensions have had a network of fake users rate the app with 5 stars and give positive feedback on the extension to entice a user to download it. Most of the positive feedback by bad actors were low quality, such as “good,” “helpful app,” or “legit extension.” One extension did stand out by having the same “copypasta” around 8 times, authored by different users, sharing an introduction into what Bitcoin is and explaining why the [malicious] MyEtherWallet was their preferred browser extension (Note: MEW doesn’t support Bitcoin).

有些扩展程序具有虚假用户网络，该应用程序对应用程序评分为5星，并对该扩展程序给出正面反馈，以诱使用户下载该应用程序。不良行为者的大多数正面反馈都是低质量的，例如“好”，“有用的应用”或“合法扩展”。一个扩展确实引人注目，它具有大约8次由不同用户编写的相同“ copypasta”，由不同用户编写的内容，对比特币的介绍，并解释了为什么[恶意] MyEtherWallet是他们首选的浏览器扩展(注意：MEW不支持比特币) )。

There was also a network of vigilant users who wrote legitimate reviews about the extensions being malicious — however, it is hard to say if they were victims of the phishing scams themselves, or just helping the community to not download.

还有一个由警惕的用户组成的网络，他们对扩展的恶意性进行了合法的评论-但是，很难说他们是网络钓鱼诈骗的受害者，还是只是帮助社区不下载。

Google Webstore has a report section and with our reports and with the assistance of PhishFort, we’ve had the extensions removed within 24 hours.

Google Webstore有一个报告部分，在PhishFort的帮助下，借助我们的报告，我们已在24小时内删除了这些扩展程序。

An analysis from our dataset suggests the malicious extensions started to hit the store slowly in February 2020, increased releases through March 2020, and then rapidly released more extensions in April 2020.

来自我们的数据集的分析表明，恶意扩展在2020年2月开始缓慢进入商店，到2020年3月增加了版本，然后在2020年4月Swift发布了更多扩展。

February 2020: 2.04% were published in this month from our dataset
2020年2月：本月从我们的数据集中发布了2.04％
March 2020: 34.69% were published in this month from our dataset
2020年3月：本月从我们的数据集中发布了34.69％
April 2020: 63.26% were published in this month from our dataset
2020年4月：本月从我们的数据集中发布了63.26％

This means that either our detection is getting much better, or that the number of malicious extensions hitting browser stores to target cryptocurrency users is growing exponentially.

这意味着要么我们的检测变得越来越好，要么以浏览器商店为目标的加密货币用户的恶意扩展的数量呈指数增长 。

An analysis from our dataset suggests Ledger is the most targeted brand — without speculating, it’s hard to say why.

来自我们的数据集的分析表明，Ledger是最具针对性的品牌-无需猜测，很难说为什么。

Ledger — 57% of malicious browser extensions in our dataset
分类帐 -我们数据集中恶意浏览器扩展的57％
MyEtherWallet — 22% of malicious browser extensions in our dataset
MyEtherWallet-我们数据集中恶意浏览器扩展的22％
Trezor — 8% of malicious browser extensions in our dataset
Trezor-数据集中恶意浏览器扩展的8％
Electrum — 4% of malicious browser extensions in our dataset
Electrum-我们数据集中恶意浏览器扩展的4％
KeepKey — 4% of malicious browser extensions in our dataset
KeepKey-我们数据集中恶意浏览器扩展的4％
Jaxx — 2% of malicious browser extensions in our dataset
Jaxx-我们数据集中恶意浏览器扩展的2％

被盗的资金去了哪里？ (Where did the stolen funds go?)

We’ve sent funds to a few addresses and submitted the secrets to the malicious extensions. However, they were not automatically swept. This could be for a couple of reasons:

我们已经将资金发送到了几个地址，并将机密提交给了恶意扩展。但是，它们并没有自动被清除。这可能有两个原因：

The bad actors are only interested in high-value accounts
不良行为者只对高价值帐户感兴趣
The bad actors have to manually sweep accounts
不良行为者必须手动清除帐户

Even though our addresses weren’t swept, there have been public reports from users about losing funds to malicious browser extensions:

即使我们的地址没有被清除，也有用户公开报告称由于恶意浏览器扩展而损失资金：

https://support.google.com/chrome/thread/39247659?hl=en
https://support.google.com/chrome/thread/39247659?hl=zh_CN
https://redd.it/fws38m
https://redd.it/fws38m
https://forum.toshitimes.com/t/metamask-got-hacked/12767/3
https://forum.toshitimes.com/t/metamask-got-hacked/12767/3

If you suspect you have become a victim of a malicious browser extension, please file a report at https://cryptoscamdb.org/report/.

如果您怀疑自己已成为恶意浏览器扩展的受害者，请通过https://cryptoscamdb.org/report/提交报告。

我如何保持安全？ (How can I stay safe?)

Whilst there are many different attack vectors for everyday cryptocurrency users that are not limited to malicious browser extensions, the following will be addressing only the malicious browser extensions.

尽管日常加密货币用户有许多不同的攻击媒介，但不仅限于恶意浏览器扩展，以下将仅针对恶意浏览器扩展。

I am an everyday user of cryptocurrency.

我每天都是加密货币的用户。

Familiarize yourself with what permissions each of your browser extensions have by going to chrome://extensions/ and clicking on the “Details” tab for each extension.
前往chrome://extensions/ ，然后单击每个扩展的“详细信息”标签，以熟悉每个浏览器扩展的权限。
Understand the risks associated with each permission.
了解与每个许可相关的风险。
Consider removing the extension if it has permissions that you feel are out of scope of the extension use.
如果扩展名的权限超出了扩展名的使用范围，请考虑删除该扩展名。
Limit extensions to only execute on certain domains or when you click the extension icon in the top right corner of your browser.
将扩展名限制为仅在某些域上执行或单击浏览器右上角的扩展名图标。
READ: A fake anti-cryptominer targeting MyEtherWallet[.]com and Blockchain[.]com domains — https://medium.com/mycrypto/hunting-huobi-scams-662256d76720.
阅读：针对MyEtherWallet [。] com和Blockchain [。] com域的伪造的反加密货币— https://medium.com/mycrypto/hunting-huobi-scams-662256d76720 。
READ: A fake cashback extension targeting popular cryptocurrency exchanges — https://medium.com/mycrypto/the-dangers-of-malicious-browser-extensions-ef9c10f0128f.
阅读：针对流行的加密货币交易所的假现金返还扩展— https://medium.com/mycrypto/the-dangers-of-malicious-browser-extensions-ef9c10f0128f 。
Consider creating a separate browser user that you use solely for cryptocurrency data — this will limit any attack surface scope, and a separation of concerns (personal and cryptocurrency profiles), increasing the privacy related to your cryptocurrency profile.
考虑创建一个单独的浏览器用户，您只能将其用于加密货币数据，这将限制任何攻击面的范围，并将关注点分离(个人和加密货币配置文件)，从而增加了与加密货币配置文件相关的隐私。

I am a team/company providing a solution to everyday users.

我是为日常用户提供解决方案的团队/公司。

Consider monitoring the browser extension stores if your product meets the criteria we’ve seen targeted — by using either in-house monitoring or partnering with a third-party that will investigate and take down these extensions on your behalf.
如果您的产品符合我们的预期目标，请考虑监视浏览器扩展商店-通过使用内部监视或与第三方合作，第三方将代表您调查和删除这些扩展。
Remind and enforce users to stay safe with their secrets.
提醒并强制用户保持机密安全。
Deprecate the use of raw secrets (mnemonic phrases, keystore files, private keys) with your product and promote other signing mechanisms.
禁止在产品中使用原始机密(助记词，密钥库文件，私钥)，并推广其他签名机制。
Create a public list of all your products and links so users have a reliable source of trusted information.
创建所有产品和链接的公共列表，以便用户获得可靠信息的可靠来源。

IOCS (IOCS)

Extension IDs:

扩展ID：

afephhbbcdlgdehhddfnehfndnkfbgnm
agfjbfkpehcnceblmdahjaejpnnnkjdn
ahikdohkiedoomaklnohgdnmfcmbabcn
ahlfiinafajfmciaajgophipcfholmeh
akglkgdiggmkilkhejagginkngocbpbj
anihmmejabpaocacmeodiapbhpholaom
bhkcgfbaokmhglgipbppoobmoblcomhh
bkanfnnhokogflpnhnbfjdhbjdlgncdi
bpfdhglfmfepjhgnhnmclbfiknjnfblb
bpklfenmjhcjlocdicfadpfppcgojfjp
ckelhijilmmlmnaljmjpigfopkmfkoeh
dbcfhcelmjepboabieglhjejeolaopdl
dbcfokmgampdedgcefjahloodbgakkpl
ddohdfnenhipnhnbbfifknnhaomihcip
dehindejipifeaikcgbkdijgkbjliojc
dkhcmjfipgoapjamnngolidbcakpdhgf
effhjobodhmkbgfpgcdabfnjlnphakhb
egpnofbhgafhbkapdhedimohmainbiio
ehlgimmlmmcocemjadeafmohiplmgmei
epphnioigompfjaknnaokghgcncnjfbe
gbbpilgcdcmfppjkdociebhmcnbfbmod
glmbceclkhkaebcadgmbcjihllcnpmjh
gpffceikmehgifkjjginoibpceadefih
idnelecdpebmbpnmambnpcjogingdfco
ifceimlckdanenfkfoomccpcpemphlbg
ifmkfoeijeemajoodjfoagpbejmmnkhm
igkljanmhbnhedgkmgpkcgpjmociceim
ijhakgidfnlallpobldpbhandllbeobg
ijohicfhndicpnmkaldafhbecijhdikd
jbfponbaiamgjmfpfghcjjhddjdjdpna
jfamimfejiccpbnghhjfcibhkgblmiml
jlaaidmjgpgfkhehcljmeckhlaibgaol
kjnmimfgphmcppjhombdhhegpjphpiol
lfaahmcgahoalphllknbfcckggddoffj
mcbcknmlpfkbpogpnfcimfgdmchchmmg
mciddpldhpdpibckghnaoidpolnmighk
mjbimaghobnkobfefccnnnjedoefbafl
mnbhnjecaofgddbldmppbbdlokappkgk
nicmhgecboifljcnbbjlajbpagmhcclp
njhfmnfcoffkdjbgpannpgifnbgdihkl
noilkpnilphojpjaimfcnldblelgllaa
obcfoaeoidokjbaokikamaljjlpebofe
oejafikjmfmejaafjjkoeejjpdfkdkpc
ogaclpidpghafcnbchgpbigfegdbdikj
opmelhjohnmenjibglddlpmbpbocohck
pbilbjpkfbfbackdcejdmhdfgeldakkn
pcmdfnnipgpilomfclbnjpbdnmbcgjaf
pedokobimilhjemibclahcelgedmkgei
plnlhldekkpgnngfdbdhocnjfplgnekg

C2s:

C2s：

http://ledgerwallet.xyz/api.php
https://v1.ledgers.tech
https://coinomibeta.online/post/connexion.php
https://completssl.com/functions.php
https://completssl.com/ssnd_1.php
https://completssl.com/ssnd_el.php
https://completssl.com/ssnd_ex.php
https://completssl.com/ssnd_t.php
https://cxext.org/6721e14f0257a64f1f0a9114197d59ba/
https://docs.google.com/forms/d/1PXmiKeuYFdNS8D1q5yU1Cb7_9TwZQMbMCTl2PfSYhLI/formResponse
https://docs.google.com/forms/d/e/1FAIpQLSc1DTYAqXYnGTaUH0AIJa-rC2lk7V5nsE6tEdGIKXTKNm36HQ/formResponse
https://docs.google.com/forms/d/e/1FAIpQLScuQg9Rpct1ahMotYT12xBAt3MmcubQg-duV1a0BZ_vo1Tj4g/formResponse
https://ledger.productions/api_v1/
https://mecxanalytic.co/api_keystore.php
https://mecxanalytic.co/api_mnemonic.php
https://mecxanalytic.co/api_private.php
https://trxsecuredapi.co/api_ledger.php
https://usermetrica.org/api_v1/
http://vh368451.eurodir.ru/api/v1/
https://walletbalance.org/api_v1/
ws://analytics-server296.xyz:4367