LetsDefend — SOC202 — FakeGPT Malicious Chrome Extension Investigation Walkthrough

Investigating a Malicious Chrome Extension inside a simulated SOC

Drew Arpino
12 min read · Sep 1, 2024
Image Credit: https://letsdefend.io/

Introduction:

Ever wondered what it’s like to be a Security Operations Center (SOC) analyst or how to approach investigating a malicious Google Chrome extension? If so, you’ve stumbled on the right blog!

Welcome to my weekly walkthrough! This week, we’re taking a break from the usual challenge write-up format to tackle the SOC202 — FakeGPT Malicious Chrome Extension “alert” from LetsDefend.

Why the quotes? Well, in addition to scenario-based challenges, LetsDefend provides realistic alert scenarios in a simulated SOC to provide a hands-on experience with a SOC analyst’s workflow!

In this walkthrough, we’re going to go through the full triage of a simulated alert for a malicious Chrome extension installed onto a victim’s device. The triage process will include:

  • Taking ownership of the alert.
  • Investigating endpoint logs to understand if the file was detected and quarantined by the antimalware solution.
  • Leveraging external threat intelligence for context about the suspicious extension.
  • Hunting through network logs to determine if the extension contacted the command and control server.
  • Documenting discovered artifacts, creating case notes, and closing the alert.

We’ve got a full plate here, so I hope you’re hungry to learn. Let’s get started — thanks for joining me!

Challenge Link: https://app.letsdefend.io/monitoring

Alert Scenario:

Task 1 — We’re on the case:

First thing’s first. Before we can dive into the investigation, we’ll need to assign the SOC202 — FakeGPT Malicious Chrome Extension alert to ourselves and create a case where we manage our workflow, artifacts, and notes.

From the Monitoring > Main Channel tab, let’s take the alert from the “queue” and assign it to ourselves.

Then, from the Monitoring > Investigation Channel we’ll create the case:

Press Continue and we’ll be taken to the Case Management tab where we’ll keep track of our case and initiate the incident response playbook for this event.

Pro Tip: We’ll need to keep the Case Management window open to manage the playbook steps and to answer questions, but you’ll also need access to the various tabs (Log Management, Endpoint Security, etc.) on your dashboard available during the investigation. So, it’s best to open two tabs/windows in your browser so you can keep the case open on one and investigate with the other.

Now that we have the case opened, let’s follow the playbook and start our investigation!

Task 2: Check if the malware is quarantined/cleaned

Okay, once we click “Start Playbook!” we’re jumping right into the investigation, and the first step is to define the Threat Indicator we’re investigating. While we have a couple of pre-made choices to select from, none of them are a good fit, since the indicator that triggered the alert is a suspicious browser extension or potential malware, so we’ll select Other.

Now, following the playbook, the first step we’ll take is to determine whether the malware has been quarantined/cleaned or is currently active. Reviewing the triggered reason, Suspicious extension added to the browser, the action was allowed. From that action alone we might already assume the file wasn’t quarantined. It’s a good start, but it’s always best practice to verify against the available logs.

So, let’s go a bit deeper and dive into data to understand what happened. To do this, we have a couple of logging sources at our disposal: Log Management & Endpoint Security. Since we’re searching for an Antivirus action, let’s focus on the Endpoint Security logs first since that is the place to find endpoint-level malware logging.

But first, let’s refer back to the alert to recall the victim’s hostname and IP address:

Hostname: Samuel & IP Address: 172.16.17.173

Now, we can begin searching the Endpoint Security log for Samuel’s workstation, correlating the events, and looking for any hits that the malicious extension was quarantined by the endpoint’s antimalware solution.

It’s personal preference, but I’m going to change the results display drop-down from 10 to 20 to see all the log entries on one page. I also like to switch the Event Time column to descending (DESC) order — your choice though!

Next, let’s look at the Process Logs. Here we’ll find an event for Google Chrome (chrome.exe) where the suspicious extension (.crx) was opened by the browser, with a timestamp that matches the alert. This establishes a point in time, so we can search for events that occurred after this timestamp.

Finally, let’s focus specifically on events from Microsoft Defender to see if any quarantine action was taken. But how do we know the endpoint is using Microsoft Defender? Notice the event right after the chrome.exe event we looked at earlier. The file path of the executable is a nice hint, but browsing the process names we’ll see MpCmdRun.exe, which is the command-line tool component of Microsoft Defender Antivirus.

So, putting this all together, if we filter the Microsoft Defender process name and look for events after the malware was run, this will help us understand if Defender took any actions against the malicious file.

Based on the command line data, the three entries seem related to signature update jobs and are not quarantine actions. Between the Process events and the allowed action in the alert, we have enough evidence to confirm that the malware was Not Quarantined. Let’s go back to our Case Management tab, select the answer, and move on to the next step in the workflow.
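The triage logic above (anchor on the chrome.exe event that opened the .crx, then look only at MpCmdRun.exe events on the same host after that point, and classify each by its command line) is easy to script once you export the Process Logs. The block below is an added example and is not code from LetsDefend or the original post; the log entries are constructed samples in a simplified layout, the Defender install path is the classic default rather than a value from the alert, and the command-line switches are standard MpCmdRun.exe arguments:

```python
from datetime import datetime

# Constructed endpoint process events in the shape of the Endpoint Security
# Process Logs view. Sample data for this example, not the platform's real entries.
PROCESS_LOGS = [
    {"host": "Samuel", "time": "2023-05-29 08:00:11", "process": "MpCmdRun.exe",
     "cmdline": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1'},
    {"host": "Samuel", "time": "2023-05-29 13:01:00", "process": "chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                r'"C:\Users\Samuel\Downloads\hacfaophiklaeolhnmckojjjjbnappen.crx"'},
    {"host": "Samuel", "time": "2023-05-29 13:01:40", "process": "MpCmdRun.exe",
     "cmdline": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate -MMPC'},
    {"host": "Samuel", "time": "2023-05-29 13:31:40", "process": "MpCmdRun.exe",
     "cmdline": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate'},
    {"host": "Samuel", "time": "2023-05-29 14:01:40", "process": "MpCmdRun.exe",
     "cmdline": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate -MMPC'},
    {"host": "Finance01", "time": "2023-05-29 13:02:00", "process": "MpCmdRun.exe",
     "cmdline": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -Restore -ListAll'},
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, TIME_FMT)


def find_execution(logs, host, artifact):
    """Time of the earliest event on `host` whose command line references the artifact."""
    hits = [e for e in logs
            if e["host"] == host and artifact.lower() in e["cmdline"].lower()]
    if not hits:
        return None
    return min(parse_time(e["time"]) for e in hits)


def classify_mpcmdrun(cmdline: str) -> str:
    """Bucket an MpCmdRun.exe command line by what the switch actually does."""
    c = cmdline.lower()
    if "-signatureupdate" in c:
        return "signature_update"      # definition refresh, not a remediation
    if "-scan" in c:
        return "scan"                  # on-demand scan; may precede a detection
    if "-restore" in c:
        return "quarantine_query"      # lists/restores quarantined items
    return "other"


def defender_activity_after(logs, host, since):
    """MpCmdRun.exe events on `host` strictly after `since`, oldest first."""
    events = [e for e in logs
              if e["host"] == host
              and e["process"].lower() == "mpcmdrun.exe"
              and parse_time(e["time"]) > since]
    events.sort(key=lambda e: parse_time(e["time"]))
    return [{"time": e["time"], "category": classify_mpcmdrun(e["cmdline"])}
            for e in events]


def assess_quarantine(logs, host, artifact):
    """Decide whether the Defender activity after execution shows any remediation."""
    since = find_execution(logs, host, artifact)
    if since is None:
        return {"status": "artifact_not_executed", "defender_events": []}
    activity = defender_activity_after(logs, host, since)
    # Only signature updates after execution means no quarantine evidence here;
    # anything else deserves a manual look before answering the playbook.
    remediation = [a for a in activity if a["category"] != "signature_update"]
    return {
        "executed_at": since.strftime(TIME_FMT),
        "defender_events": activity,
        "status": "not_quarantined" if not remediation else "review_manually",
    }


if __name__ == "__main__":
    result = assess_quarantine(PROCESS_LOGS, "Samuel", "hacfaophiklaeolhnmckojjjjbnappen.crx")
    print(result["status"], result["executed_at"])
    for event in result["defender_events"]:
        print(event["time"], event["category"])
```

Note that the 08:00 scan on Samuel's host is dropped because it predates the chrome.exe event; filtering on the execution timestamp is what keeps unrelated Defender maintenance from being mistaken for a response to this file.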

Task 3: Analyze malware in 3rd party tools and find C2 address

Now that we’ve determined that the suspicious extension was not quarantined by the endpoint’s antimalware solution, we’ll need to analyze it further using the provided tools to determine if it is indeed malicious or not.

The playbook suggests the following web-based services that we can use to gather threat intelligence about the extension:

First, let’s jump back to the Alert in the Monitoring > Investigation Channel so we can copy the File Hash of the malicious extension.

If you aren’t familiar with file hashes, here’s a brief description from Microsoft:

A hash value is a unique value that corresponds to the content of the file. Rather than identifying the contents of a file by its file name, extension, or other designation, a hash assigns a unique value to the contents of a file. File names and extensions can be changed without altering the content of the file, and without changing the hash value. Similarly, the file’s content can be changed without changing the name or extension. However, changing even a single character in the contents of a file changes the hash value of the file.

So, put another way, using the file hash of the suspicious extension in our searches means we’re getting data about the identical, exact file that was installed on Samuel’s workstation, which gives us a high degree of confidence compared to searching by file name or something else that is easy to manipulate.
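To see the property described above in action, the following added example (not code from the original post or from Microsoft) writes a constructed stand-in for an extension archive to a temporary directory, hashes it the way an analyst would hash a downloaded .crx, then renames it and separately flips one byte. The file content is made up for the demonstration and is not the real extension from the alert:

```python
import hashlib
import tempfile
from pathlib import Path


def hash_bytes(data: bytes, algorithms=("sha256", "md5")) -> dict:
    """Hash in-memory content; returns {algorithm: hex digest}."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=("sha256", "md5"), chunk_size=64 * 1024) -> dict:
    """Hash a file on disk in chunks so large archives need not fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def rename_vs_modify() -> dict:
    """Show that renaming keeps the hash while a one-byte edit changes it.

    The content is a constructed stand-in ('Cr24' CRX magic plus filler bytes),
    not the real extension referenced in the alert.
    """
    content = b"Cr24" + bytes(range(256))
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "hacfaophiklaeolhnmckojjjjbnappen.crx"
        original.write_bytes(content)
        before = hash_file(original)

        # New name and extension, identical bytes: hashes must not move.
        renamed = Path(tmp) / "notes.zip"
        original.rename(renamed)
        after_rename = hash_file(renamed)

        # Same name, last byte's low bit flipped: both digests must change.
        tampered = content[:-1] + bytes([content[-1] ^ 0x01])
        renamed.write_bytes(tampered)
        after_modify = hash_file(renamed)

    return {
        "original": before,
        "rename_preserves_hash": before == after_rename,
        "modify_changes_hash": (before["sha256"] != after_modify["sha256"]
                                and before["md5"] != after_modify["md5"]),
    }


if __name__ == "__main__":
    for key, value in rename_vs_modify().items():
        print(key, value)
```

This is also why the case later needs the MD5 as well as the SHA256: both are digests of the same bytes, so either one pins the artifact to the exact file, but different tools and reports index by different algorithms.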

File Name: hacfaophiklaeolhnmckojjjjbnappen.crx

File Hash:
7421f9abe5e618a0d517861f4709df53292a5f137053a227bfb4eb8e152a4669

Let’s start with the first service on the list, ANY.RUN. Here, we can search for that file hash, view previous public submissions, and dive into the analysis results. Let’s check out the result with the closest timestamp to the Event Time (May 29, 2023, 01:01 PM) of the alert.

Scrolling through the screenshots, we’ll get a better idea of what this extension is — a suspicious looking ChatGPT extension.

This finding also matches something we can observe back in Samuel’s Endpoint Security > Browser History logs.

While we’ve gotten some more context, nothing was explicitly flagged as malicious on ANY.RUN so let’s pivot and check out the next service on the list, VirusTotal.

After submitting the file hash to VirusTotal and reviewing the available tabs, we still have no hits indicating concretely that this extension is malicious but what we do have is a comment in the Community tab linking to an external report from Guardio.

This could be a lead! Let’s check out the report.

Reading the post, assessing the screenshots, and reviewing the indicators of compromise (IOCs) listed in the article, nothing seems to match any of the artifacts that we have located so far in the investigation…

But pay close attention to the update note at the top of the article — let’s see what the update has to offer.

Update: March 22, 2023 — Guardio Labs discovered another variant in this FakeGPT campaign, abusing open-source code and yet again hijacking Facebook profiles — read about it here.

Okay! Based on the screenshots in the second report, this variant already looks familiar based on what we observed on Any.Run! Let’s focus on the IOCs listed at the bottom of the article.

https://labs.guard.io/fakegpt-2-open-source-turned-malicious-in-another-variant-of-the-facebook-account-stealer-d00ef9883d61

Now we’re getting somewhere! The Malicious Extension ID matches the one from the alert and now we have some URLs we can hunt for in our Log Management. Since we’ve now located known malicious IOCs that match the artifacts we found on the victim’s system, this confirms that the extension is a malicious, FakeGPT stealer extension.

Task 4: Check if Someone Requested the C2

The next step in our workflow is to determine whether, after the malicious extension was installed, it requested the Command and Control (C2) server address.

To do this, we’re going to use the Log Management module to analyze relevant network traffic from Samuel’s device to see if we can find evidence that it contacted the C2 Server IOC that we found in the Guardio post.

Navigate to the Log Management tab, and toggle from the “Pro” filter to the “Basic” filter:

Then, search for the C2 Server from the IOC list to see if we get any hits in our own logs:

Uh-oh — we have two hits! Recall that Samuel’s source (SRC) IP address is 172.16.17.173 so we know that we’ve found the right entries for his device. Click the first entry to see the Raw Log for more details:

The presence of this DNS query confirms that chrome.exe on Samuel’s device requested the C2 domain that we learned about from the Guardio report. We also have two IP addresses that this domain resolves to — let’s confirm this with VirusTotal:

https://www.virustotal.com/gui/domain/version.chatgpt4google.workers.dev/relations

To be thorough, we can also search for the Landing Page IOCs to gather more artifacts for the investigation:

Okay, now that we’ve investigated the logs and found hits for a Landing Page and the C2 server, let’s register that the C2 was accessed and continue through the workflow.
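The hunt in this task boils down to sweeping the network logs for the Guardio IOCs, restricting to the victim's source IP, and pulling the resolved addresses out of any DNS hits so they can be recorded as artifacts. The block below is an added example, not code from LetsDefend or the original post. The IOC domains and IPs are the ones cited in this walkthrough; the log lines are constructed samples in a simple key=value layout (the platform's raw log format differs), and the benign entries use documentation-range addresses:

```python
import re

# IOCs as cited in this walkthrough (Guardio report and VirusTotal relations).
IOC_DOMAINS = {"version.chatgpt4google.workers.dev", "chatgptforgoogle.pro"}
IOC_IPS = {"104.21.63.166", "172.67.147.243",
           "52.76.101.124", "3.1.17.18", "18.140.6.45"}

# Constructed DNS/HTTP log lines for this example; not the platform's raw logs.
LOG_LINES = [
    "2023-05-29T13:01:52Z type=dns src=172.16.17.173 proc=chrome.exe "
    "query=version.chatgpt4google.workers.dev answers=104.21.63.166,172.67.147.243",
    "2023-05-29T13:01:53Z type=dns src=172.16.17.173 proc=chrome.exe "
    "query=update.example.com answers=203.0.113.10",
    "2023-05-29T13:05:17Z type=http src=172.16.17.173 proc=chrome.exe "
    "host=chatgptforgoogle.pro dst=52.76.101.124 url=/",
    "2023-05-29T13:09:30Z type=dns src=172.16.17.173 proc=chrome.exe "
    "query=version.chatgpt4google.workers.dev answers=172.67.147.243,104.21.63.166",
    "2023-05-29T13:10:02Z type=dns src=172.16.17.88 proc=svchost.exe "
    "query=time.example.net answers=203.0.113.20",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split 'timestamp key=value ...' into a record."""
    ts, _, rest = line.partition(" ")
    rec = {"time": ts}
    rec.update(KV.findall(rest))
    return rec


def domain_matches(name: str, iocs) -> bool:
    """Exact or subdomain match, so a.b.ioc.tld still hits ioc.tld."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)


def ioc_reasons(rec: dict) -> list:
    """Every field in the record that matched an IOC, for the case notes."""
    reasons = []
    for field in ("query", "host"):
        if field in rec and domain_matches(rec[field], IOC_DOMAINS):
            reasons.append(f"{field}={rec[field]}")
    for field in ("dst", "answers"):
        for ip in rec.get(field, "").split(","):
            if ip in IOC_IPS:
                reasons.append(f"{field}:{ip}")
    return reasons


def hunt(lines, src_ip=None) -> list:
    """Return matching records, optionally limited to one source address."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if src_ip and rec.get("src") != src_ip:
            continue
        reasons = ioc_reasons(rec)
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


def resolved_ips(hits, domain: str) -> set:
    """Collect the answers returned for a given IOC domain across all hits."""
    ips = set()
    for h in hits:
        if h.get("query", "").lower() == domain:
            ips.update(h.get("answers", "").split(","))
    return ips


if __name__ == "__main__":
    found = hunt(LOG_LINES, src_ip="172.16.17.173")
    for h in found:
        print(h["time"], h["src"], h["proc"], "; ".join(h["reasons"]))
    print("C2 resolves to:", sorted(resolved_ips(found, "version.chatgpt4google.workers.dev")))
```

Recording the reasons per hit, not just a yes/no, is what lets the later artifact list cite both the C2 domain and the landing page by the field in which each was seen; the resolved-IP set is the same pair the walkthrough confirms against the VirusTotal relations tab.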

Task 5: Containment

Now that we have confirmed that the file is malicious and it was not quarantined by the antimalware, we’ll need to contain Samuel’s device to prevent any further negative impact so that we can remediate the threat.

To do this, we’ll go back to the Endpoint Security tab, search for Samuel, and trigger the containment action.

Task 6: Report and Close the Case

Okay, we’re closing in on the end of the investigation! The next step in the playbook is to recap the evidence, or artifacts, that we discovered on the victim’s system throughout the investigation.

1. The first artifact will be the file hash of the malicious extension. The alert provided the SHA256 file hash, but we need to input the MD5 hash into our case. We can simply look back at the VirusTotal entry for the malicious extension and copy it from there.

9cc6c26bd215549c39ba5b65e9eec9ea

2. Next, we will enter the Chrome Store URL address for the malicious extension. In Task 3, we found this in Samuel’s Browser History and within the Guardio report.

https://chrome.google.com/webstore/detail/chatgpt-for-google/hacfaophiklaeolhnmckojjjjbnappen

3. Next, we’ll enter the C2 Server URL Address and the two DNS-resolved IP Addresses that we discovered in Tasks 3 & 4:

version.chatgpt4google.workers.dev
104.21.63.166
172.67.147.243

4. Finally, we can also add the additional landing pages from the IOC report that we also found with the Log Management data in Task 4. Adding these would reduce the risk of any other user downloading the malicious extension.

chatgptforgoogle.pro
52.76.101.124
3.1.17.18
18.140.6.45

Next, after putting in our list of artifacts, it’s time to input some good Analyst Notes to summarize our findings. These notes will accompany our list of IOCs when we file our case report:

Finally, with our report filed, we can now officially close the alert from the Investigation Channel! Great job tackling this investigation from start to finish — let’s wrap this thing up.

Conclusion:

And there we have it — mission accomplished!

As we wrap up the SOC202 — FakeGPT Malicious Chrome Extension alert, let’s recap what we discovered. Through our investigation of the endpoint logs, we identified a suspicious Chrome extension that was allowed to run. Then, we pivoted to external threat intelligence to provide further context, eventually stumbling on the Guardio report, which confirmed that the extension is malicious. Finally, we hunted for the IOCs from the same report in the network logs, to uncover communication with the command and control server, which confirmed our findings.

Now, you can review your answers in the Closed Alerts tab and review your report from the Case Management tab. Awesome job!

A big thank you to LetsDefend for providing such a cool, in-depth simulation platform. Their platform continues to be a helpful and fun resource for sharpening my cybersecurity skills and staying ready for the next alert. If you found this walkthrough helpful in leveling up your skills or getting you through a tricky challenge, please give it a clap! Your feedback lets me know that I helped you out on your security journey. We’re in this together! Thanks for the support!

Until next week’s challenge — stay curious and be safe out there!

Tools & References:

Microsoft Learn (mpcmdrun.exe): https://learn.microsoft.com/en-us/defender-endpoint/command-line-arguments-microsoft-defender-antivirus

Microsoft Learn (File Hash): https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/get-filehash?view=powershell-7.4#description

Any.Run: https://app.any.run/

Any.Run Task: https://app.any.run/tasks/99055672-d173-4fd6-afc2-7a45c84c3448/

VirusTotal: https://www.virustotal.com/

Guardio “FakeGPT”: New Variant of Fake-ChatGPT Chrome Extension Stealing Facebook Ad Accounts with Thousands of Daily Installs: https://labs.guard.io/fakegpt-new-variant-of-fake-chatgpt-chrome-extension-stealing-facebook-ad-accounts-with-4c9996a8f282

Guardio “FakeGPT” #2: Open-Source Turned Malicious in Another Variant of the Facebook Account-Stealer Chrome Extension: https://labs.guard.io/fakegpt-2-open-source-turned-malicious-in-another-variant-of-the-facebook-account-stealer-d00ef9883d61

MITRE ATT&CK — Command and Control (TA0011): https://attack.mitre.org/tactics/TA0011/
