Jump to content

Dark Reader plugin contains malware (browser Hijacker)

cutting_edgetech
 Share

Recommended Posts

cutting_edgetech

cutting_edgetech

Posted
Posted (edited)

My browsers recently began getting hijacked when visiting certain sites after installing the extension Dark Reader on Firefox, Waterfox, and Librewolf. It wasn't immediately obvious that Dark Reader was the culprit since it only happened when visiting certain sites, and I had to be actively using elements on the site for a few minutes before the hijacking would begin to occur. It would work by hijacking every element and link on the website and redirecting it to various links on furiousfar.com. I also had unknown write and code execution attempts originating from my browser that were being blocked by AppGuard. I looked at some code in my browser, and it appeared my browser was being enumerated for vulnerabilities. I'm fairly certain that Dark Reader is at the very least a browser hijacker, since the hijacking stopped immediately after uninstalling Dark Reader (4 days ago).

I took some screen shots of some code from by browser at the time my browser (LibreWolf) was hijacked. One could not click on a single element on the page without being hijacked, and redirected to furiousfar.com  Below are some screenshots of the code running in my browser when I was hijacked and redirected to furiousfar.com The hijacking code in the first and last image appears to belong to Dark Reader, but i'm not sure about the code in the center image. It looks like some enumeration of my browser and OS could be occurring. Enumerations can be good or bad, but in this case, I believe the enumeration could have malicious intent. Well, I believe the code below in the first and last image points to Dark Reader as being the culprit of the browser hijacking.

I am using Windows 10 X64 21H2, and I believe I was using LibreWolf 106.0.1 and Firefox 106.0.2 during the time of the hijacking.

 

browser hijack.png

hijack2.png

hijack3.png

Edited by cutting_edgetech
Link to post
Share on other sites
David H. Lipman

David H. Lipman

Posted
Posted

Thank You

Please reference the following on how to provide sample submissions such that Malwarebytes' Anti-Malware (MBAM) can detect targeted but presently undetected threats in the form of disk files.

Malware Hunters group
Purpose of this forum

 

Link to post
Share on other sites
cutting_edgetech

cutting_edgetech

Posted
  • Author
Posted
18 minutes ago, David H. Lipman said:

Thank You

Please reference the following on how to provide sample submissions such that Malwarebytes' Anti-Malware (MBAM) can detect targeted but presently undetected threats in the form of disk files.

Malware Hunters group
Purpose of this forum

 

Thank you, I read the links you suggested, but I'm still not sure how to submit a browser extension. I could submit the url or webpage that contains the browser extension. I don't know how to get the extension without installing it again, and this is not a test machine.  I could also let them know which website to use the browser extension with that triggers the malicious behavior.

Link to post
Share on other sites
David H. Lipman

David H. Lipman

Posted
Posted

Well, there is nothing that can be done off of Graphics and a Textual monologue.

Malwarebytes needs physical samples to create Heuristic and signature detections.

I suggest you have your PC checked out b y a Forum Helper.  If there is something, maybe they can help you capture something that can be submitted.

Please reference;  I'm infected - What do I do now?

Then create a post in;  Windows Malware Removal Help & Support

Link to post
Share on other sites
cutting_edgetech

cutting_edgetech

Posted
  • Author
Posted (edited)

Here is the url to the malicious extension. 

https://addons.mozilla.org/en-US/firefox/addon/darkreader/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search

 

VirusTotal Results. https://www.virustotal.com/gui/url/3a8a67e6a6cf95bb6a777080363d22522a7b81a388c535429e8d3c9a0f3c9909

If you use the extension on the following website, then your browser should eventually start getting hijacked. It may take a while before the hijacking begins to occur.  

https://rarbg.to/torrents.php

 

Edited by AdvancedSetup
Disabled live hyperlinks
Link to post
Share on other sites
cutting_edgetech

cutting_edgetech

Posted
  • Author
Posted
1 minute ago, David H. Lipman said:

Well, there is nothing that can be done off of Graphics and a Textual monologue.

Malwarebytes needs physical samples to create Heuristic and signature detections.

I suggest you have your PC checked out b y a Forum Helper.  If there is something, maybe they can help you capture something that can be submitted.

Please reference;  I'm infected - What do I do now?

Then create a post in;  Windows Malware Removal Help & Support

I'm fairly certain the extension is what is malicious. I already rolled my computer back, so should be no infection remaining. I thought Malwarbytes would be interested in installing the extension themselves, and doing their own test. The extension is recommended by Mozilla, and has a large user base. Poor users, don't even know they have a malicious extension installed.

Link to post
Share on other sites
David H. Lipman

David H. Lipman

Posted
Posted

You posted a Mozilla URL to Virus Total.  That will yield false information.  Mozilla is not malicious.

Mozilla Add-ons for Thunderbird and Firebird are XPI files.
This is the XPI file.

https://www.virustotal.com/gui/file/202eccf8088bd2842158f5fe4f4b751217a05b2f0ada02057c16314c174df01b/detection

Zero Detections.

 

darkreader-4.9.60.zip

Link to post
Share on other sites
cutting_edgetech

cutting_edgetech

Posted
  • Author
Posted
1 minute ago, David H. Lipman said:

You posted a Mozilla URL to Virus Total.  That will yield false information.  Mozilla is not malicious.

Mozilla Add-ons for Thunderbird and Firebird are XPI files.
This is the XPI file.

https://www.virustotal.com/gui/file/202eccf8088bd2842158f5fe4f4b751217a05b2f0ada02057c16314c174df01b/detection

Zero Detections.

 

darkreader-4.9.60.zipUnavailable

I see what you mean. I should have copied the url pointing to the XPI file. Thank You. I will know to do that if I run into another malicious extension.

Link to post
Share on other sites
cutting_edgetech

cutting_edgetech

Posted
  • Author
Posted
Just now, David H. Lipman said:

I am moving this thread to;  Windows Malware Removal Help & Support

If there is something causing redirects, it may not be the Firefox add-on and someone help you remove whatever it is.

Ping  @AdvancedSetup

There is no need for that. All malicious activity stopped as soon as I uninstalled Dark Reader extension, and I rolled my computer back to a time before I ever installed Dark Reader. I have experience removing malware, i'm just not familiar with Malwarebytes procedures. I have a degree in IT with a minor in information Security.

Link to post
Share on other sites
cutting_edgetech

cutting_edgetech

Posted
  • Author
Posted (edited)
6 minutes ago, David H. Lipman said:

Are you sure ?

Otherwise I'll close the thread.

 

I am sure, you can close the thread. I will report it to Mozilla, and Eset once I have time. I hope Malwarebytes decides to look into this further. I thought they would want to install the extension for themselves, and do their test.

Edited by cutting_edgetech
Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.