A threatening campaign that has been distributing a malware payload named CacheFlow has been active since at least 2017. The operation managed to remain under the radar of infosec researchers mostly due to its extensive detection-avoidance techniques. The campaign involved the release of dozens of corrupted browser extensions for Google Chrome and Microsoft Edge. Gathered data suggests that these extensions have a total download count of over three million. According to the researchers' analysis, the countries with the most affected users are Brazil, Ukraine and France.

The first extension attributed to this attack campaign was named 'Video Downloader for FaceBook™' and worked on Chrome. Information about it was released in a blog post by Edvard Rejthar from CZ.NIC. The extension was executing obfuscated JavaScript code that performed tasks well outside the functionality listed in the extension's advertisements. Subsequently, dozens of other extensions were observed doing the same. Although most of them do possess a certain degree of legitimate functionality, such as allowing users to download videos from popular social media platforms, the main goal of this group of extensions is to deliver the CacheFlow payload.

When deployed, CacheFlow could perform several threatening operations on the compromised system. It can harvest sensitive user data such as birth dates, email addresses, geolocation, search queries and information about clicked URLs. However, the payload extracted birth dates only from the user's Google account; the researchers found no attempts to do the same for Microsoft accounts. In addition to data collection, CacheFlow established two separate routines: one for hijacking clicks and another for modifying search results. When a victim clicks on any link, the threat sends information about it to a specific address and waits for a response. If the attackers send the required command, CacheFlow redirects the user to a different URL altogether. The second functionality is triggered when the user performs a search on Google, Yahoo or Bing. CacheFlow then collects the search query and the returned results and sends the information to its Command-and-Control (C2, C&C) servers. Upon receiving the appropriate command, the threat could then alter some of the displayed results.

Novel Evasion and Obfuscation Techniques Kept CacheFlow Out of Sight

The most distinguishing aspect of the threat, however, is its determination to remain hidden. The hackers have implemented in CacheFlow several rarely or never-before-seen detection-avoidance techniques. The extension starts executing its threatening programming only after lying dormant for three days on the infected system. Even then, it escalates the attack only if several checks pass successfully. The goal of the hackers is to avoid infecting tech-savvy users, such as web developers. To determine whether this is the case, CacheFlow first checks the other extensions installed on the system and compares them against a hardcoded list of extension IDs. Each extension has a specific score assigned to it, and if the total sum surpasses a predetermined value, the payload sends the collected information to the C&C server for further instructions. The cybercriminals can then decide to escalate the attack or stop the threat from continuing with its programming.

Another factor that can cause CacheFlow to shut itself down is the victim being caught using the browser developer tools. A separate routine checks whether the victim attempts to dig deeper into the threatening campaign by googling one of the C&C domains; this activity is then reported to the attackers.

To hide all of the communication traffic between itself and the C&C infrastructure, CacheFlow employs a rather unusual technique: it uses the Cache-Control HTTP header of analytics requests to establish a hidden channel.
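The covert channel described above hides in a header that proxies and security tooling rarely inspect. As an added example, not code from the original article or from the researchers, the Python below parses Cache-Control values as RFC 9111 defines them and lists what a defender reviewing proxy logs would want flagged: directive names outside the standard set, non-numeric values where an integer is required, and long opaque values that look like an encoded blob. The review threshold, the base64-like pattern and the sample headers are constructed assumptions, not values observed in CacheFlow traffic.

```python
import re
# Directive names from RFC 9111 plus widely deployed extensions.
KNOWN_DIRECTIVES = set(
    "max-age max-stale min-fresh no-cache no-store no-transform only-if-cached "
    "must-revalidate must-understand private proxy-revalidate public s-maxage "
    "immutable stale-while-revalidate stale-if-error".split())
NUMERIC_DIRECTIVES = set("max-age max-stale min-fresh s-maxage "
                         "stale-while-revalidate stale-if-error".split())
MAX_VALUE_LEN = 32                                  # assumed review threshold
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=_-]{24,}$")    # base64-like run of text
# Split on commas that are not inside a quoted-string (even quotes follow).
SPLIT_RE = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_cache_control(value):
    """Return [(name, value_or_None), ...]; names lowercased, quotes stripped."""
    out = []
    for part in SPLIT_RE.split(value):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        val = val.strip() if sep else None
        if val and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        out.append((name.strip().lower(), val))
    return out

def suspicious_directives(value):
    """List human-readable reasons a Cache-Control value deserves review."""
    reasons = []
    for name, val in parse_cache_control(value):
        if name not in KNOWN_DIRECTIVES:
            reasons.append(f"unknown directive {name!r}")
        if name in NUMERIC_DIRECTIVES and not (val or "").isdigit():
            reasons.append(f"non-numeric value for {name!r}: {val!r}")
        if val and (len(val) > MAX_VALUE_LEN or BLOB_RE.match(val)):
            reasons.append(f"opaque value for {name!r} ({len(val)} chars)")
    return reasons

# Constructed sample headers, not captured CacheFlow traffic.
SAMPLES = {
    "normal":  "public, max-age=3600, stale-while-revalidate=60",
    "quoted":  'private, no-cache="Set-Cookie", must-revalidate',
    "covert":  "no-cache, max-age=Zm9vYmFyYmF6cXV4cXV1eDEyMzQ1Njc4OTA=",
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(f"{label:8s} {suspicious_directives(hdr) or 'ok'}")
```

Feeding real proxy or web-gateway logs through suspicious_directives() turns an otherwise invisible header into a reviewable signal; legitimate values are short and numeric, so anything flagged is cheap to triage.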
