LNKR Description

The LNKR malware is a threat that is bundled into several Google Chrome extensions. Unfortunately, the Web browser add-ons in question have managed to bypass the security measures of the Google App Store and are currently hosted there. The extensions carrying the LNKR threat appear to have generated fewer than a thousand downloads, which means they are yet to gain any popularity. To mislead users into installing the corrupted add-ons, the cybercriminals have used popular names that are well-known to the public. An example of this is a corrupted Web browser extension named ‘Adobe Flash Player’ that carries the code of the LNKR malware.

As soon as the LNKR threat infiltrates your computer, it is able to change the content of the sites you visit. The LNKR malware uses targeted advertisements for its nefarious purposes. The LNKR threat is also capable of monitoring your behavior online and collecting data about your interests and habits. This malware’s goal is to present its victims with fake advertisements that look legitimate, and the personal information collected about the target helps the LNKR threat tailor more believable advertisements. The LNKR threat is able to insert JavaScript into opened Web pages. Since JavaScript can interact with users and ask them to enter data, it is technically possible for the LNKR malware to engage in phishing attacks or plant credit card skimming code in payment pages.

The creators of the LNKR malware have taken serious measures to protect their anonymity and prevent cybersecurity analysts from uncovering their real identities. This is done by operating a complex network infrastructure that is not easy to navigate. A majority of the domain names associated with the LNKR malware are of Chinese origin. Despite this, malware researchers believe that the hacking group responsible for the LNKR threat is not located in China, but in Eastern Europe.

How Does LNKR Spread?

LNKR infects computers through illegitimate browser extensions. These extensions inject JavaScript code into the pages visited by the user. The code allows the virus to record browser activity, identify the websites accessed most frequently, and overlay ads on those sites to generate money.

LNKR is more capable than the average malicious browser extension, however. The extension also checks for sites where the user has write access, which allows it to edit Web content. This access lets the threat inject JavaScript code into a website directly, so it can spread further and faster than regular browser extensions. LNKR hasn’t been seen to spread any JavaScript code other than its own installation package, but the fact that it can inject JavaScript means the threat actors behind it could use it to install additional malware.
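Because LNKR modifies pages it has write access to, a site owner’s most direct check is to compare the scripts a served page actually loads against the hosts the site is known to use. The following is an added example, not code from the original article or from any LNKR analysis: it collects every `<script>` element from a page, flags external sources whose host is not on an allowlist, and counts inline scripts for manual review. The sample HTML, the allowlist and the host names in it are constructed for illustration.

```python
"""Flag script sources in a page that the site owner did not expect.

Added example. SAMPLE_HTML, ALLOWED_HOSTS and every host name below are
constructed; they are not indicators from the LNKR campaign.
"""

from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: two external scripts and one inline script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example/app.js"></script>
<script src="https://unknown-ad-host.example/loader.js"></script>
<script>console.log('inline');</script>
</head><body><p>hello</p></body></html>"""

# Hosts the site owner knowingly loads scripts from (constructed allowlist).
ALLOWED_HOSTS = {"cdn.example", "shop.example"}


class ScriptCollector(HTMLParser):
    """Record external script URLs and count inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline_count = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            # Inline scripts have no host to check; surface them for review.
            self.inline_count += 1


def unexpected_scripts(html, allowed_hosts):
    """Return external script URLs not served from an allowed host, plus
    the number of inline scripts seen."""
    parser = ScriptCollector()
    parser.feed(html)
    flagged = []
    for src in parser.external:
        host = urlparse(src).hostname or ""
        if host not in allowed_hosts:
            flagged.append(src)
    return {"unexpected_external": flagged, "inline_scripts": parser.inline_count}


if __name__ == "__main__":
    report = unexpected_scripts(SAMPLE_HTML, ALLOWED_HOSTS)
    for src in report["unexpected_external"]:
        print("unexpected script source:", src)
    print("inline scripts to review:", report["inline_scripts"])
```

Running this periodically against the live page (rather than the copy in the repository) is what catches a server-side injection, since the injected script only exists in what is served.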

Tracing the Threat

Security experts were able to trace LNKR back to known command and control (C2) servers and use Host Pairs data sets to discover inventoried infrastructure connecting to the C2 servers.

These host pairs describe a unique relationship between observed pages. Each pair records a parent, a child, and a cause that explains the relationship between the two. The information gleaned from these pairs reveals a great deal about dependent requests, redirection sequences, and other actions pages take when loading. Host pairs are effective at tracking viruses because they expose the relationships between hosts using information taken from the actual page.

Security experts noticed that many websites were making calls to the LNKR C2 servers. They were able to track those requests down and discovered that the domains included in the requests matched that of LNKR.
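The hunting step described above, turning a list of parent/child/cause observations into the set of pages that reach a known C2 host, can be done with a small graph walk. This is an added example, not the researchers’ tooling or data: the observations, the cause labels and the `c2.example` host are constructed placeholders, and the functions `build_graph`, `direct_callers` and `paths_to_host` are names chosen here.

```python
"""Find every observed page that reaches a known C2 host through host pairs.

Added example. HOST_PAIRS and the host names in it are constructed; the C2
hostname is a placeholder, not a real LNKR indicator.
"""

from collections import defaultdict, deque

# Constructed host-pair observations: (parent host, child host, cause).
HOST_PAIRS = [
    ("shop.example", "cdn.example", "script"),
    ("shop.example", "tracker.example", "script"),
    ("tracker.example", "c2.example", "xhr"),
    ("blog.example", "shop.example", "redirect"),
    ("news.example", "images.example", "img"),
    ("forum.example", "c2.example", "script"),
]


def build_graph(pairs):
    """Map each parent host to the (child, cause) edges observed from it."""
    graph = defaultdict(list)
    for parent, child, cause in pairs:
        graph[parent].append((child, cause))
    return graph


def direct_callers(pairs, target):
    """Hosts whose pages call the target host directly."""
    return {parent for parent, child, _ in pairs if child == target}


def paths_to_host(graph, target):
    """For each parent that reaches `target`, return the shortest chain of
    (host, cause) hops leading there, so an analyst can see how the page
    ended up contacting the C2 host (direct script, redirect chain, ...)."""
    results = {}
    for start in list(graph):
        queue = deque([(start, [])])
        seen = {start}
        found = None
        while queue and found is None:
            host, path = queue.popleft()
            for child, cause in graph.get(host, []):
                hop = path + [(child, cause)]
                if child == target:
                    found = hop
                    break
                if child not in seen:
                    seen.add(child)
                    queue.append((child, hop))
        if found is not None:
            results[start] = found
    return results


if __name__ == "__main__":
    graph = build_graph(HOST_PAIRS)
    for page, chain in paths_to_host(graph, "c2.example").items():
        hops = " -> ".join(f"{host} ({cause})" for host, cause in chain)
        print(f"{page} -> {hops}")
```

The breadth-first walk matters for the redirect case: `blog.example` never calls the C2 host itself, but it redirects to a page that loads a tracker that does, and the chain in the output makes that dependency visible.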

How to Prevent LNKR and Other Malicious Browser Extensions

JavaScript is becoming increasingly common in attacks on retail, finance, manufacturing, and professional services. The individual user is also at risk of installing malicious extensions such as LNKR. Here are some things you can do to help protect against them:

  • Remember that Less is More

    When it comes to avoiding malicious extensions, nothing beats simply reducing how many extensions you download and use. Only use the extensions you need. Using fewer extensions reduces your chance of running into a malicious one.

    See if there is a desktop app or terminal command that can perform the same functions as the extension you are considering. Some of the most popular extensions eventually get built into browsers as default features too, so wait a little while and see where things stand.

  • Get Rid of Inactive Extensions

    On a similar note, you should remove browser extensions you no longer use. Each extension you uninstall is one less security risk on your computer. It helps to clean up your extensions once a month or so. Browser extensions are as easy to uninstall as they are to install, so anyone can do this.

Web browser add-ons rarely raise any suspicion, as they are a kind of software most of us have never had issues with. However, the LNKR malware shows that cyber crooks can easily weaponize Web browser extensions and use them for their harmful goals. This is why you need to be very careful when installing software on your PC, even if it is hosted on a legitimate and reputable platform like the Google App Store. Furthermore, do not forget to protect your system with a genuine anti-virus software suite that will keep threats like the LNKR malware away from your computer.