Nenhancer Chrome Extension Is Malware - Beware!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by CollinChaffin, Aug 15, 2016.

  1. CollinChaffin

    CollinChaffin Private E-2

    Hey Tim and folks,

    Want to bring this to your attention as I have been using this (as have many and many blogs recommending) for years. The nEnhancer (NETFLIX Enhancer) Chrome extension.

    Well, back in April, this Russian author (you can research this through the reviews in the Chrome web store etc.) released a new version with new elevated permissions. As this has unfortunately become commonplace these days, I, like everyone else, reluctantly clicked "accept" because it was that or stop using this awesome extension I loved. That was APRIL.

    Fast forward to August 14th. My Chrome processes are spiking, and suddenly all requests go dead and stop at: http://crvtck.com/get?key=XXXX&uid=XXXX&format=go&ref=XXXX&out=WHERE-I-TYPED-TO-GO. Hmm. WTF. I run enterprise virusscan, spybot, etc. I've got almost 30 years in this business and MY browser doesn't get hijacked. WTF is going on here?

    So, almost six hours go by going one by one through every Chrome extension, through source code. Sh1t, I run a lot of these, do I need them all? Sh1t, I guess I do. Nothing glaring. Do I REALLY need to start trying to eyeball and trace myself through compressed, obfuscated javascript that has become so commonplace by these extension developers to avoid code theft? Sh1t, affirmative.

    Another eight hours and far too much coffee (and this is in between being single dad of 2 little ones so it's at night as they sleep). Jesus, this has to be wrong. I don't want to say I found it - I must just be tired. It cannot be a g0ddam NETFLIX pretty-upper extension hijacking me, can it? Wow. This is why it took 20 hours to find - cause it was the last one I literally looked at and thought it could be.

    So, on about the 20th verification, I open up my Snagit and begin recording live video. I have not yet overlaid any audio as I'm currently still asleep but will get to it - someday soon. I did open up Notepad to narrate as I try to display what it's doing, but the video only captures part of the malicious, damage-causing behavior exhibited by this previously trusted extension.

    Here's what I have dissected so far with 100% certainty - in April, this Russian developer posted a new codebase and forced elevated permissions from only Netflix (and OMDb) to ALL sites, and (as a cover-up) they have now added text about a forthcoming "awesome new feature" (one that somehow shows movie ratings while I'm on my banking site) that very nicely walks their users through manually taking further action to give their extension hidden pane permission, which by default no extension has. That new code has done (and is doing) the following on every user's system that still has it active:

    1. Upon opening Chrome, download 3 lists of URLs. A "blacklist" (purpose still unknown until I further dissect the code), the "search/stats URLs" (same), and most importantly a list of tens of thousands of paid affiliate URLs (purpose forthcoming but you can start throwing your pencil right about now).
    2. Begins a very sophisticated randomizing (think independence day) timeout countdown to avoid detection (and highly obfuscated beginning at the rabbit hole on about LINE 6 in BG.JS on YOUR hard drive if you're using the extension).
    3. Begins, in a very sophisticated fashion, redirecting all of my web requests through their new domain, crvtck.com, and apparently falls back to srvtrck.com. It also (I am not done analyzing so can only speak to the end effects at the moment) may actually be packaging up base64 data of the requests and actually POSTing it, but I need further confirmation and help dissecting this obfuscated code. Bad, bad stuff happening here and I pray it only tracked URLs I typed and did not acquire or access any other secure sites such as banking. I can confirm, though, that their server having issues on 8/14 is the only reason I even became privy to any of this. Again - very sophisticated.
    4. Upon the doomsday countdown, here comes the real reason the author has everyone granting that extra permission for hidden panels......opens up hidden panels in a shadow session of you, the user, all while your browser is open and you're working on other things, and begins performing HTTP GETs for all of the tens of thousands of paid affiliate URLs - but appears to again do it in a very sophisticated manner, throttling to avoid detection (it was successful on me for many months).

    A couple big notes here. As Google IS actually allowing some affiliate crap with extension developers, as far as I can tell this is different in a couple major ways:
    1. Permissions - I granted permission to all the sites I VISIT, not 100,000 new ones including sexual related sites (see my video) that I have NOT and NEVER WILL visit. Also, this developer is asking for permissions above and beyond normal extension permissions.
    2. Hijacking - clearly, this extension is performing traffic (and possibly data) theft and hijacking, which, as far as I know, is illegal in this country. Unfortunately for us, it appears this developer may not even be based in the USA, but Google needs to get their DEV and security teams on this and take action immediately, especially if there is any possibility of data theft. Of what I already have captured and decoded, it actually appears to be pretty darn close to exactly what I found well documented in this security blog article:

      https://blog.perimeterx.com/hijacking-users-affiliate-fraud/

    3. This malicious code I have analyzed in the extension, I did find posted in a single location worldwide, with sections that are line-for-line identical (minus variable renaming) to what I find in the BG.JS (background JavaScript) for this extension (search for "page_visible:2" and start comparing code). Anyway, this pastebin, coincidentally, was posted in April just before it appeared in this latest version and, of all things, is titled (you won't friggin believe it) "Redirect Malware Extension". It is located at: http://pastebin.com/nF6R9FCU and again I found this by searching for bits of this extension's new malicious code.
    4. The domain stealing my every web request and putting it into a database (and hopefully not my data) was, coincidentally, brand new and registered in mid April, very close to the time that the main nenhancer.com was renewed, and within a short time of this new code release and the above pastebin. It is of course an anonymous registrar, so I cannot absolutely confirm at this time and this is purely speculation. However, this all really does not help make the case for this developer that somehow, this is all just to allow my banking site to drop security and somehow show me a movie rating as I bank. Sorry, I'm a bit punchy when I'm asleep. :)

    So, I've followed you and this site for many years and know how you like to tear apart this nasty garbage, and also like to get the word out to your viewers once you yourself confirm malicious sh1t like this, so hopefully it helps.

    I have contacted Google and really appreciate help to further tear into this obfuscated code and also for others to reach out to Google if, after yourself looking at it, agree that this needs to be taken down immediately for the public's sake.

    Here's my initial video capturing the activity with Fiddler and showing the code (which begins on line 5 of BG.JS for extension ( ijanohecbcpdgnpiabdfehfjgcapepbm - current version 3.5.4_0 ) and then follow the rabbit hole):



    @CollinChaffin
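Two checks a responder can run offline on the kinds of artefacts this post describes, written as an added example that is not part of the original post and not the extension's own code: an audit of an extension's manifest.json for blanket host permissions (the "ALL sites" grant the post mentions) plus a pointer to the background script worth reading, and a scan of proxy/Fiddler-style request logs for the redirector shape in the post, where the user's real destination rides in a query parameter (`out=`, the parameter visible in the captured crvtck.com URL) of a request to an unrelated domain. A third function lists referer-less GET hosts, which is what a hidden pane fetching a list of affiliate links looks like in a log. The log line format (timestamp, method, URL, referer), the sample manifest and the sample log lines are constructed for this example.

```javascript
// Added defensive example; not code from the original post or from any extension.
// Assumed log format per line: "<ISO time> <METHOD> <URL> <REFERER or ->" (constructed).

const BROAD_HOST_PATTERNS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

// Flags host permissions that cover every site and lists the background scripts
// a reviewer should read first. Handles both manifest v2 ("permissions") and
// v3 ("host_permissions", "background.service_worker") layouts.
function auditManifest(manifest) {
  const findings = [];
  const perms = (manifest.permissions || []).concat(manifest.host_permissions || []);
  for (const p of perms) {
    if (BROAD_HOST_PATTERNS.includes(p)) findings.push(`broad host access: ${p}`);
  }
  const bg = manifest.background || {};
  const scripts = bg.scripts || (bg.service_worker ? [bg.service_worker] : []);
  for (const s of scripts) findings.push(`review background script: ${s}`);
  return findings;
}

// Parses one log line into {time, method, url, referer}; malformed lines yield null.
function parseLogLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 3) return null;
  let url;
  try { url = new URL(parts[2]); } catch { return null; }
  return { time: parts[0], method: parts[1], url, referer: parts[3] || '-' };
}

// A hit is a request whose `outParam` query value names a different host than the
// request itself: a redirector that records where the user was really going.
function findRedirectHijacks(lines, outParam = 'out') {
  const hits = [];
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec) continue;
    const out = rec.url.searchParams.get(outParam); // URLSearchParams decodes %XX
    if (!out) continue;
    let dest;
    try { dest = new URL(out).hostname; } catch { continue; }
    if (dest && dest !== rec.url.hostname) {
      hits.push({ time: rec.time, redirector: rec.url.hostname, destination: dest });
    }
  }
  return hits;
}

// Distinct hosts fetched by GET with no referer, sorted. A long list of unrelated
// hosts here, with no page that linked to them, is the signature of background
// "hidden pane" browsing rather than user navigation.
function refererlessGetHosts(lines) {
  const hosts = new Set();
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (rec && rec.method === 'GET' && rec.referer === '-') hosts.add(rec.url.hostname);
  }
  return [...hosts].sort();
}

// Constructed sample manifest resembling a v2 extension with a blanket host grant.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'example-extension',
  permissions: ['tabs', 'storage', '<all_urls>'],
  background: { scripts: ['bg.js'] },
};

// Constructed sample log: one redirector hit, one normal navigation, a burst of
// referer-less affiliate-style GETs, a same-host "out=" that must not match, and junk.
const SAMPLE_LOG = [
  '2016-08-14T21:03:11Z GET http://crvtck.com/get?key=XXXX&uid=XXXX&format=go&ref=XXXX&out=https%3A%2F%2Fexample-bank.test%2Flogin -',
  '2016-08-14T21:03:12Z GET https://example-news.test/article/42 https://example-news.test/',
  '2016-08-14T21:05:40Z GET https://shop-a.test/?aff=demo -',
  '2016-08-14T21:05:41Z GET https://shop-b.test/deal?aff=demo -',
  '2016-08-14T21:05:42Z GET https://shop-c.test/?aff=demo -',
  '2016-08-14T21:06:00Z GET https://example-news.test/out?out=https://example-news.test/other -',
  'garbage line',
];

console.log('manifest findings:', auditManifest(SAMPLE_MANIFEST));
console.log('redirect hijacks:', findRedirectHijacks(SAMPLE_LOG));
console.log('referer-less GET hosts:', refererlessGetHosts(SAMPLE_LOG));
```

Run it with Node against a real manifest.json and an exported request log to get a first triage list; the manifest audit is a starting point for reading, not proof of malice on its own, since legitimate extensions also request broad host access.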
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks for the info.
     
