Backdoored Chrome extension installed by 200,000 Roblox players

alf9872000

A Chrome browser extension, 'SearchBlox', installed by more than 200,000 users has been discovered to contain a backdoor that can steal your Roblox credentials as well as your assets on Rolimons, a Roblox trading platform.

BleepingComputer has analyzed the extension code, which indicates the presence of a backdoor, introduced either intentionally by its developer or after a compromise.

Chrome extension targets Roblox players

The 'SearchBlox' extensions found on the Chrome Web Store appear to be compromised, BleepingComputer has observed.

There are two search results for 'SearchBlox' on the Chrome Web Store. These extensions claim to let you "search Roblox servers for a desired player... blazingly fast," but both contained the backdoor.


    The IDs of these unsafe extensions are:

    • blddohgncmehcepnokognejaaahehncd
    • ccjalhebkdogpobnbdhfpincfeohonni
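For defenders who need to check whether either listing is present on a machine, the following is an added example (not code from the article or from BleepingComputer). It walks the default Chrome profile's Extensions directory, where each subfolder is named after the extension ID it holds, and compares the IDs found against the two named in the article. The profile paths are assumed defaults and will need adjusting for non-default profiles or Chromium-based browsers; the manifest name lookup is best-effort, since many manifests use a localized `__MSG_*__` placeholder for the name.

```python
import json
from pathlib import Path

# The two extension IDs named in the article.
SEARCHBLOX_BAD_IDS = {
    "blddohgncmehcepnokognejaaahehncd",
    "ccjalhebkdogpobnbdhfpincfeohonni",
}

# Default Chrome profile locations (assumed; adjust for other profiles or Chromium forks).
DEFAULT_EXTENSION_ROOTS = [
    Path.home() / "AppData/Local/Google/Chrome/User Data/Default/Extensions",      # Windows
    Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions",  # macOS
    Path.home() / ".config/google-chrome/Default/Extensions",                       # Linux
]


def is_extension_id(name):
    """Chrome extension IDs are 32 lowercase letters in the range a-p."""
    return len(name) == 32 and all("a" <= c <= "p" for c in name)


def installed_extension_ids(extensions_root):
    """Each subdirectory of <profile>/Extensions/ is named after the extension ID it holds."""
    root = Path(extensions_root)
    if not root.is_dir():
        return set()
    return {p.name for p in root.iterdir() if p.is_dir() and is_extension_id(p.name)}


def match_bad_extensions(installed_ids, bad_ids=SEARCHBLOX_BAD_IDS):
    """Pure set comparison, kept separate so it can be tested without touching disk."""
    return sorted(set(installed_ids) & set(bad_ids))


def extension_display_name(extensions_root, ext_id):
    """Best-effort name lookup from any version folder's manifest.json (None if unreadable)."""
    for manifest in (Path(extensions_root) / ext_id).glob("*/manifest.json"):
        try:
            return json.loads(manifest.read_text(encoding="utf-8")).get("name")
        except (OSError, ValueError):
            continue
    return None


def scan(roots=DEFAULT_EXTENSION_ROOTS, bad_ids=SEARCHBLOX_BAD_IDS):
    """Return {extension_id: (root, name)} for every known-bad ID found under the given roots."""
    findings = {}
    for root in roots:
        for ext_id in match_bad_extensions(installed_extension_ids(root), bad_ids):
            findings[ext_id] = (str(root), extension_display_name(root, ext_id))
    return findings


if __name__ == "__main__":
    hits = scan()
    if not hits:
        print("No known-bad SearchBlox extension IDs found in default Chrome profiles.")
    for ext_id, (root, name) in hits.items():
        print(f"FOUND {ext_id} ({name or 'unnamed'}) under {root}")
```

A hit from this scan only tells you the folder exists; since Google has blocklisted the IDs, Chrome may already have disabled the extension, so treat a finding as a prompt to follow the credential-reset advice later in the article rather than as proof of an active infection.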

[Image: Malicious SearchBlox extension on Chrome (BleepingComputer)]

In the early morning hours of Wednesday, suspicions arose among Roblox community members that SearchBlox contained malware.


    "Popular plug-in SearchBlox has been COMPROMISED / BACKDOORED - if you have it, your account may be at risk," tweeted RTC, an unofficial Roblox news and community account.


    "Please change your passwords if you have it - and credentials, so that way your account is secure again."

We downloaded the Chrome extensions for analysis. In the first extension (blddohgncmehcepnokognejaaahehncd), downloaded by over 200,000 users, the backdoor is on line 3 of the 'content.js' file:

[Image: Backdoor within Chrome extension 'SearchBlox' (BleepingComputer)]


    For the second extension (ccjalhebkdogpobnbdhfpincfeohonni) with just 959 downloads, the backdoor resided within the 'button.js' file.

The offending URL in either case is:

hxxps://searchblox[.]site/image.png/image.txt

    As if the URL structure 'image.png/image.txt' itself wasn't already interesting, the page contains HTML code that pretends to display an image using the '<img>' tag, but instead loads obfuscated JavaScript that is further encoded as HTML character entities (using the '&' and '#' symbols):

[Image: Page pretends to contain HTML attempting to display an image (BleepingComputer)]

When decoded, the code yields further obfuscated code that appears to exfiltrate Roblox credentials to another domain: releasethen.site.
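The analysis step described above, turning a page of HTML numeric character references back into readable text, is simple to automate. The following is an added example written for this post, not code from BleepingComputer or from the extension: it finds long runs of `&#NNN;` / `&#xHH;` references in a page, decodes them with Python's standard `html.unescape`, and reports what fraction of the page such runs occupy as a crude triage signal. The sample page is constructed here and hides only a harmless `console.log` string; the run-length threshold of eight is an assumed value, chosen because legitimate pages use isolated entities rather than long unbroken runs.

```python
import html
import re

# A run of at least eight consecutive numeric character references (decimal or hex).
# Eight is an assumed threshold: normal pages use a few isolated entities, not long runs.
ENTITY_RUN = re.compile(r"(?:&#(?:x[0-9a-fA-F]+|[0-9]+);){8,}")


def encode_as_entities(text):
    """Encode every character as a decimal HTML character reference (used only to build the sample)."""
    return "".join(f"&#{ord(c)};" for c in text)


def find_entity_runs(page):
    """Return each long run of numeric entities found in the page, in order."""
    return [m.group(0) for m in ENTITY_RUN.finditer(page)]


def decode_entity_runs(page):
    """Decode each run back to the text it hides; that text is what an analyst then inspects."""
    return [html.unescape(run) for run in find_entity_runs(page)]


def entity_coverage(page):
    """Fraction of the page's characters that sit inside long entity runs (crude triage signal)."""
    if not page:
        return 0.0
    return sum(len(run) for run in find_entity_runs(page)) / len(page)


# Constructed sample page: an <img> tag followed by a harmless entity-encoded script body.
HIDDEN_SAMPLE_TEXT = 'console.log("constructed sample")'
SAMPLE_PAGE = (
    '<html><body><img src="x">'
    + encode_as_entities(HIDDEN_SAMPLE_TEXT)
    + "</body></html>"
)


if __name__ == "__main__":
    print(f"entity coverage: {entity_coverage(SAMPLE_PAGE):.0%}")
    for decoded in decode_entity_runs(SAMPLE_PAGE):
        print("decoded run:", decoded)
```

In practice the decoded output is itself obfuscated JavaScript, as the article notes, so this is only the first layer; the coverage figure is useful because a page that is mostly character references and contains a lone `<img>` tag is not displaying an image at all.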

[Image: Another suspicious domain in use by the extension (BleepingComputer)]


    Of note is the fact that both 'searchblox.site' and 'releasethen.site' were registered this month and share a common web host, Hostinger.


    The code also appears to survey a player's profile on Rolimons.com, a Roblox trading platform. This detail becomes relevant given today's account suspensions on the platform, as explained in the following section.

    'SearchBlox' a repeat offender

Unfortunately, this doesn't seem to be the first time a malicious 'SearchBlox' extension has targeted Roblox users either.

In October, Google reportedly took down another 'SearchBlox' that had been sitting on the Chrome Web Store since at least June 28th, 2022.

Whether the backdoor was injected into the extension by a threat actor after a compromise, or introduced intentionally by the developer, has yet to be authoritatively determined.

There is some speculation among Roblox community members [1, 2, 3, 4] who have noticed the inventory of user 'Unstoppablelucent', purportedly the extension's developer, multiply overnight, while Rolimons user 'ccfont' was terminated today over suspicious inventory trades.

    Both the extension as well as the offending URLs have a clean VirusTotal reputation at the time of writing, making detection of these malicious extensions a whole lot harder.

Suffice it to say, anyone who has installed 'SearchBlox' should remove the extension immediately, clear their cookies, and change their passwords for Roblox, Rolimons, and any other websites they may have logged into while the extension was in use.


    BleepingComputer notified Google of the malicious extensions prior to publishing. A Google spokesperson later confirmed that these extensions were taken down and will automatically be removed from systems where these were installed.


    "The identified malicious extensions are no longer available on the Chrome Web Store," Google told BleepingComputer.


    "The extensions are blocklisted and will be automatically removed from any user machine that previously downloaded them."

Source: BleepingComputer
