Detection.Application.CursedChrome

Detects the Cursed Chrome extension. It first searches Chrome's Secure Preferences for extensions configured with permissive permissions, locates each such extension's install path, and scans the files found there with YARA.


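name: Detection.Application.CursedChrome
author: Matt Dri - @mattdri-ir
description: |
   Detects the [Cursed Chrome](https://github.com/mandatoryprogrammer/CursedChrome) extension. Starts by searching for permissive extensions configured within `Secure Preferences`. Locates the path of the extensions and scans using Yara.

type: CLIENT

sources:
  # Only runs on Windows and macOS: those are the only platforms the
  # Secure Preferences globs below know about.
  - precondition:
      SELECT OS From info() where OS = 'windows' OR OS = 'darwin'

    query: |
        // YARA rule applied to every file under a suspicious extension's
        // install directory. $s0/$s1 are the WebSocket C2 connect calls,
        // $s2 looks like the JS UUID one-liner used by the extension
        // (presumably for a client id -- confirm against the project source).
        LET yaraScan = '''
        rule cursed_chrome
        {
            strings:
                $s0 = "new WebSocket(\"ws://"
                $s1 = "new WebSocket(\"wss://"
                $s2 = "[1e7]+-1e3+-4e3+-8e3+-1e11"
            condition:
                ($s0 or $s1) and $s2
        }
        '''

        // Parse the extension settings map out of every Chrome profile's
        // Secure Preferences. Only Google Chrome profile locations are
        // globbed here; other Chromium-based browsers are not covered.
        LET ext = SELECT parse_json(data=read_file(filename=FullPath)).extensions.settings AS ext
          FROM glob(
            globs=['''*:\Users\*\AppData\Local\Google\Chrome\User Data\*\Secure Preferences''', '''/Users/*/Library/Application Support/Google/Chrome/*/Secure Preferences'''])

        // One row per installed extension (flattened from the settings map),
        // reduced to those granted webRequest plus a broad host permission.
        // `=~` is an unanchored regex match: "webRequest" therefore also
        // matches webRequestBlocking, and the `*` in the host pattern must be
        // escaped so it is matched literally rather than read as a regex
        // quantifier (unescaped, `https://*/*` matched any https host).
        // Triple quotes are used for the regex so the backslashes are not
        // processed, the same way the globs above are written.
        LET ext_of_interest = SELECT _value.path AS path
          FROM flatten(
            query={
              SELECT _value
              FROM foreach(
                row={
                  SELECT items(item=ext) AS config
                  FROM ext
                },
                column=["config"])
            })
          WHERE _value.granted_permissions.api =~ "webRequest"
           and (_value.granted_permissions.explicit_host =~ "<all_urls>" or _value.granted_permissions.explicit_host =~ '''https://\*/\*''')

        // Walk every file under each candidate extension's install path and
        // YARA-scan it; a hit on any file produces a result row.
        SELECT *
        FROM foreach(
          row={
            SELECT FullPath
            FROM foreach(
              row={
                SELECT path
                FROM ext_of_interest
              },
              query={
                SELECT *
                FROM glob(root=path,
                          globs="**")
                WHERE NOT IsDir
              })
          },
          query={
            SELECT *
            FROM yara(files=FullPath,
                      rules=yaraScan)
          })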