LilyJade Version 2.0: a Malicious Browser Extension

In order to gain popularity and usability, web browsers offer extra features. Chief among these are browser plug-ins, which can help to attract a greater audience.

These extensions are used by a browser to extend its functionality. Almost all popular browsers support these extensions, which have become one of the most commonly used malware attack vectors. Malware authors have long chosen social networking sites as their favorite breeding ground. A current threat to Facebook users is the LilyJade 2.0 “extension.”

So it begins

Fake YouTube Website

A fake YouTube site.

We came across a scam that tricks users into installing a fake video codec extension to view a video. When users install these kinds of malicious extensions, their systems will become vulnerable to attacks. After infection when the browser is opened, this extension downloads malicious JavaScripts from a remote server to perform malicious activities.

Downloaded Malicious Scripts

Downloaded malicious scripts.

These malicious extensions send the information to the malware author, including IP address, country, and OS. The malware also reports whether the user is online and the websites viewed.

C&C Server

The malware control server.

The preceding statistics show about 7,837 compromised unique IPs and that about 176 users were online.

The other fields present in the control server:

  • IP: Address of the compromised browser
  • Country: Location of the compromised browser
  • OS: Operating system installed
  • URL: The web page currently viewed in the compromised browser
  • Status: Whether the compromised browser is available

Generating revenue

The malware shows an advertisement copied from one of several websites (Yahoo, YouTube, Bing, AOL, Google, and Facebook) and replaces it with its own advertisement. The Google AdSense ID (in this case “ca-pub-33xx398xxxx84xx1”) is unique for each AdSense user. Replacing the advertisement with a unique AdSense ID will generate more income to the attacker’s account.

Function to Replace Ads

The function for replacing ads.

Apart from these leading domains, the malware can also replace advertisements from other websites. The malicious script will check whether the user is viewing pages contain pornography by comparing the keywords listed in the next screen. If the malware finds a match, it will not replace any ads on that page because displaying porn ads or hacking websites using AdSense will lead to an account ban.

Checking Whether The Website Has Porn Content

Checking whether the website has porn content.

Selling “likes”

Cybercriminals have a service for selling likes in Facebook. They target mainly small companies, games, or any application that needs more visibility and fans in Facebook. This malicious script also promotes some Facebook pages.

Promoting the Pages in Facebook    Promoting the Pages in Facebook

Promoting Facebook pages.

The preceding page belongs to an affiliate that spread this malicious extension. It has received more than 5,000 likes in the last three weeks–that’s a long time for malware like this to remain online.

Spreading in the wild

This version of LilyJade spreads through Facebook and Twitter by posting scam messages from the compromised account. The following code clearly shows its propagation technique.

Propagation Through Scams

Propagating through scams.

This version of LilyJade runs only on Firefox, Chrome, and Safari browsers. Our analysis is based on the Firefox extension, which is not a part of the cross-rider framework.

Facebook partnered with McAfee to detect these types of malicious extensions. If any Facebook users suspect that they are infected, then they can check and clean their systems with McAfee Scan and Repair.


Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.


More from Security News

Back to top