Check. Connect. Repeat.

Fake Evernote Extension Serves Advertisements

Recently a Malwarebytes researcher informed me of a Multiplug PUP that installs a fake Evernote browser extension. Fellow researchers can find the link to this sample on VirusTotal here.

A quick look shows the PUP is digitally signed by “Open Source Developer, Sergei Ivanovich Drozdov”, although the certificate has since been revoked by the issuer. This serves as another reminder that you can’t always trust a program just because it’s digitally signed.

cert_info

When you execute the PUP, it silently installs a web extension for the Google Chrome, Torch, and Comodo Dragon browsers. The extension takes the form of three obfuscated JavaScript files and one HTML file. The picture shows these files installed in Chrome’s extension directory on a Windows 7 PC.

chrome_ext_files

For Google Chrome, the installation of the web extension is achieved by updating the “Preferences” file, which is a json-formatted file used to configure Chrome user preferences. The extension that’s installed is called “Evernote Web,” just like the real extension from Evernote.com.

When taking a look at the Chrome extensions page, we can see the extension installed there with the ID “lbfehkoinhhcknnbdgnnmjhiladcgbol,” just like the real Evernote Web extension.

evernote

Clicking “Visit website” directs the user to the chrome webstore page for the actual Evernote Web extension. Chrome believes the real extension is installed, as verified by the Launch App button. When clicking this button with the fake extension installed, nothing happens, whereas normally the user is met with an Evernote log in screen.

fake_evernote_chrome_store

The extension uses a content script to run in the context of the web pages a user browses. The content script is guaranteed to be loaded into every web page using the extension manifest (manifest.json).   When visiting webpages, you’ll get a series of annoying advertisements, all leading to potentially more unwanted programs and offers.

Here is a comparison of visiting newegg.com with and without the fake Evernote extension.

newegg_noads

newegg_ads
Here is another example of advertisements when visiting a page on the John Deere website:

tiptopsoft

On the surface, it may seem like the pop ups and advertisements are coming from the websites themselves, but are in fact from the fake Evernote web extension.

Fortunately, removing the extension is a simple task. For Chrome users, simply visit the extensions page and click the picture of a garbage can, and you’re done. You also might want to run a free scan using your Antivirus or Anti-malware programs (like Malwarebytes Anti-Malware) to make sure there wasn’t anything else added while you had the extension.

@joshcannell  

ABOUT THE AUTHOR

Joshua Cannell

Malware Intelligence Analyst

Gathers threat intelligence and reverse engineers malware like a boss.