Cacheflow webtimer download
We believe they were not satisfied with the previous check and decided to further profile the victim in order to avoid infecting users who seemed more tech-savvy. One of the ways they did this was by enumerating the other extensions installed by the victim and checking them against a hardcoded list of extension IDs.
Another way to profile the potential victim was to check the URLs they were browsing. This way, it would know that somebody was taking a deeper look into the extension and could take actions to hide itself.
Interestingly, the domains were not fully specified in the regular expressions, with some characters being represented as the dot special character. We assume that this was an attempt to make it harder to create a domain blocklist based on the regular expression. At this point, the malware also attempted to gather information about the victim.
This information included birth dates, email addresses, geolocation, and device activity. Once again, the attackers focused only on Google: we did not see any similar attempts to get Microsoft account information. This permission gives the extension access to all hosts, so it can make arbitrary cross-site requests. In order to make it harder for Google to realize that CacheFlow was abusing its services to gather personal information, it also registered a special chrome.
This listener removes the referer request header from all the relevant XHR requests, so Google would not easily know who is actually making the request. Finally, to perform its main malicious functionality, the payload injects another piece of JavaScript into each tab using the chrome. The injected script implements two pieces of functionality. The first one is about hijacking clicks. When the victim clicks on a link, the extension sends information about the click to orgun.
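The profiling and request-tampering behaviour described so far (enumerating other extensions, watching browsed URLs, access to all hosts, and a blocking listener that strips the referer header) maps onto a small set of extension permissions. The following is an added example, not code from the CacheFlow sample or from the write-up: a manifest audit that flags those indicators. The permission names are the real Chrome ones (management, tabs, webRequest, webRequestBlocking, <all_urls>); both manifests below are constructed.

```javascript
// Added example, not code from the CacheFlow sample or from the write-up:
// a small audit of an extension manifest for the capabilities described
// above. Permission names are the real Chrome ones; the sample manifests
// at the bottom are constructed.

const BROAD_HOST_PATTERNS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

// Collect permissions from both Manifest V2 (permissions) and V3
// (host_permissions) locations so the audit works on either format.
function collectPermissions(manifest) {
  return [].concat(
    manifest.permissions || [],
    manifest.optional_permissions || [],
    manifest.host_permissions || []
  );
}

// Returns the risk indicators that correspond to the behaviours in the
// write-up: enumerating other extensions, watching browsed URLs, reaching
// every host, and a blocking webRequest listener that can drop headers.
function auditManifest(manifest) {
  const perms = collectPermissions(manifest);
  const findings = [];

  const broadHosts = perms.filter((p) => BROAD_HOST_PATTERNS.includes(p));
  if (broadHosts.length > 0) {
    findings.push('broad host access: ' + broadHosts.join(', '));
  }
  if (perms.includes('management')) {
    findings.push('management: can enumerate the other installed extensions');
  }
  if (perms.includes('tabs')) {
    findings.push('tabs: can read the URL of every open tab');
  }
  if (perms.includes('webRequest') && perms.includes('webRequestBlocking')) {
    findings.push('webRequest + webRequestBlocking: can rewrite or strip request headers such as Referer');
  }

  // A content script matched against every page gives the same reach as
  // injecting a script into each tab.
  const scripts = manifest.content_scripts || [];
  const injectsEverywhere = scripts.some((cs) =>
    (cs.matches || []).some((m) => BROAD_HOST_PATTERNS.includes(m))
  );
  if (injectsEverywhere) {
    findings.push('content script matches every page');
  }

  const risk = findings.length >= 3 ? 'high' : findings.length > 0 ? 'medium' : 'low';
  return { risk, findings };
}

// Constructed manifest shaped like the capability set described above.
const SUSPICIOUS_MANIFEST = {
  manifest_version: 2,
  name: 'Example Video Downloader',
  permissions: ['<all_urls>', 'tabs', 'management', 'webRequest', 'webRequestBlocking'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'] }],
};

// Constructed manifest for a narrowly scoped extension, for comparison.
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: 'Example Clock',
  permissions: ['storage'],
  host_permissions: ['https://time.example.invalid/*'],
};

console.log(auditManifest(SUSPICIOUS_MANIFEST));
console.log(auditManifest(BENIGN_MANIFEST));
```

None of these permissions is malicious on its own; the point of the audit is that the combination flagged here is exactly what the behaviour in the write-up requires, so an extension requesting all of them deserves a closer look at what its background script does with them.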
The second functionality concerns search engine results. When the victim is on a search engine page, the extension gathers the search query and results. The link hijacking is implemented by registering an onclick listener over the whole document. The XHR request sent on each click contains one GET parameter, a, which holds concatenated information about the click and is encrypted using the custom strsstr function. This information includes the current location, the target URL, various identifiers, and more.
Upon receiving such a response, the malware first makes sure that it starts with a certain randomly generated string and ends with the same string reversed. This string, ayiudvh3jk6l in the example above, was generated by the extension and was also included in the a parameter sent in the XHR request.
The extension then takes the middle portion of the response and decrypts it using the strrevsstr function, which is the inverse of strsstr. This yields the following string: Once again, the malware checks the beginning and the end of the decrypted string for the same randomly generated string as before and extracts the middle portion of it.
If it begins with the substring http, the malware proceeds to perform the link hijack. It does this by temporarily changing the href attribute of the element that the user clicked on and executing the click method on it to simulate a mouse click.
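The response handling just described (outer nonce frame, decrypt, inner nonce frame, then the http prefix test) is worth having as a standalone routine when examining captured traffic. The following is an added example, not code from the CacheFlow sample or from the write-up: an analyst-side decoder for that doubly framed response. The custom strsstr/strrevsstr routines are not reproduced on the page, so the decrypt step is a caller-supplied function and the demo passes the identity function; the nonce value is the one quoted above, and the sample response is constructed.

```javascript
// Added example, not code from the CacheFlow sample or from the write-up:
// an analyst-side decoder for the doubly framed hijack response described
// above. strsstr/strrevsstr are not on the page, so decrypt is supplied by
// the caller; the demo uses the identity function.

// Reverse a string (the framing uses the nonce forwards at the front and
// backwards at the end).
function reverseString(s) {
  return s.split('').reverse().join('');
}

// Strip one framing layer. The payload must begin with `nonce` and end with
// the reversed nonce; the middle portion is returned, or null when the frame
// does not match (wrong nonce, truncated payload, or a non-string response).
function unwrapFrame(payload, nonce) {
  if (typeof payload !== 'string' || typeof nonce !== 'string' || nonce.length === 0) {
    return null;
  }
  if (payload.length < 2 * nonce.length) {
    return null;
  }
  if (!payload.startsWith(nonce) || !payload.endsWith(reverseString(nonce))) {
    return null;
  }
  return payload.slice(nonce.length, payload.length - nonce.length);
}

// Run the sequence from the write-up: outer frame check, decrypt, inner frame
// check, then the "http" prefix test that gates the hijack.
function decodeHijackResponse(response, nonce, decrypt) {
  const outer = unwrapFrame(response, nonce);
  if (outer === null) {
    return { ok: false, reason: 'outer frame mismatch' };
  }
  const inner = unwrapFrame(decrypt(outer), nonce);
  if (inner === null) {
    return { ok: false, reason: 'inner frame mismatch' };
  }
  if (!inner.startsWith('http')) {
    return { ok: false, reason: 'payload is not a URL', value: inner };
  }
  return { ok: true, url: inner };
}

// Wrap a value in one framing layer; used here only to build constructed
// samples for the decoder.
function frame(value, nonce) {
  return nonce + value + reverseString(nonce);
}

const identity = (s) => s;
const NONCE = 'ayiudvh3jk6l'; // the nonce quoted in the write-up

// Constructed sample: a URL wrapped twice, as a captured response would look
// once the analyst has taken the nonce from the request's a parameter.
const SAMPLE_RESPONSE = frame(frame('http://redirect.example.invalid/landing', NONCE), NONCE);

console.log(decodeHijackResponse(SAMPLE_RESPONSE, NONCE, identity));
console.log(decodeHijackResponse(SAMPLE_RESPONSE, 'wrongnonce', identity));
```

Because the nonce travels in the request and is echoed twice in the response, pairing each captured request with its response gives the decoder everything it needs; a response that fails either frame check was not produced for that request and can be set aside.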
As a fallback mechanism, the malware simply sets window. The second functionality is performed only if the victim is currently on a Google, Bing, or Yahoo search page. If they are, the malware first gathers the search query string and the results. The way this is performed varies based on the search engine. For Google, the search query string is found as the value of the first element named q.
If that somehow fails, the malware alternatively tries to get the search query from the q GET parameter. The search results on Google are obtained by searching for elements with the class name rc and then iterating over their child a elements.
Once gathered, the search query and results are sent in an XHR request to servscrpt[. A salted MD5 checksum of the results is included in the request as well, we believe in an attempt to discover fake requests, but this check can obviously be trivially bypassed by recomputing the MD5 checksum.
The XHR response contains a list of domains whose links the malware should hijack. The hijack itself is performed by registering an onmousedown listener on the a element. Once fired, the listener calls the preventDefault function on the event and then window. Interestingly, CacheFlow also modifies some of the hijacked search results by adding a clickable logo to them. We believe this is done in order to make those results stand out and thus increase the chances of the victim clicking on them.
However, the position of the logo is not aligned well, which makes the search result look odd and suspicious, since Google, Microsoft, or Yahoo would probably put a bit more effort into formatting it.
The logo is added by creating a brand new div element which holds an img element. Once created and formatted, this element is inserted into the DOM, so that it appears to the left of the original search result.
The logo is obtained from the serviceimg[.