Two weeks ago I published an article on 63 malicious Chrome extensions. In most cases I could only identify the extensions as malicious. With large parts of their logic being downloaded from some web servers, it wasn’t possible to analyze their functionality in detail. However, for the Download Manager Integration Checklist extension I have all parts of the puzzle now. This article is a technical discussion of its functionality that somebody tried very hard to hide. I was also able to identify a number of related extensions that were missing from my previous article.

Contents

The problematic extensions
“Remote configuration” functionality
The code being executed
The “session” handling
Who is behind these extensions?

The problematic extensions

Since my previous article I found a bunch more extensions with malicious functionality that is almost identical to Download Manager Integration Checklist. The extension Auto Resolution Quality for YouTube™ does not seem to be malicious (yet?) but shares many remarkable oddities with the other extensions.

| Name | Weekly active users | Extension ID | Featured |
|---|---|---|---|
| Freemybrowser | 10,000 | bibmocmlcdhadgblaekimealfcnafgfn | ✓ |
| AutoHD for Twitch™ | 195 | didbenpmfaidkhohcliedfmgbepkakam | |
| Free simple Adult Blocker with[...]