Visiting the Evernote plugin page, Chrome does not recognize that it is third-party malware and believes that it is the officially installed extension.
Malware is hiding inside a Chrome extension that poses as the popular note-taking app Evernote, passing itself off as a genuine, user-installed add-on. Unfortunately for the victims, it is far from a legitimate extension. Security firm Malwarebytes reports that the extension is actually malware, delivered by an executable titled evernote.exe that the victim would have had to have accidentally opened. Once executed, the malware installs a fake Evernote extension into Chrome, which then begins serving the victim ads on every webpage they visit.
It isn't just a matter of one extension being made to look like another: Chrome actually believes that the plug-in is the legitimate Evernote extension. Clicking "visit website" takes the user to the official Evernote webpage. There, the site does not ask the user to install the app; it too believes the app is already installed, and instead offers the option to launch it.
At the outset, the way the ads are positioned makes it seem as if they come from the websites themselves, which makes it harder for the victim to realise they have been infected with adware. This sort of malware also shows that users shouldn't trust files solely because they are digitally signed; a signature doesn't make them any more legitimate than any other executable:
"A quick look shows the PUP is digitally signed by “Open Source Developer, Sergei Ivanovich Drozdov”, although the certificate has since been revoked by the issuer. This serves as another reminder that you can’t always trust a program just because it’s digitally signed" - Joshua Cannell, security researcher at Malwarebytes
The Chrome extensions window shows that the malware looks and acts (at least on the base level) like any normal extension.
Fortunately, as Malwarebytes reports, the removal of the extension isn't a complicated matter-- it is born like an extension, and it dies like one. All a user would have to do to remove it is to visit the Chrome extensions page (type about:extensions in the omnibar) and click on the garbage can icon next to the Evernote extension. The user would then have to confirm the removal, and once confirmed, Chrome would do the rest.
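The extensions page only shows what Chrome believes about an extension, so a useful defender-side check alongside the removal step above is to inventory the installed extensions straight from the profile's Extensions directory and flag any that do not declare a Chrome Web Store update URL or that run on every site (the combination an ad-injecting extension needs). This is an added example, not code from the article or from Malwarebytes; the profile layout, the extension IDs and the "Evernote Web" sample manifest are constructed.

```python
import json
import tempfile
from pathlib import Path

# Extensions installed from the Web Store declare this updater; sideloaded or
# unpacked ones (such as one dropped by a local executable) usually do not.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def inventory_extensions(extensions_dir):
    """Parse every manifest.json under <profile>/Extensions/<id>/<version>/ and
    return one record per extension with the findings a reviewer cares about."""
    records = []
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        with open(manifest_path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        ext_id = manifest_path.parent.parent.name
        perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        content_hosts = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
        findings = []
        if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
            findings.append("not-webstore-update-url")  # sideloaded / unpacked / custom updater
        if BROAD_HOSTS & set(perms + content_hosts):
            findings.append("runs-on-all-sites")  # what an extension needs to inject ads everywhere
        records.append({"id": ext_id, "name": manifest.get("name"),
                        "version": manifest.get("version"), "findings": findings})
    return sorted(records, key=lambda r: r["name"] or "")


def build_sample_profile():
    """Constructed test data (not a real profile): a look-alike 'Evernote' extension
    with no Web Store update URL and a content script on every page, beside a
    benign store-installed extension. Extension IDs are placeholders."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    fake = {"name": "Evernote Web", "version": "1.0", "manifest_version": 2,
            "permissions": ["tabs"],
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}
    benign = {"name": "Example Store Extension", "version": "2.3", "manifest_version": 2,
              "update_url": WEBSTORE_UPDATE_URL, "permissions": ["storage"]}
    for ext_id, manifest in (("abcdefghijklmnopabcdefghijklmnop", fake),
                             ("ponmlkjihgfedcbaponmlkjihgfedcba", benign)):
        ext_dir = root / ext_id / manifest["version"]
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    for rec in inventory_extensions(build_sample_profile()):
        print(rec["id"], rec["name"], rec["version"], rec["findings"] or "ok")
```

On a real machine, point inventory_extensions at the profile's Extensions directory (for example Default/Extensions under the Chrome user data directory) instead of the constructed sample.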
Source: Malwarebytes via The Inquirer | Images via Malwarebytes