Harrison Grant

LNKR Malware

Background

Since beginning data collection in July, this research project has been interested in the types of undesired third-party code that attempt to interact with the Duke-modeled synthetic profiles. One type of undesired third-party code is delivered through browser add-ons and plug-ins. These add-ons and plug-ins are commonly referred to as browser extensions, and internet users download extensions to personalize and improve browsing experiences. Still, this research project has found that browser extensions are a key delivery mechanism for undesired third-party code. To date, the synthetic profiles have recorded over 3,000 attempts by browser extensions to deliver undesired third-party code onto users’ browsers, where almost 1,800 of those attempts came from October and January alone. Sometimes, the undesired code in these extensions causes different ads to render on certain webpages. In other instances, the code exfiltrates data from the user’s browser that can be used for microtargeting. LNKR, the subject of this article, has all of these malicious capabilities and more.

What it is

LNKR is a type of malware that hides in Chrome browser extensions. These malicious extensions can perform a number of actions by injecting Javascript code onto the webpages that users visit. Those actions include targeting and tracking web users to show specific content, steal information about user browsing habits, monetize user activity with ad fraud campaigns, and redirect users to other malicious content. LNKR can also inject malicious code into webpages where the infected user has write-access. In doing so, LNKR can load other forms of malware onto that webpage and attack other internet users from that domain. User in most situations do not know that the installed extensions are malicious, or that they are altering the browsing experience. This makes LNKR particularly dangerous.

How it works

Because LNKR hides inside a browser plug-in, it can detect user behavior by looking at their web search behavior. The code of the malware is designed to tailor actions based on which webpages the user is visiting. In this way, LNKR campaigns are able to deliver effective attacks across multiple domains. The process occurs in 3 stages: Initiation, Tailoring, and Delivery.

The initiation phase begins once a user installs a malicious browser extension and visits a webpage. On that webpage, LNKR injects a script tag. Script tags are used to embed external lines of code onto webpages. In LNKR’s case, these lines of code contain the malware’s payload. At the same time, LNKR sends a tracking GIF to the command-and-control server (C2), which will allow the server to be notified with progress updates from the malware’s attack, such as when LNKR encounters unattackable hostnames or begins executing its payload (both described below). In sum, the initiation phase’s purpose is to insert the malware into the browser, and then begin executing the payload and establish a communication channel to track progress.

In the tailoring phase, the malware collects information about the nature of the webpage that it is manipulating. This information is communicated through the tracking GIF back to the C2 server using a format called a ‘rid’ value. The reason why this information is important is because LNKR can only work in certain environments. Depending upon the result of this environmental scan, the malware takes one of two tracks: abort its mission, or deliver its payload. If the ‘rid’ value returned to the C2 server is URL_BLACKLISTED, URL_STATICFILE, or URL_IGNOREDOMAIN, that means that LNKR cannot attack the webpage that the user is visiting. If the user is on such a webpage, the malware will take the first track and abort its mission.

If the webpage is attackable, LNKR will take the second track. This includes categorizing the webpage by hostname. The hostname is the section of the webpage’s URL that specifies how the webpage is being housed. For example, the hostname of a sample URL like host1.examplesite.com is ‘host1.’ For each hostname, the malware has a certain kind of attack. LNKR uses individual JavaScript Object Notation (JSON) [1]  objects embedded in its code that will only execute when a particular hostname is recognized. Think of the JSON objects as the malware’s payload. Once LNKR recognizes a hostname, the attack moves from tailoring to delivery by delivering a JSON object.

LNKR delivers its payload by injecting the viewed webpage with a particular JSON object. For example, if the hostname of the domain is ok.ru, which is a Russian social media site, LNKR will unembed a specific JSON object from the original script tag through a process called parsing. The JSON object that is designed for the ok.ru hostname injects a custom ad, script, or tag onto the webpage. However, if the user is on an Amazon or search engine domain, like Google, the JSON object that LNKR parses is not designed to load a custom ad. Instead, the JSON object exfiltrates the search parameters from Google searches and the search results from Amazon. It sends this information back to C2 using another tracking GIF. 

LNKR also has JSON objects designed for Facebook. If a user is visiting a Facebook webpage, the malware will load a custom ad or script, but it will also load a page called fun8times. This page is loaded in the background, not visible to the user, where the malware clicks the like button. This serves two purposes – to track the number of Facebook users that have been infected with LNKR, and to falsely inflate the number of likes that the fun8times page receives. The designers of LNKR can make money based on the likes that the fun8times page receives.

Besides custom ad rendering and impression stuffing, LKNR also can redirect to other malicious content. This occurs if the user is visiting a webpage where the domain contains youradexchange.com. LNKR will parse a JSON object that redirects the user to a different page. The same goes for any domain that contains some iteration of booking.com – the malware will redirect to another URL if the user is visiting such a domain. These redirects can expose users to other kinds of malicious content and create more risk.

In the event that the user is not being hosted by any of the above domains, LNKR has a mechanism to identify the user and inject its malicious code. The process includes a series of communications between the malware and the C2 server where a userID is determined. Once the C2 server has determined the userID, the appropriate JSON object is parsed and delivers the payload to whichever webpage the user is visiting. The payload is another custom ad, script, or tag.

Risks and Implications

The LNKR malware uses different channels to create multiple risks for internet users. Because LNKR hides in malicious browser extensions, it is easy for lots of individuals to become infected. Browser extensions have become quite popular recently and users do not always verify the quality of the extensions that they install and use. Therefore, even if users begin detecting malicious activity during their browser experiences, they may not consider their extensions as a culprit.

In addition to ease of access, LNKR can infect webpages for which the user has write-access. Then, the malware can stage more attacks from that webpage, infecting more users’ browsers when those users visit the infected site. This self-propagation causes LNKR to spread quickly.

With these features, LNKR is an easily concealed and highly infectious strain of malware. Once installed on a browser, LNKR’s primary objectives include monetization and data exfiltration. LNKR is a powerful tool for impression stuffing, which allows threat actors to illegally monetize user ad viewership. Using the malware, threat actors can overlay custom ads on webpages on top of the legitimate ad content on the page. From there, the malware can trigger lots of clicks for that ad, creating revenue. This is what happens in the Facebook case. For popular search engines, LNKR steals information from web searches through Amazon, Google, or other browsers. Combined with other personal data, this information could be used for user profiling to fuel phishing attacks, microtargeting, or device fingerprinting.


[1]  JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. www.JSON.org