SmashJacker

Often delivered via Charcoal Stork, SmashJacker is not the most evil browser-hijacker, but it is one of the most widespread.

Overall rank: #10

Customers affected: 2.7%
Analysis

SmashJacker is a browser search engine hijacker first documented by ConnectWise in June 2023. Distributed through sites advertising “the download of wallpapers, software, games, and movies,” often via a pay-per-installer that Red Canary tracks as Charcoal Stork, SmashJacker installs a browser extension designed to redirect search engine queries and serve additional advertisements that provide income for adversaries. ConnectWise hypothesized that SmashJacker may be related to ChromeLoader based on their similar distribution schemes, but more evidence is needed to solidify the link. In Red Canary’s own observations, we note that SmashJacker and ChromeLoader are often distributed through similar channels and have similar goals of monetizing content via installer files posing as media content.

Browser troubles

During execution, some versions of SmashJacker persist using AppInit DLLs, while others use Windows scheduled tasks. All of the variants Red Canary observed distributed a browser extension for Microsoft Edge and Google Chrome designed to redirect any search queries for common search engines. When a user submitted a query to Google, Yahoo, or another search engine, the extension rewrote the submitted query URL, routing the search through an adversary-controlled site, such as searchesmia[.]com, that monetizes the search traffic. During the installation process, SmashJacker and similar threats have effectively manipulated Google Chrome’s and Microsoft Edge’s ExtensionInstallAllowlist and ExtensionInstallForcelist policies to install browser extensions with minimal interaction from a victim.

SmashJacker is an opportunistic threat, affecting a variety of organizations due to its wide distribution driven by SEO manipulation. While its behavior is not as severe as that of other malware families, a successful SmashJacker attack can be a symptom of larger IT hygiene issues within an organization, such as overly permissive application allowlisting and a lack of policy-based controls on web browsers.

The best way to mitigate and respond to threats like SmashJacker is to embrace practices that lead to better IT hygiene. You can prevent unauthorized installer execution using application allowlisting technologies such as AppLocker. In addition, Group Policy Objects for Microsoft Edge and Google Chrome allow administrators to allowlist browser extensions by policy, overriding or disabling new extensions a user attempts to install. Complete remediation for threats like SmashJacker should include removing persistence mechanisms, browser extension files, and the registry keys that specifically allow and force the installation of the malicious extension.

Detection opportunities

AppInit DLL Installation

One persistence mechanism used by some variants of SmashJacker was an AppInit DLL. It used a reg.exe command to create the Windows Registry values needed for that persistence.

process == ('reg.exe')
&&
command_includes ('add' && 'AppInit_DLLs')

Web browser loading extension

During execution, SmashJacker forced Google Chrome or Microsoft Edge to open with the command line argument --load-extension so that a browser extension could install without user interaction. This analytic will likely uncover additional adware in an environment and may need tuning to account for acceptable software installations.

process == ('chrome.exe' || 'msedge.exe')
&&
command_includes ('--load-extension')
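As an added example (not Red Canary's detection logic), here are the two analytics above expressed in Python and run over constructed process-creation events. It also adds a third rule, an assumption drawn from the remediation guidance rather than a page analytic, for reg.exe writes to the ExtensionInstallForcelist policy key, and shows the tuning knob (an allowlisted developer directory, also an assumption) that the text says the --load-extension analytic needs.

```python
import re
# Constructed sample process-creation events (not real telemetry); the
# extension ID and update URL in the last event are placeholders.
EVENTS = [
    {"process": "reg.exe", "cmdline": r'reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d C:\Users\Public\upd.dll /f'},
    {"process": "chrome.exe", "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Public\ext\"'},
    {"process": "msedge.exe", "cmdline": r'msedge.exe --load-extension=C:\Dev\my-extension --no-first-run'},
    {"process": "reg.exe", "cmdline": r'reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs'},
    {"process": "reg.exe", "cmdline": r'reg.exe add HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist /v 1 /t REG_SZ /d abcdefghijklmnopabcdefghijklmnop;https://update.example.invalid/crx /f'},
]

# Directories from which developers legitimately load unpacked extensions:
# the tuning knob the text mentions for the --load-extension analytic (assumption).
ALLOWED_EXTENSION_DIRS = ("c:\\dev\\",)

def matches_appinit_persistence(event):
    # process == reg.exe && command_includes('add' && 'AppInit_DLLs')
    if event["process"].lower() != "reg.exe":
        return False
    toks = event["cmdline"].lower().split()
    return "add" in toks and any("appinit_dlls" in t for t in toks)

def matches_load_extension(event):
    # process == (chrome.exe || msedge.exe) && command_includes('--load-extension'),
    # ignoring unpacked extensions loaded from ALLOWED_EXTENSION_DIRS
    if event["process"].lower() not in ("chrome.exe", "msedge.exe"):
        return False
    m = re.search(r'--load-extension=("?)([^"\s]+)', event["cmdline"], re.I)
    return bool(m) and not m.group(2).lower().startswith(ALLOWED_EXTENSION_DIRS)

def matches_forcelist_write(event):
    # Beyond the page's two analytics: reg.exe writing the Chrome/Edge
    # ExtensionInstallForcelist policy key that SmashJacker manipulates.
    if event["process"].lower() != "reg.exe":
        return False
    toks = event["cmdline"].lower().split()
    return "add" in toks and any("extensioninstallforcelist" in t for t in toks)

def triage(events):
    """Return (event index, rule name) for every event that trips a rule."""
    rules = {"appinit_dll_persistence": matches_appinit_persistence,
             "browser_load_extension": matches_load_extension,
             "extension_forcelist_write": matches_forcelist_write}
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in rules.items() if rule(ev)]

if __name__ == "__main__":
    for i, name in triage(EVENTS):
        print(f"event {i}: {name}: {EVENTS[i]['cmdline']}")
```

The reg.exe query and the Edge launch from the allowlisted developer directory are deliberately left unflagged so the output shows what tuning buys you.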

Testing

Start testing your defenses against SmashJacker using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.

Getting started

The following test is mapped to T1176: Browser Extensions, and emulates a threat using the --load-extension command to install a malicious browser extension.

Run this test on a Windows system using an elevated PowerShell prompt:

# Chromium
$chromium = "https://commondatastorage.googleapis.com/chromium-browser-snapshots/Win_x64/1153778/chrome-win.zip"

# uBlock Origin Lite to test side-loading
$extension = "https://github.com/gorhill/uBlock/releases/download/uBOLite_0.1.23.6055/uBOLite_0.1.23.6055.chromium.mv3.zip"

Set-Location "$env:TEMP"

# Suppress the download progress bar, then fetch both archives
Set-Variable ProgressPreference SilentlyContinue
Invoke-WebRequest -URI $chromium -OutFile "$env:TEMP\chrome.zip"
Invoke-WebRequest -URI $extension -OutFile "$env:TEMP\extension.zip"

# Unpack Chromium into $env:TEMP\chrome-win and the extension into $env:TEMP\extension
Expand-Archive chrome.zip -DestinationPath "$env:TEMP" -Force
Expand-Archive extension.zip -Force

# Launch Chromium with the unpacked extension side-loaded via --load-extension
Start-Process .\chrome-win\chrome.exe --load-extension="$env:TEMP\extension\" -PassThru

Review and repeat

Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:

  • Were any of your actions detected?
  • Were any of your actions blocked or prevented?
  • Were your actions visible in logs or other defensive telemetry?

Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.
