Open alesim21 opened 3 years ago
I had a huge security breach a few weeks ago. I wonder if this extension was involved somehow. I don't know all the details but somehow a copy of Teamviewer was loaded into my %temp% directory and launched from there. The malicious party had access to my system for about 1 hr before I returned to see what was going on and put a stop to it. As far as I can tell, none of the things they did during that hour were "smart" things that could have seriously compromised my security (network, certificates, installing any (additional) malware, etc.) instead, they spent the whole time copying and pasting passwords and credit cards from my Lastpass session (which I stupidly left logged in) onto retail sites to try to purchase google play gift cards and such.
I've managed to mitigate all the damage that was done (changed all my compromised passwords (they left all the lastpass tabs open so I could see which ones were accessed), got all my credit cards reissued, etc.), and most of my super important accounts were protected by 2FA anyway, but despite all the digging around I did in my system before finally wiping it, I could never figure out how exactly they compromised my system in the first place to load Teamviewer onto it.
One interesting thing to note is that one of the first things they did was remove 3 chrome extensions: Nimbus Screenshot, uBlock Origin, and The Great Suspender . . .
Originally I didn't suspect TGS, but after the news just came out about Google actively removing it for containing malware (This article even suggests "The Great Suspender added an exploit that could be used to run almost any kind of code on your computer without your knowledge"), I immediately became suspicious.
EDIT: So I came back here to write this comment after seeing that TGS was removed from my browser again, which freaked me out for a bit cuz that was one of the things that happened when I was last compromised as I explained above, until I saw the news that TGS was being removed from everyone's browsers by Google.
Interestingly enough, I just rebooted my computer, and when I launched Chrome, TGS was back. Not sure if this is just google's sync being weird or what, but I just manually removed it, and I'm about to reboot again to see if it's gone for good now . . .
EDIT 2: I've rebooted and it appears TGS is gone . . .
EDIT 3: I highly suggest anyone who's had TGS search their %temp% for a Teamviewer directory. I also had two executables in %temp% directly that appeared to be Teamviewer installers. They had the TV icon but the two executables were named short, seemingly random strings of characters.
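A defender-side way to do the %temp% check suggested above, as an added example that is not part of the thread: it lists any TeamViewer-named directory in the temp folder and any executable directly in it whose version metadata or Authenticode signer names TeamViewer, or whose name is a short random-looking string, and records hashes so the files can be reported before the machine is wiped. It assumes Windows PowerShell 5.1 or later and read access to `$env:TEMP`.

```powershell
# Added example, not from the original issue: triage %TEMP% for the indicators
# described in the post (a TeamViewer directory, and short random-named .exe
# files that are really TeamViewer installers). Read-only; nothing is deleted.
param([string]$Path = $env:TEMP)   # assumption: temp folder of the current user

$findings = @()

# 1. Directories under %TEMP% whose name contains "TeamViewer" (-match is
#    case-insensitive by default in PowerShell).
Get-ChildItem -Path $Path -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'teamviewer' } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Type = 'Directory'; Path = $_.FullName; Detail = "modified=$($_.LastWriteTime)"
        }
    }

# 2. Executables directly in %TEMP% (not recursive, as in the post). Flag a
#    file when its version info or code-signing certificate names TeamViewer,
#    or when its base name is a short run of letters/digits with no extension
#    hint of what it is (the "random string" pattern the post describes).
Get-ChildItem -Path $Path -File -Filter *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi     = $_.VersionInfo
        $meta   = "$($vi.CompanyName) $($vi.ProductName) $($vi.FileDescription)".Trim()
        $signer = (Get-AuthenticodeSignature -FilePath $_.FullName).SignerCertificate.Subject
        $metaHit = ($meta -match 'teamviewer') -or ($signer -match 'teamviewer')
        $nameHit = $_.BaseName -match '^[a-z0-9]{4,10}$'
        if ($metaHit -or $nameHit) {
            $sha = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{
                Type   = if ($metaHit) { 'TeamViewer binary' } else { 'Random-named exe' }
                Path   = $_.FullName
                Detail = "sha256=$sha created=$($_.CreationTime) meta='$meta' signer='$signer'"
            }
        }
    }

if ($findings.Count -eq 0) { "No TeamViewer indicators found under $Path" }
else { $findings | Format-Table -AutoSize -Wrap }
```

A hit on the name pattern alone is only a lead, not proof; the version info, signer and hash columns are what distinguish a renamed TeamViewer installer from a harmless temp file.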
That's really worrying. We're sure that this extension is malicious but I'm not sure if it could go THAT far. I think you should investigate this further if you could though since a few weeks have passed since the incident.
This will not be possible without someone having a chrome 0day to be able to do full rce and download an application and escalate and run it. They could have tampered with an exe you downloaded and added the malicious TeamViewer to it though.
The only reason I even began to suspect a connection was because of that article I linked to and some other sources stating that it could run "almost any kind of code". The thing is, if I remember correctly, I didn't download any executables near the time they gained Teamviewer access, although I did download some games from steam. However, towards the end of my investigation, I began to suspect that the initial breach happened a few days earlier, as I found some logs in event viewer that showed some unusual changes to my firewall as well as windows security history being wiped. I'm going to go take a look at my downloads directory now to see if I had downloaded anything in that extended time frame.
I know this is getting a little off topic but if anyone is curious and wants to know more about what happened, I do have a much more detailed timeline of events, as well as backups of the executables, logs from Teamviewer, and some other things I can provide. I definitely wouldn't mind an extra set of eyes, as I'm still a bit uneasy not knowing exactly what happened.
Sorry, did you say 0day? https://www.androidpolice.com/2021/02/05/google-patched-a-major-zero-day-vulnerability-in-chrome-update-now/?fbclid=IwAR2GUg0qgcwnQXWEZ4u0eW_yvyzBGSSKYwMyceUGdLyaciGEZJ-xT-7lXQw
I just got the message from chrome that the extension contains malware, can you tell me if it is actually not safe?