Behind an entire catalogue of malicious Chrome extensions? Allegedly, a domain registrar

Security company has accused an Israeli domain registrar for registering thousands of malicious domains powering Chrome malware

Ax Sharma


Originally published at on June 26, 2020.

It is not unusual for malware to use malicious C&C servers and domains. However, what we learn this week is something entirely different, sinister and going at a much larger scale.

In a report published by the Awake Security Threat Research Team this week, we learn of an internet domain registrar which has enabled domain registrations, of which almost 60% are for malicious domains!

The Israeli company, CommuniGal Communication Ltd. aka GalComm continues to run its operations today.

“Of the 26,079 reachable domains registered through GalComm, 15,160 domains, or almost 60%, are malicious or suspicious: hosting a variety of traditional malware and browser-based surveillance tools.”

Awake Security has stated that some evasion techniques were at play that let the malicious domains slip past most security controls and detection tools.

“Through a variety of evasion techniques, these domains have avoided being labeled as malicious by most security solutions and have thus allowed this campaign to go unnoticed.”

The malicious domains that are used by at least 111 Chrome extensions identified by Awake Security were all hosted by the same registrar. These harmful extensions had the capability to screenshot a victim’s machine, access clipboard, copy credentials (tokens, cookies, passwords), act as a keylogger and transmit this data to the attackers.

“In the past three months alone, we have harvested 111 malicious or fake Chrome extensions using GalComm domains for attacker command and control infrastructure and/or as loader pages for the extensions. These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc”