
LNKR is malware that uses browser extensions for Chrome to track browsing activities of users and overlay ads on legitimate sites. Using extensions to add code that executes in a user’s browser is a common and lucrative monetization technique on the internet, where spyware, adware, and other browser-based nuisances have thrived since the early days. 

LNKR spreads via illegitimate browser extensions, which add malicious JavaScript to the web pages a user visits. This code allows LNKR to record browser sessions to identify frequently visited sites and to overlay ads that the threat actors monetize. However, LNKR is a bit more robust than your average malicious browser extension—it also looks for pages the user has write access to and can edit. With this access, it can inject JavaScript directly into the site itself, spreading beyond the limited scope of a browser extension. While we have not observed LNKR uploading any external JavaScript other than its own, the ability to inject JavaScript allows threat actors to upload any kind they want, including Magecart or other malware. 

Seeing the Threat

RiskIQ crawlers don’t install extensions, but the data we collect from our global discovery platform gives us unique insight into the LNKR threat. We can combine known LNKR command and control (C2) domains with our Host Pairs data set to determine whether any inventoried infrastructure was making calls to these C2 domains.

Host pairs are unique relationships between pages that RiskIQ observes when we crawl a web page. Each pair has a direction (parent or child) and a cause that describes how the two hosts are connected. These values provide insight into redirection sequences, dependent requests, or specific actions within a web page when it loads. What makes this data set powerful is the ability to understand relationships between hosts based on details from visiting the actual page.

Sure enough, we identified a trove of sites that had child requests making calls to LNKR C2 servers. After reviewing these sites, we found that the domains, as well as the format of the requests, matched LNKR. We were then able to determine if any of the affected parent websites existed within any of our customers’ digital asset inventory, which proved beneficial to them.
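The pivot described above, expressed as a small script, is an added example and not RiskIQ's own tooling or data. It assumes host-pair records shaped as (parent, child, cause) as the text describes; the record contents, the customer inventory and the C2 domain names are constructed placeholders (the page does not list the real LNKR C2 domains). Matching is done on the host suffix so that subdomains of a known C2 domain are caught as well.

```python
"""Pivot a host-pairs style data set on a list of known C2 domains.

Added illustration, not RiskIQ code. Record shape follows the blog's
description of host pairs; every value below is constructed.
"""
from collections import defaultdict

# Constructed stand-ins for LNKR C2 domains; the real ones are not on the page.
KNOWN_C2_DOMAINS = {"lnkr-c2-placeholder.example", "lnkr-ads-placeholder.example"}

# Constructed host-pair records: (parent host, child host, cause).
# A "script.src" cause means the parent page loaded a script from the child host.
HOST_PAIRS = [
    ("shop.example.org", "cdn.example.net", "script.src"),
    ("shop.example.org", "counter.lnkr-c2-placeholder.example", "script.src"),
    ("blog.example.org", "lnkr-ads-placeholder.example", "script.src"),
    ("blog.example.org", "fonts.example.net", "link.href"),
    ("news.example.org", "analytics.example.net", "script.src"),
]

# Constructed customer asset inventory (hosts the customer owns and monitors).
CUSTOMER_INVENTORY = ["shop.example.org", "news.example.org"]


def matches_c2(child_host, c2_domains=KNOWN_C2_DOMAINS):
    """True if the child host is a known C2 domain or a subdomain of one."""
    host = child_host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in c2_domains)


def affected_parents(host_pairs, c2_domains=KNOWN_C2_DOMAINS):
    """Map each parent host to the set of C2-matching children it called."""
    hits = defaultdict(set)
    for parent, child, _cause in host_pairs:
        if matches_c2(child, c2_domains):
            hits[parent].add(child)
    return dict(hits)


def inventoried_hits(hits, inventory):
    """Restrict the affected parents to hosts present in an asset inventory."""
    owned = {h.lower() for h in inventory}
    return {parent: children for parent, children in hits.items() if parent.lower() in owned}


if __name__ == "__main__":
    all_hits = affected_parents(HOST_PAIRS)
    for parent, children in sorted(all_hits.items()):
        print(f"{parent} -> {', '.join(sorted(children))}")
    print("inventoried:", sorted(inventoried_hits(all_hits, CUSTOMER_INVENTORY)))
```

Running the script lists every parent that called a C2-matching child and then narrows that list to the hosts in the inventory, which is the step that turns a global observation into a customer-specific finding.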

Preventing the Threat

RiskIQ monitors our customers’ web applications, JavaScript, and third-party JavaScript daily for added or changed resources, including code hosted by third parties. If a website editor with an installed LNKR extension edited a page, LNKR would likely add two script tags to the page calling out to LNKR command and control domains. Our JS Threats module would identify these as new JavaScript resources at the time of their first appearance on the site and generate a resource change event. RiskIQ’s ability to maintain a history of resources and track changes in JavaScript on a website allows us to surface these kinds of events and provide an exact timeline of compromise during incident response. 
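The resource change event described above, as an added example that is not RiskIQ's JS Threats module: two constructed snapshots of the same page are parsed for script resources, the difference is computed, and each newly added script is rated by whether it is first-party, third-party, or matches a watched domain. The page URL, the snapshot HTML and the watched domains are all constructed placeholders; the real LNKR C2 domains are not named on the page.

```python
"""Detect newly added <script> resources between two snapshots of a page.

Added example, not RiskIQ code. Snapshots, hostnames and the watch list are
constructed; the C2 placeholders stand in for domains the page does not name.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE_URL = "https://www.example.org/about"

# Constructed: watched domains (stand-ins for known LNKR C2 domains).
WATCH_DOMAINS = {"lnkr-c2-placeholder.example", "lnkr-ads-placeholder.example"}

# Constructed baseline snapshot of the page.
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body><p>About us</p></body></html>"""

# Constructed later snapshot: same page with two script tags added by an editor's
# infected browser session. One uses a protocol-relative URL, as seen in the wild.
CURRENT_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="https://counter.lnkr-c2-placeholder.example/x.js"></script>
<script src="//lnkr-ads-placeholder.example/y.js"></script>
</head><body><p>About us</p></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect the src of every <script> tag, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.scripts = set()

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                # urljoin resolves relative and protocol-relative references.
                self.scripts.add(urljoin(self.page_url, value.strip()))


def script_resources(html, page_url):
    """Return the set of absolute script URLs referenced by the page."""
    collector = ScriptCollector(page_url)
    collector.feed(html)
    return collector.scripts


def _host_matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def resource_change_events(old_html, new_html, page_url, watch_domains=()):
    """Diff script resources between two snapshots and emit change events.

    Severity: 'alert' for a watched domain, 'review' for any other third-party
    host, 'info' for first-party additions and for removals.
    """
    old = script_resources(old_html, page_url)
    new = script_resources(new_html, page_url)
    page_host = (urlsplit(page_url).hostname or "").lower()
    events = []
    for url in sorted(new - old):
        host = (urlsplit(url).hostname or "").lower()
        if _host_matches(host, watch_domains):
            severity = "alert"
        elif host != page_host:
            severity = "review"
        else:
            severity = "info"
        events.append({"type": "script_added", "url": url, "severity": severity})
    for url in sorted(old - new):
        events.append({"type": "script_removed", "url": url, "severity": "info"})
    return events


if __name__ == "__main__":
    for event in resource_change_events(BASELINE_HTML, CURRENT_HTML, PAGE_URL, WATCH_DOMAINS):
        print(event)
```

Keeping the baseline for each monitored page and re-running the diff on every crawl is what produces the timeline: the first crawl on which a script URL appears in the added set is the earliest bound on when the page was changed.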

Unique Visibility into Your JavaScript

Malicious JavaScript has become a leading attack pattern for breaches in the Retail, Professional Services, Finance, and Manufacturing industries. Security executives need to be confident in their defensive postures outside the firewall, especially regarding their companies’ own and third-party JavaScript in critical assets. 

RiskIQ has the data to identify unique, cutting-edge attacks and the tools to comb through and assess the impact of previously unknown compromises. This ability is a distinct advantage for our customers, and paired with the ability to proactively monitor for changes in our customers’ websites with JS Threats, RiskIQ is a critical piece of defense against external threats. 
