Some ethereum mining malicious extension?

leocg

leocg Moderator Volunteer @Iorweth last edited by leocg

@iorweth See https://forums.opera.com/topic/43601/instructions-on-posting-about-problems-in-opera-for-windows/1

And that log4.js had been in the news recently.

blackbird71

blackbird71 @Iorweth last edited by blackbird71

@iorweth Some of the latest "in the wild" exploits of the recently-discovered log4j2 Java security vulnerabilities use them for hidden crypto-currency mining on behalf of the hackers. It appears that a computer with which that extension or its host communicates is being attacked or has been hacked by such an exploit. Normally this isn't a browser issue per se since most web browsers themselves contain no Java code. However, if the browser's host system or a server with which it communicates contains Java code, then it's possible for a hacker to try to activate the log4j2 vulnerability within that Java. Once a hacker has exploited the log4j2 vulnerability, they can essentially take over the computer/server and cause it to do whatever they wish.

See the posts at: https://forums.opera.com/post/270129

1. Do you have Java on your system?
2. What extensions are on your system (particularly one that might be associated with that extension label)?
3. Was there a particular website that triggered the message (if so, which)?

Iorweth

Iorweth last edited by

@blackbird71
Wow, that "log4j2 " exploit looks terryfing O.o

1. Yes I do. I think some applications I run still require java. I will try to uninstall it for the time beeing.
2. I don't know I have those active as on pic. I didn't install any new once recently. For the time beeing I will disable them all as @leocg recommends .
3. https://dhl24.com.pl
   (I need to send some items, was checking the service out for the 1st time)

Thanks for the answer!

blackbird71

blackbird71 @Iorweth last edited by blackbird71

@iorweth In looking closer at your original error message, the "Log4js" reference actually points to the logging framework for JavaScript. The callout of the enegjkbbakeegngfapepobipndnebkdk extension points to an Opera internal extension (known as Rich Hints Agent). Given that you had a Java installation on your system, an attempted callout to Java's "Log4j2" (aka "Log4jshell") library module may also have been involved. Given that the DHL website is a shipping site, it would not normally be expected to be high-risk for hosting a crypto-miner.

A general explanation may be that either something associated with the Rich Hints internal extension (or a reference website it may have accessed in its normal operation) or that had been hacked into the DHL website you were visiting was using JavaScript coding that contained a code snippet which attempted to enable an ethereum crypto-currency hacking/hijacking routine. Either that attempt involved some kind of JavaScript exploit itself (they do exist) or was a failed attempt to invoke the Log4j2 vulnerability in your system's Java installation which misfired and routed instead to the similarly-named Log4js JavaScript logging module.

All that said, for safety's sake, either you should continue with Java removed from your system or else update its Log4j2 module with the latest patched version (at present, log4j2.17... the 2.15 and 2.16 versions were earlier attempts to patch the vulnerability but have been found to contain holes in that protection). Right now, given that the vulnerability seems to still be evolving, discretion probably suggests keeping Java removed until it's been proven that the Log4j2.17 patch is truly effective. There are some other technical methods to try to screen a Java installation from being exploited in this way, but they may be beyond the average user's technical skills to implement. Any web-facing system containing Java remains at risk, whether a website, server, or an individual computer... the vulnerability allows an attacker to fully exploit and control all aspects of an infected system by executing a Java command, either directly or embedded into something else.

Other than that, it's also possible that your TamperMonkey extension had some passive role in this, given that it exists to implement user JavaScript modules, and possibly one of the user JavaScripts was somehow entangled in the whole business as well. Without a lot more hands-on analysis on your system and the website itself, it's rather conjectural as to what actually went down.

In case you want to get into the technical nuts and bolts of how a sample crypto-mining Java Log4j2shell attack works, there's a detailed writeup at SANS: https://isc.sans.edu/forums/diary/Example+of+how+attackers+are+trying+to+push+crypto+miners+via+Log4Shell/28172/

peteee

peteee @Iorweth last edited by

@iorweth Nothing to do with Log4j, its added in by Opera themselves; for me the extension first installed around the same time as this article (https://blogs.opera.com/tips-and-tricks/2021/04/say-hello-to-web3-as-opera-adds-native-support-to-unstoppable-domains/) and it's manifest says Opera Software AS as author.

I just came across this today myself, and upon deleting its folders out of suspicion, on restart Opera announced an extension was corrupt, and immediately redownloaded it. I have no extensions installed otherwise, and this one is invisible too.

At first glance it seems to be connected to the Wallet feature, but I have that turned off. But it looks benign otherwise...I wish there was a way to get more info about these little add-ins.

burnout426

burnout426 Volunteer last edited by

You can goto the URL chrome-extension://enegjkbbakeegngfapepobipndnebkdk/web3_insights_page.js to see the source of the Javascript file from Opera's built-in component Rich Hints extension. You'll see there's not much code there. But, what's there has to do with Ethereum.

peteee

peteee @burnout426 last edited by peteee

@burnout426 Thank, you can also see the rest of the files in the extensions folder in %user%/appdata/remote/(etc...) which has a list of websites and something to do with earning 'rewards'.

What I had meant was I wish Opera displayed these hidden extensions in the extensions list. Or state publicly what they are/do. I've never installed an extension, and the list only shows the disabled Opera ad blocker. Yet the extensions folder shows 3 recently updated, and claim to be official. And a script name like 'web3_insights' makes me think they are scraping and selling my browsing data.

The OP is a serious security concern that doesn't have an official response. Even appearing benign, the script has no explanation. Its nice to have a helpful community, but so far there are just guesses, when the actual answer needs to come from the people who wrote the code.

burnout426

burnout426 Volunteer @peteee last edited by burnout426

@peteee said in Some ethereum mining malicious extension?:

I wish Opera displayed these hidden extensions in the extensions list.

You can make that happen by launching Opera with the --show-component-extension-options command-line switch. It's how you do it in other Chromium-based browsers too.

That just basically shows them though. You can't disable them (doing so would break things in most cases anyway) or see much of an explanation of what they do besides their names.

peteee

peteee @burnout426 last edited by peteee

@burnout426 Thank you, I'll try that, although not being able to disable raises the question if a malicious extension can install itself with this restriction, or only official ones.

And pardon the (apparently, on second read) panicky tone of my post. Its just all just a little frustrating. I appreciate your help

burnout426

burnout426 Volunteer @peteee last edited by

@peteee No. Opera protects itself. You're all good.