languagetool is used by malware to exfiltrate credit cards #11091
Comments
Thanks so much for reporting this. We (LanguageTool) are investigating this now. I'll keep you posted.
Investigation is ongoing. However, the title is a bit misleading: LanguageTool only sends texts from multi-line text fields to servers. Password fields and credit card fields are intentionally not handled by the LanguageTool browser extension.
That is interesting. I investigated this after a credit card number was stolen, so I then started investigating how it happened. It might be that some other fields are also sent? Or that a particular website was using a multi-line text field? But I would doubt that malware writers would limit themselves only to such cases? So it might be that more than just multi-line text is sent?
Might be that someone put their credit card number in a multi-line text field. We definitely don't send the value of single-line input fields to our servers (except for some hardcoded cases, e.g. the subject line on Gmail).
I doubt malware would rely on people accidentally copying values? In the Google folder you can see the copy of the extension I made from the computer with malware. Maybe it is somehow patched/modified?
FYI, the provided Canon printer driver
@stefanb Thanks for the link, but I am not sure where I can find that long history? I see only that it was analyzed, but I do not see that much has been found? To me it looks like a non-malicious driver which can be compromised (given that it is signed)? Or is it a malicious program just under this name? It does look strange that it is opening ports and connecting to the Internet.
@mitar "long history" just means that, due to its behaviour, other people have also found it suspicious and worth checking for viruses. It could be that a legit feature (network traffic relaying or high driver privilege) is sometimes abused for malicious purposes.
TLDR: I think it would be useful to write somewhere that if you find this extension installed on your computer and you didn't install it, you probably have malware installed.
Alternatively, this extension could prevent itself from sending credit-card-number-looking data to organization-operated servers.
So I found an extension (added to all browsers, Firefox, Chrome, Edge) that I have not installed: A Grammar Checker & Paraphraser LanguageTool. It seems unchanged.
I wanted to remove it, but I could not. The browser was also configured to be managed by an organization:
And of course it is not. It is a personal device. But malware is making it hard to remove.
So I investigated this further, and this extension has a feature that it can be managed, and that the organization can configure it so that it calls into an organization-operated server and not the cloud server managed by the author of the extension. Seems reasonable: an organization can prevent leaking company data this way.
On my computer this is configured to localhost. It is also configured to do this for all websites.
Who listens there? netstat says a Canon printer driver executable? Strange again. That executable seems legitimate (CNAB4RPD.EXE). I suspect it can be exploited so that it runs something else in memory. Opening the port in the browser loads the error that a URI handler does not exist for /. It seems to be made with the oatpp C++ web framework.
One other sign that your computer is compromised with this malware is that it disables (using managed computer feature) automatic submission to Windows Defender:
So malware compromises a legitimate printer driver to run a port to which the extension sends all website form data (including credit card data entered into any website), which is then sent further to their servers. Pretty smart to hide malware this way.
I think this extension could help here a bit by not sending data from password fields and data which looks like a credit card number.
If anyone wants to explore this further, here is a Google Drive folder with all the files, including the CNAB4RPD.EXE and a memory dump of the running process.
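For anyone triaging a Windows machine for the indicators described in this issue (a browser that is suddenly "managed", an extension that cannot be removed, an extension policy pointing at localhost, Defender sample submission disabled, and a loopback listener owned by an unexpected process), here is an added PowerShell triage script. It is not code from the issue author or from LanguageTool. The registry paths are the documented Chrome, Edge, Firefox and Defender policy locations; the binary name CNAB4RPD.EXE is taken from the issue; the loopback regex and the two-second probe timeout are my own choices. Run it from an elevated prompt.

```powershell
# Added triage script, not code from the issue author or from LanguageTool.
# It checks a Windows host for the indicators described in the issue: browser
# policies that point an extension at localhost, force-installed extensions,
# Defender sample submission switched off by policy, and loopback listeners
# with their owning process. Registry paths are the documented policy
# locations; the binary name CNAB4RPD.EXE comes from the issue; the loopback
# regex and the probe timeout are my own choices. Run from an elevated prompt.

$ErrorActionPreference = 'SilentlyContinue'
$loopback = 'localhost|127\.0\.0\.1|\[::1\]'

$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
    'HKLM:\SOFTWARE\Policies\Mozilla\Firefox',
    'HKCU:\SOFTWARE\Policies\Google\Chrome',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
)

Write-Host '== 1. Browser policies (what produces the "managed by your organization" banner) =='
foreach ($root in $policyRoots) {
    if (-not (Test-Path $root)) { continue }
    $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $val = [string]$key.GetValue($name)
            # A force-install list explains an extension you cannot uninstall.
            if ($key.Name -match 'ExtensionInstallForcelist') {
                Write-Host "  [force-install] $($key.Name) : $val"
            }
            # Any policy value that points a browser component at loopback is
            # suspicious on a personal device; the issue reports the extension's
            # server URL being set this way for all sites.
            if ($val -match $loopback) {
                Write-Host "  [!] loopback URL  $($key.Name) : $name = $val"
            }
        }
    }
}

Write-Host '== 2. Defender sample submission =='
$spynet  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
$consent = (Get-ItemProperty -Path $spynet).SubmitSamplesConsent
if ($null -ne $consent) {
    # 2 = never send; 0 = always prompt, 1 = safe samples, 3 = all samples.
    $note = if ($consent -eq 2) { '  [!] disabled by policy' } else { '' }
    Write-Host "  policy SubmitSamplesConsent = $consent$note"
} else {
    Write-Host '  no SubmitSamplesConsent policy set'
}
Write-Host "  effective value (Get-MpPreference): $((Get-MpPreference).SubmitSamplesConsent)"

Write-Host '== 3. Loopback TCP listeners and owning processes =='
function Probe-LoopbackPort {
    # Issue a GET / like the author did in the browser and report what answers.
    param([int]$Port)
    try {
        $r = Invoke-WebRequest -Uri "http://127.0.0.1:$Port/" -UseBasicParsing -TimeoutSec 2
        return "HTTP $($r.StatusCode)"
    } catch {
        $resp = $_.Exception.Response
        if ($resp) { return "HTTP $([int]$resp.StatusCode)" }
        return $_.Exception.Message
    }
}

Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -in @('127.0.0.1', '::1', '0.0.0.0', '::') } |
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        $port = $_.LocalPort
        $proc = Get-Process -Id $_.OwningProcess
        $exe  = $proc.Path
        # A valid Authenticode signature does not clear the binary: the issue
        # suspects a legitimately signed driver running injected code in memory.
        $sig  = if ($exe) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
        $flag = if ($proc.Name -match 'CNAB4RPD') { '  [!] binary named in the issue' } else { '' }
        Write-Host ("  {0,-6} {1,-18} sig={2,-10} {3}{4}" -f $port, $proc.Name, $sig, $exe, $flag)
        Write-Host ("         probe: {0}" -f (Probe-LoopbackPort -Port $port))
    }
```

The script only reports; deleting the policy keys, uninstalling the forced extension and dealing with the listener are left to the responder. Note that a "Valid" signature on the listening binary is not exoneration, which is exactly the point the issue makes about the printer driver: compare the on-disk image against the running process (the memory dump in the shared folder is the right artifact for that) before trusting it.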