A Chrome browser extension named ‘SearchBlox’, installed by more than 200,000 users, has been discovered to contain a backdoor that can steal your Roblox credentials as well as your assets on Rolimons, a Roblox trading platform.
BleepingComputer has analyzed the extension's code, which confirms the presence of a backdoor, introduced either intentionally by its developer or after a compromise.
Chrome extension targets Roblox players
The ‘SearchBlox’ extensions found on the Chrome Web Store appear to be compromised, BleepingComputer has observed.
There are two search results for ‘SearchBlox’ on the Chrome Web Store. These extensions claim to let you “search Roblox servers for a desired player… blazingly fast”, but both contain the backdoor.
The IDs of these unsafe extensions are:
blddohgncmehcepnokognejaaahehncd
ccjalhebkdogpobnbdhfpincfeohonni
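For defenders who want to check a machine for the two extension IDs above, the following script is an added example and is not part of the BleepingComputer article or of the extension itself. It assumes the standard Chrome user-data layout (a user data directory, a profile folder such as ‘Default’, then ‘Extensions/<id>/<version>/’) and the default install paths per operating system; enterprise, portable or non-Chrome Chromium installs may keep their profiles elsewhere, in which case pass the directory explicitly.

```python
"""Locate the two reported SearchBlox extension IDs in local Chrome profiles.

Added example, not the article's or the extension's own code. Assumes the
default Chrome profile layout: <user data dir>/<profile>/Extensions/<id>/<version>/
"""
import os
import sys
from pathlib import Path

# Extension IDs reported as backdoored in the article.
KNOWN_BAD_IDS = {
    "blddohgncmehcepnokognejaaahehncd": "SearchBlox (200,000+ users)",
    "ccjalhebkdogpobnbdhfpincfeohonni": "SearchBlox (959 users)",
}


def default_user_data_dirs():
    """Return the usual Chrome user-data locations for the current OS.

    Assumption: standard (non-enterprise, non-portable) install paths.
    """
    home = Path.home()
    if sys.platform.startswith("win"):
        local = os.environ.get("LOCALAPPDATA", str(home / "AppData" / "Local"))
        return [Path(local) / "Google" / "Chrome" / "User Data"]
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome"]
    return [home / ".config" / "google-chrome", home / ".config" / "chromium"]


def find_flagged_extensions(user_data_dir, bad_ids=KNOWN_BAD_IDS):
    """Walk every profile under user_data_dir and return a list of
    (profile name, extension id, [installed versions]) for each bad ID found.

    Returns an empty list when the directory does not exist, so callers can
    probe several candidate locations without special-casing.
    """
    user_data_dir = Path(user_data_dir)
    hits = []
    if not user_data_dir.is_dir():
        return hits
    for profile in sorted(user_data_dir.iterdir()):
        ext_root = profile / "Extensions"
        if not ext_root.is_dir():
            continue
        for ext_id in sorted(bad_ids):
            ext_dir = ext_root / ext_id
            if ext_dir.is_dir():
                versions = sorted(p.name for p in ext_dir.iterdir() if p.is_dir())
                hits.append((profile.name, ext_id, versions))
    return hits


def main():
    found = False
    for base in default_user_data_dirs():
        for profile, ext_id, versions in find_flagged_extensions(base):
            found = True
            print(f"[!] {profile}: {ext_id} ({KNOWN_BAD_IDS[ext_id]}) versions={versions}")
    if not found:
        print("No flagged SearchBlox extension IDs found in default Chrome profiles.")


if __name__ == "__main__":
    main()
```

A hit only tells you the extension directory is present; Chrome keeps the folder for disabled extensions too, so treat a match as a prompt to remove the extension and rotate credentials, as the article advises, rather than as proof the backdoor ran.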
In the early hours of Wednesday, suspicions arose among Roblox community members that SearchBlox contained malware.
“Popular plug-in SearchBlox has been COMPROMISED / BACKDOORED – if you have it, your account may be at risk,” tweeted RTC, an unofficial Roblox news and community account.
“Please change your passwords if you have it – and credentials, so that way your account is secure again.”
We downloaded both Chrome extensions for analysis. In the first extension (blddohgncmehcepnokognejaaahehncd), installed by over 200,000 users, the backdoor is on line 3 of the ‘content.js’ file.
In the second extension (ccjalhebkdogpobnbdhfpincfeohonni), with just 959 downloads, the backdoor resides in the ‘button.js’ file.
The offending URL in either case is:
hxxps://searchblox[.]site/image.png/image.txt
As if the URL structure ‘image.png/image.txt’ itself wasn’t already interesting, the page contains HTML code that pretends to display an image using the ‘<img>’ tag, but instead loads obfuscated JavaScript that is further encoded as HTML character entities (numeric references written with the ‘&’ and ‘#’ symbols).
Decoding it yields further obfuscated code, which appears to exfiltrate Roblox credentials to another domain: releasethen.site.
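The entity-encoding trick is cheap to undo during triage. The script below is an added example, not code from the article or from the malicious page; the sample page it decodes is constructed to mimic the technique (an ‘<img>’ tag followed by a script written entirely as ‘&#NNN;’ entities) and is not the real content of searchblox.site. Only the two domains come from the article. It decodes repeatedly, so a payload that was entity-encoded more than once is still revealed, and it reports any script tags and domains that surface, matched against the article's indicators.

```python
"""Triage a page that hides script inside HTML character entities.

Added example, not the article's code. SAMPLE_PAGE is constructed; the IoC
domains are the ones the article names.
"""
import html
import re

# Domains the article ties to the backdoor.
IOC_DOMAINS = {"searchblox.site", "releasethen.site"}

# Constructed sample: a harmless script tag pointing at the reported domain,
# encoded character by character as numeric entities behind an <img> tag.
PLAIN_SCRIPT = '<script src="https://releasethen.site/x.js"></script>'
SAMPLE_PAGE = (
    '<html><body><img src="image.png">'
    + "".join(f"&#{ord(c)};" for c in PLAIN_SCRIPT)
    + "</body></html>"
)

ENTITY_RE = re.compile(r"&#(?:x[0-9a-fA-F]+|[0-9]+);|&[a-zA-Z]+;")
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
DOMAIN_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def decode_entities(text, max_rounds=5):
    """Unescape entities until the text stops changing (bounded by max_rounds).

    Returns (decoded_text, rounds_applied); a round count above 1 means the
    payload was entity-encoded more than once.
    """
    rounds = 0
    while rounds < max_rounds and ENTITY_RE.search(text):
        new = html.unescape(text)
        if new == text:
            break
        text = new
        rounds += 1
    return text, rounds


def entity_density(text):
    """Fraction of characters that belong to entity sequences.

    A page that is mostly entities is a triage signal by itself, before any
    decoding happens.
    """
    covered = sum(m.end() - m.start() for m in ENTITY_RE.finditer(text))
    return covered / len(text) if text else 0.0


def triage(page):
    """Decode the page and summarise what the entities were hiding."""
    decoded, rounds = decode_entities(page)
    scripts = SCRIPT_RE.findall(decoded)
    domains = {d.lower() for d in DOMAIN_RE.findall(decoded)}
    return {
        "rounds": rounds,
        "entity_density": round(entity_density(page), 2),
        "hidden_scripts": scripts,
        "domains": sorted(domains),
        "ioc_hits": sorted(domains & IOC_DOMAINS),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

Running it on a page fetched from a sandboxed analysis host is the intended use; the decoded script in the real case is itself obfuscated, so this step only gets you to the next layer and to the domains worth blocking.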
Notably, both ‘searchblox.site’ and ‘releasethen.site’ were registered this month and share a common web host, Hostinger.
The code also appears to survey a player’s profile on Rolimons.com, a Roblox trading platform. This detail becomes relevant given today’s account suspensions on the platform, as explained in the following section.
‘SearchBlox’ a repeat offender
Unfortunately, this does not appear to be the first time a malicious ‘SearchBlox’ extension has targeted Roblox users.
In October, Google reportedly took down another ‘SearchBlox’ extension that had been on the Chrome Web Store since at least June 28th, 2022.
Whether the backdoor was injected into the extension after a compromise by a threat actor or introduced intentionally by the developer has yet to be authoritatively determined.
There is some speculation among Roblox community members [1, 2, 3, 4], who have noticed the inventory of user ‘Unstoppablelucent’, purportedly the extension’s developer, multiply overnight, while Rolimons user ‘ccfont’ was terminated today over suspicious inventory trades.
Both the extensions and the offending URLs have a clean VirusTotal reputation at the time of writing, which makes detecting these malicious extensions considerably harder.
Suffice it to say, anyone who has installed ‘SearchBlox’ should remove the extension immediately, clear their cookies and change their passwords for Roblox, Rolimons, and any other websites they may have logged into while the extension was in use.
BleepingComputer notified Google of the malicious extensions prior to publication.