Chinese Browsers: The Perfect Reconnaissance Tool

One of our trusted partners from Poland, Exatel S.A., has discovered that a web browser developed by Maxthon, a company from China, has been collecting sensitive data from its users.  The Maxthon browser has anywhere from .75-1% of the global browser market, and has been estimated to be 2-3% of China’s own domestic browser market.  Total global user count is estimated to be in the hundreds of millions.

You can read their full report here:

English:  https://exatel.pl/advisory/maxthonreporten.pdf

Polish: https://exatel.pl/advisory/maxthonreportpl.pdf

Using the Fidelis Network solution, Exatel found that there was a periodic upload of encrypted content to China from the Maxthon browser.  The uploaded content-type was purported to be “image/pjpeg”, but Fidelis had found that the filename was actually a zip and there was a dat.txt file included.

This is the part that gets fishy. Upon extracting and examining the dat.txt, it was discovered that the file was encrypted.  Why would a browser be trying to obfuscate a payload like that?  Exatel dug deeper by doing some reverse engineering inside of the browser binary and found common encryption routines (AES-128-ECB) being used as well as the passphrase: ‘eu3o4[r04cml4eir’.

Exatel was able to decrypt the dat.txt and found amazing results in the contents, Maxthon was transmitting:

• Endpoint information such as:
  • OS version, screen resolution.
  • CPU type/speed and amount of memory installed.
  • Location of the Maxthon executable.
  • Status of adblock (enabled or not, number of ads blocked).
  • Homepage URL.
• Each and every full URL that the user visited (including the user’s google searches).
• List of installed applications including their version numbers.

Screenshot of dat.txt showing a URL:

Screenshot of dat.txt showing a list of installed applications and their versions:

Upon further investigation, Maxthon does have an opt-in for users to send some basic data back for analysis.  According to their website and forums, the User Experience Improvement Program’s (UEIP) goal is to gather statistics and datapoints using voluntary and anonymous means in order to help with debugging and performance.  Exatel and Fidelis observed that the sensitive data contained in dat.txt was being sent back to Maxthon regardless of the user’s selection to participate in the UEIP.

Essentially, the information that is being transmitted back contains almost everything you would want in conducting a reconnaissance operation to know exactly where to attack.  Knowing the exact operating system and installed applications, and browsing habits it would be trivial to send a perfectly crafted spearphish to the victim or perhaps setup a watering hole attack on one of their most frequented websites.

I think that this discovery raises two very important points:

1. Companies, countries and users need to be aware of the potentially egregious data capture happening through installed applications and leaving their respective organizations (and endpoints). Organizations such as Citizenlab have also published similar discoveries but there is still relatively low awareness of these practices.

2. “Trust, but verify”: Often we’re installing software onto our endpoints at home and at work, but we’re not verifying that the code is doing what it is purported to do. Visibility into both the network and endpoints has become critical for organizations.

Exatel’s discovery is a great example of verifying and validating traffic.  We look forward to the opportunity to highlight more discoveries from our customers and partners.

Note to Users of Fidelis Network: Users will see alerts under the ‘TRT Attributed Intelligence’ rule for Maxthon browser exfiltration.

-Fidelis Cybersecurity CSO Justin Harvey