Backdoored Browser Extensions Hid Malicious Traffic in Analytics Requests

released on 2021-02-11 @ 05:49:45 PM
This blog post provides more technical details on CacheFlow, a threat that Avast first reported on in December 2020. Avast described a huge campaign composed of dozens of malicious Chrome and Edge browser extensions with more than three million installations in total. Avast alerted both Google and Microsoft to the presence of these malicious extensions in their respective extension stores and is happy to announce that both companies have taken all of them down as of December 18, 2020. CacheFlow was particularly notable for the way the malicious extensions tried to hide their command and control traffic in a covert channel using the Cache-Control HTTP header of their analytics requests. Avast believes this is a new technique. In addition, it appears that the Google Analytics-style traffic was added not just to hide the malicious commands: the extension authors were also interested in the analytics requests themselves.