Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers via Malicious Updates

Socket’s Threat Research Team found malicious Chrome and Firefox VPN extensions that posed as free privacy tools while secretly stealing clipboard contents through staged updates. The campaign used shared infrastructure, browser-specific proxy features, and hardcoded endpoints to exfiltrate copied secrets from users of VPN Go: Free VPN and Free VPN by VPN GO.

Key points

  • The Chrome Web Store and Mozilla Firefox Add-ons hosted extensions branded as VPN Go: Free VPN / Free VPN by VPN GO.
  • Both extensions included legitimate-looking proxy/VPN functionality but also hidden clipboard-stealing code.
  • The malicious behavior was introduced through staged updates, with earlier versions appearing benign and later versions adding clipboard exfiltration.
  • Chrome versions 1.1 and 1.2 exfiltrated clipboard data to 178.236.252.133, while version 1.3 moved to 77.91.123.187.
  • Firefox version 1.3.3 used 178.236.252.161 for clipboard theft, and version 1.3.4 later moved to 77.91.123.187.
  • The malware continuously read clipboard contents, split them into chunks, tagged them with session IDs, and sent them over HTTP GET requests.
  • The extensions were reported to Google and Mozilla for review and removal, and copied secrets should be considered exposed.

MITRE Techniques

  • [T1176.001] Software Extensions: Browser Extensions – The threat was delivered through malicious browser add-ons that users installed from official extension stores (‘browser extensions operating under the VPN Go: Free VPN branding’).
  • [T1195.002] Supply Chain Compromise: Compromise Software Supply Chain – The extensions were altered through staged malicious updates after appearing legitimate (‘staged malicious-update pattern’).
  • [T1204] User Execution – Users had to install and keep using the extension, believing it was a free VPN tool (‘Users routinely copy passwords… A browser extension with clipboard access does not need…’).
  • [T1059.007] Command and Scripting Interpreter: JavaScript – The malicious logic was implemented in JavaScript inside extension scripts (‘the script… reads the clipboard… and sends those chunks’).
  • [T1115] Clipboard Data – The extensions monitored and stole copied text from the clipboard (‘continuously monitors copied text and exfiltrates it’).
  • [T1027] Obfuscated Files or Information – The code used obfuscation and arithmetic/string tricks to hide malicious behavior (‘lightly obfuscated with meaningless variable names, escaped property strings, and arithmetic constants’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Exfiltration used HTTP GET requests to web endpoints (‘sends those chunks to hardcoded HTTP endpoints’).
  • [T1041] Exfiltration Over C2 Channel – Clipboard data was transmitted to attacker-controlled infrastructure (‘exfiltrating copied data to hardcoded threat actor-controlled infrastructure’).
  • [T1036] Masquerading – The extensions pretended to be legitimate VPN tools with privacy-focused messaging (‘present themselves as free VPN tools’ and ‘privacy-focused positioning’).

Indicators of Compromise

  • [Extension names / IDs] Malicious browser add-ons posing as VPN tools – VPN Go: Free VPN, Free VPN by VPN GO, jgpfgonjjolillilkjfkiddakagkkpoj, vpngo@vpngo[.]com
  • [Domains / URLs] Privacy policy and exfiltration infrastructure – telegra[.]ph/Privacy-Policy-12-11-127, /html/continue[.]php, /locations
  • [IP addresses] Clipboard exfiltration and proxy-location endpoints – 178[.]236[.]252[.]133, 77[.]91[.]123[.]187, and 178[.]236[.]252[.]161
  • [SHA256 hashes] Confirmed malicious extension packages – 43dc5b1d4c73d5ed9f4f7f561830079896eeb533a7c21bc577e4e267d5a3aa56, b3b63970833b3379ecec2d3ef8fea328fef8dd1c1574b1bcdfebad5bdce9280c, and 72fc06a8b03720f4a64744eecd5b3f658ad880bdb327c0c465c7bdc66b14a8d2
  • [SHA256 hashes] Confirmed malicious Firefox packages – fbbdf4bc490ad7b28953630c1707aa68b89d319b9b735f3d8563320b81b21a97, 2fe9c41901045013ba28ccb9af5870f9aef4f1ffd1e717cd5e0189ffdbe7fca2
  • [Bearer tokens] Hardcoded API authentication tokens – 11f01e8296a074e6e3b23e9413c51f205d4b6a14146fb4d95bec291d768a9071, 7386252b9a86e5357e6aa884326720abf015465a2567e75717830b6688ef05cc
  • [File names / script paths] Malicious extension components – scripts/version.js, scripts/background.js
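The exfiltration pattern described in the key points (repeated small HTTP GET requests to the hardcoded endpoints) can be hunted for in web proxy logs using the IP addresses and path from the IoC list. The following is an added detection example, not code from the Socket report; the log line format and the query parameter names in the sample are constructed assumptions, since the report does not give them.

```python
import re
from collections import defaultdict

# Indicators from the report: exfiltration/proxy-location IPs and the exfil path.
IOC_IPS = {"178.236.252.133", "77.91.123.187", "178.236.252.161"}
EXFIL_PATH = "/html/continue.php"

# Assumed (constructed) proxy log shape: "<timestamp> <client_ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:?]+)(?::\d+)?(?P<path>/[^?]*)?")

def parse_line(line):
    """Parse one log line into client/method/host/path, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    return {"client": m["client"], "method": m["method"],
            "host": u["host"], "path": u["path"] or "/"}

def flag_clients(lines):
    """Group requests to IOC hosts per client; 'exfil' if any GET hit the exfil path,
    'contact' if only other IOC traffic (e.g. the /locations proxy endpoint) was seen."""
    per_client = defaultdict(lambda: {"requests": 0, "exfil_requests": 0, "hosts": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["host"] not in IOC_IPS:
            continue  # unparseable line or traffic to a non-IOC host
        rec = per_client[ev["client"]]
        rec["requests"] += 1
        rec["hosts"].add(ev["host"])
        if ev["method"] == "GET" and ev["path"] == EXFIL_PATH:
            rec["exfil_requests"] += 1  # one chunk of clipboard data per GET
    for rec in per_client.values():
        rec["verdict"] = "exfil" if rec["exfil_requests"] else "contact"
        rec["hosts"] = sorted(rec["hosts"])
    return dict(per_client)

# Constructed sample log; the query parameter names are invented, the report does not give them.
SAMPLE_LOG = """\
2025-01-01T10:00:01Z 10.0.0.5 GET http://178.236.252.133/html/continue.php?s=a1&n=1 200
2025-01-01T10:00:02Z 10.0.0.5 GET http://178.236.252.133/html/continue.php?s=a1&n=2 200
2025-01-01T10:00:03Z 10.0.0.7 GET https://example.com/index.html 200
2025-01-01T10:00:04Z 10.0.0.7 GET http://77.91.123.187/locations 200
""".splitlines()

print(flag_clients(SAMPLE_LOG))
```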


Read more: https://socket.dev/blog/chrome-and-firefox-extensions-free-vpns-add-clipboard-stealers