The Widespread Impact of the Extension Trojan Campaign on DNS

ReasonLabs researchers identified a widespread polymorphic malware campaign called the Extension Trojan that forcefully installs browser extensions to deliver adware and steal data, affecting over 300,000 users on Google Chrome and Microsoft Edge. The investigation uncovered extensive DNS indicators of compromise, including 84 email-connected domains and 28 IP addresses (24 malicious), with many domains registered in Iceland, and additional artifacts available from the researchers’ site. #ExtensionTrojan #ReasonLabs #GoogleChrome #MicrosoftEdge #Iceland #Namecheap #Cloudflare #DanescoTradingLtd #WHOIS #DNS

Keypoints

  • The Extension Trojan is a polymorphic malware campaign that forcefully installs extensions, delivering adware scripts and more sophisticated payloads to steal private data.
  • At least 300,000 users across Google Chrome and Microsoft Edge have been affected.
  • Researchers identified 84 email-connected domains, 28 IP addresses (24 of them malicious), and 38 string-connected domains related to the IoCs.
  • 19 of the 22 IoCs had public WHOIS records; most domains were registered in Iceland.
  • The threat actors relied on newly registered domains, with several created in 2021 and more in 2024.
  • Additional artifacts related to the IoCs are available for download from the research team’s website.

MITRE Techniques

  • [T1071] Initial Access – Use of malicious browser extensions to gain initial access to user systems.
  • [T1203] Execution – Execution of malicious scripts delivered through browser extensions.
  • [T1003] Credential Access – Stealing private data through malicious extensions.
  • [T1071] Command and Control – Utilizing compromised domains for command and control communications.
  • [T1041] Exfiltration – Exfiltration of sensitive data through malicious extensions.

Indicators of Compromise

  • [Domain] IoCs comprise 84 email-connected domains and 38 string-connected domains, in addition to the 22 domains initially identified – many of the identified domains are registered in Iceland.
  • [IP Address] Malicious IP addresses identified in threat intelligence – 104.21.3.7, 104.21.17.222, 104.21.24.148, 172.67.129.252, 104.21.32.227, and other related addresses (24 of 28 IPs malicious).
  • [Email Address] Historical and public email addresses linked to IoCs – 26 email addresses found in historical WHOIS records, with 4 public addresses identified.
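As an added example (not code from the CircleID post or from ReasonLabs' research), the following Python matches DNS resolver log lines against the IP-address IoCs quoted above. The log line format (`ts client= qname= qtype= answers=`) and the sample lines are constructed for this example; the five addresses are the ones listed in the summary, not the full set of 24.

```python
import ipaddress
import re
from collections import Counter

# IP-address IoCs quoted in the summary above (five of the 24 flagged addresses).
EXTENSION_TROJAN_IPS = frozenset({
    "104.21.3.7", "104.21.17.222", "104.21.24.148",
    "172.67.129.252", "104.21.32.227",
})

# Hypothetical resolver log format, constructed for this example:
#   <timestamp> client=<ip> qname=<name> qtype=<type> answers=<comma-separated RDATA>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+qname=(?P<qname>\S+)"
    r"\s+qtype=(?P<qtype>\S+)\s+answers=(?P<answers>\S*)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    answers = []
    for a in rec["answers"].split(","):
        a = a.strip()
        if not a:
            continue
        try:
            # Keep only answers that are IP addresses; CNAME/MX targets are skipped.
            answers.append(str(ipaddress.ip_address(a)))
        except ValueError:
            continue
    rec["answers"] = answers
    return rec


def find_ioc_hits(lines, ioc_ips=EXTENSION_TROJAN_IPS):
    """Return one hit record per log line whose answers include an IoC address."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        matched = sorted(set(rec["answers"]) & set(ioc_ips))
        if matched:
            hits.append({
                "ts": rec["ts"],
                "client": rec["client"],
                "qname": rec["qname"].rstrip("."),
                "matched_ips": matched,
            })
    return hits


def clients_by_hit_count(hits):
    """Count hits per internal client, to prioritise which hosts to examine first."""
    return Counter(h["client"] for h in hits)


# Constructed sample log; the .invalid names and 10.0.0.0/8 clients are not real data.
SAMPLE_LOG = [
    "2024-09-14T10:01:02Z client=10.0.0.5 qname=updates.example-cdn.invalid. qtype=A "
    "answers=104.21.3.7,172.67.129.252",
    "2024-09-14T10:01:05Z client=10.0.0.7 qname=www.example.com. qtype=A answers=198.51.100.20",
    "2024-09-14T10:02:11Z client=10.0.0.5 qname=mail.example.net. qtype=MX answers=mx.example.net.",
    "2024-09-14T10:03:40Z client=10.0.0.9 qname=cdn.example-ads.invalid. qtype=A answers=104.21.32.227",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["client"]} -> {h["qname"]} matched {",".join(h["matched_ips"])}')
    print("hits per client:", dict(clients_by_hit_count(found)))
```

Treat an IP match as a lead rather than a verdict: the quoted addresses fall within ranges used by Cloudflare (which the summary tags), and such reverse-proxy addresses front many unrelated sites, so each hit should be corroborated against the queried name and the researchers' domain list before a host is declared compromised.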

Read more: https://circleid.com/posts/20240914-extended-reach-of-extension-trojan-campaign-in-dns