Hidden Threats of Dual-Function Malware Found in Chrome Extensions

An unknown actor has been creating malicious Chrome browser extensions since early 2024, using fake websites to lure users into installing them. The extensions provide some legitimate functionality but also connect to attacker-controlled servers to steal data, execute arbitrary code, and manipulate network traffic.

Keypoints

  • An actor has deployed over 100 fake websites and malicious Chrome extensions since February 2024, targeting users with extensions themed around productivity, VPNs, crypto, banking, and media tools.
  • The malicious extensions appear partially or fully functional but request excessive permissions to monitor all visited sites, execute arbitrary code, and communicate with attacker-controlled backend servers.
  • Extensions typically hardcode the actor's API domains in key script files such as “background.js” or “background.iife.js” to send system information and receive commands, including malicious network request rules.
  • Common tactics include using an “onreset” event handler to bypass content security policies, and JWT authentication with HMAC-SHA-256-signed tokens based on the extension ID to secure communication with the backend.
  • Some extensions steal all browser cookies by compressing and encoding them before sending them to attacker servers, enabling account compromise and session hijacking.
  • The malicious actor’s domains share registration details (NameSilo registrar, Cloudflare DNS, SSL issuer “WE1”) and frequently use Facebook Tracker IDs for further analysis or tracking.
  • Despite removals by the Chrome Web Store, the actor persists by leveraging trending topics like DeepSeek AI to entice installations, making user vigilance crucial.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Extensions execute arbitrary code delivered from backend servers via scripts injected into browser tabs (‘…arbitrary script execution it receives from the backend server and uses chrome.tabs.sendMessage to send it to the content script for execution…’)
  • [T1071] Application Layer Protocol – The extensions communicate with attacker API servers using encrypted web requests and WebSocket connections to send system info and receive commands (‘…communicates with api.sprocketwhirl.top, sending encrypted system information and receiving dynamic rules and executable code…’)
  • [T1555] Credentials from Web Browsers – Extensions collect browser cookies using chrome.cookies.getAll and exfiltrate them compressed and encoded to remote servers (‘…retrieves all browser cookies, compresses them using pako, encodes them in Base64, and sends them back to the backend…’)
  • [T1090] Proxy – Extensions establish WebSocket proxy connections controlled by the attacker to route user traffic through malicious servers (‘…commands to establish a separate WebSocket connection to act as a network proxy…’)
  • [T1569] System Services – Extensions modify network requests dynamically via declarativeNetRequest rules, enabling malicious redirects and ad injections post-installation (‘…fetches and applies declarativeNetRequest rules from the backend, allowing modification of network requests…’)
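The keypoints and the technique list above describe a consistent pattern: broad permissions (cookies, declarativeNetRequest, tabs, scripting) combined with a hardcoded backend domain in the background script. The following triage script is an added example for defenders, not code from the report or from the extensions themselves; the manifest and background snippet are constructed fixtures, and the only real value in them is one of the API domains listed in the indicators below.

```python
import json
import re

# Constructed sample manifest and background script in the style the report
# describes (not files from the actual extensions); the domain is one of the
# API domains the report lists.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "permissions": ["cookies", "declarativeNetRequest", "tabs", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
})
SAMPLE_BACKGROUND = """
const API = "https://api.sprocketwhirl.top/v1";
chrome.cookies.getAll({}, (cookies) => {
  const blob = btoa(String.fromCharCode(...pako.deflate(JSON.stringify(cookies))));
});
chrome.declarativeNetRequest.updateDynamicRules({addRules: rules});
"""

# Permissions the report says the extensions request to monitor sites, read cookies, run code and rewrite traffic.
RISKY_PERMISSIONS = {"cookies", "declarativeNetRequest", "tabs", "scripting"}
# Call patterns matching the behaviours in the report.
API_PATTERNS = {
    "cookie_dump": r"chrome\.cookies\.getAll",
    "dynamic_rules": r"declarativeNetRequest\.updateDynamicRules",
    "tab_script_relay": r"chrome\.tabs\.sendMessage",
    "websocket": r"new\s+WebSocket\(",
    "compress_encode": r"pako\.deflate|btoa\(",
    "onreset_handler": r"onreset\s*=",
}
DOMAIN_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)

def triage_extension(manifest_json: str, background_js: str) -> dict:
    """Findings for one extension: risky permissions, matched behaviour
    patterns and hardcoded backend hosts in the background script."""
    manifest = json.loads(manifest_json)
    perms = set(manifest.get("permissions", []))
    findings = {
        "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
        "all_urls": "<all_urls>" in manifest.get("host_permissions", []),
        "behaviours": sorted(k for k, p in API_PATTERNS.items() if re.search(p, background_js)),
        "hardcoded_hosts": sorted(set(DOMAIN_RE.findall(background_js))),
    }
    # Broad host access plus cookie/rule access plus a hardcoded backend is the
    # combination the report describes; a score of 4 or more warrants review.
    findings["score"] = (len(findings["risky_permissions"]) + int(findings["all_urls"])
                         + len(findings["behaviours"]) + int(bool(findings["hardcoded_hosts"])))
    findings["review"] = findings["score"] >= 4
    return findings
```

Run it over each unpacked extension's manifest.json and background script; hosts it reports can then be checked against the indicator list before the extension is allowed in a managed browser.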

Indicators of Compromise

  • [Domains] Malicious lure and API domains – manusai.sbs, forti-vpn.com, sitestats.world, api.sprocketwhirl.top, api.infograph.top, api.zorpleflux.top, api.glimmerbloop.top, and others listed on GitHub
  • [Chrome Extension IDs] Identifiers linked to malicious extensions – aeibljandkelbcaaemkdnbaacppjdmom, ccollcihnnpcbjcgcjfmabegkpbehnip, fcfmhlijjmckglejcgdclfneafoehafm
  • [File Hashes] SHA256 hashes of malicious CRX files – 3131d15ebea5eb68e636eb804b2de86cc04d8be5d1257c83f2042a391b8e9415, f4fe36cdc9bd1f16d9385e56155aca3723a267bcdf575e925e20bb9a6526b576, d6e179dcab901e81b3340aebaa3e517bb98b09f9fea01e667e594416c10efc44
  • [IP/Hosting] Cloudflare infrastructure for DNS and hosting, indicating CDN usage to obscure origin servers
  • [Facebook Tracker IDs] 2696720993868113, 416208351532463, 312497404888286, and others used for tracking by the actor
Read more: https://dti.domaintools.com/dual-function-malware-chrome-extensions/