Keypoints
- The malicious extension impersonates a popular open-source “ChatGPT For Google” project by forking its code and adding cookie-stealing functionality.
- Distribution used malicious sponsored Google search results that redirected victims to landing pages and the official Chrome Web Store listing.
- On installation the extension’s onInstalled handler calls chrome.cookies.getAll, filters Facebook-related cookies, and formats them into a string.
- Cookies are encrypted with AES using the key “chatgpt4google” and sent in a GET request to a C2 hosted on workers.dev via a custom X-Cached-Key HTTP header.
- The C2 responds with a generic 404, while attackers can decrypt the header to obtain session cookies and hijack Facebook accounts.
- At time of reporting the malicious extension had 9,000+ installs and was removed from the Chrome Store after disclosure.
- IOCs include landing pages, the Chrome extension ID, the Chrome Store URL, and the C2 URL on workers.dev.
MITRE Techniques
- [T1204] User Execution – The campaign tricks users into installing a malicious extension via a sponsored search landing page and Chrome Store listing (‘you search for “Chat GPT 4” … ending up clicking on a sponsored search result promising you just that’).
- [T1566] Phishing – Use of malicious sponsored Google search results to lure users to install the extension mimics a search-engine-based phishing technique (‘malicious sponsored Google search results … This redirects you to a landing page offering you ChatGPT’).
- [T1539] Steal Web Session Cookie – The extension collects browser cookies and filters Facebook-related cookies using chrome.cookies.getAll and a custom filter function et() (‘et() is filtering Facebook-related cookies from the full list acquired with the Chrome Extension API’).
- [T1027] Obfuscated Files or Information – The malicious change is hidden inside otherwise-genuine open-source code (the analysis works from deobfuscated snippets of the bundled extension), so the forked code blends with legitimate functionality (‘the product function as expected and impossible to distinguish’).
- [T1036] Masquerading – Attackers forked and slightly modified a well-known open-source project to masquerade a malicious extension as the genuine “ChatGPT For Google” (‘they just forked and edited a well-known open-source project that does exactly that’).
- [T1071.001] Application Layer Protocol: Web Protocols – Exfiltration of encrypted cookie data uses HTTPS GET requests to a workers.dev host with a custom HTTP header (‘GET https://version.chatgpt4google.workers.dev/ … X-Cached-Key: …’).
- [T1041] Exfiltration Over C2 Channel – AES-encrypted cookie data is sent in an HTTP header to a command-and-control endpoint hosted on workers.dev for attacker retrieval (‘the cookies list is encrypted with AES and attached to the X-Cached-Key HTTP header value’).
Indicators of Compromise
- [Landing page domains] Malicious landing pages used to promote the extension – https://www[.]chatgptforgoogle[.]pro, https://www[.]chatgptgoogle[.]org
- [Extension ID] Malicious Chrome extension identifier – hacfaophiklaeolhnmckojjjjbnappen
- [Chrome Store URL] Malicious extension page on the official store – https://chrome.google.com/webstore/detail/chatgpt-for-google/hacfaophiklaeolhnmckojjjjbnappen
- [C2 Server] Command-and-control endpoint receiving exfiltrated cookies – https://version[.]chatgpt4google[.]workers[.]dev
- [Encryption key] Key used for AES encryption of stolen cookies – chatgpt4google (used as AES key)
The extension is distributed via sponsored Google search ads that lead to landing pages prompting users to install a Chrome Store extension. After installation the malicious onInstalled handler calls Browser[qn].getAll({}) (chrome.cookies.getAll) to retrieve all browser cookies, then runs a filter function (et()) that selects cookies whose domain contains “facebook” and formats each cookie into a space-delimited string including domain, hostOnly, path, secure flag, expiration, name, and value.
The formatted cookie list is encrypted with AES using the static key “chatgpt4google” via fa.default.AES.encrypt(…).toString(), and exfiltrated in a single HTTPS GET request to a workers.dev-hosted C2: https://version.chatgpt4google.workers.dev/. Instead of placing the data in the request body, the extension puts the encrypted payload in a custom request header, X-Cached-Key, so that simple body-focused DPI/inspection does not see it; the C2 answers with a generic 404, while attackers holding the key can decrypt the header value to recover live Facebook session cookies.
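As an added example (not code from the report or from the extension), the following Python triage script flags request records that match the exfiltration pattern described above: a request to the reported C2 host, an X-Cached-Key header sent to any workers.dev host, or a header value shaped like crypto-js passphrase-mode output (base64 of "Salted__" + 8-byte salt + AES-CBC ciphertext, which is what AES.encrypt(...).toString() emits if the bundled fa.default is crypto-js, an assumption). The request records and their field names are constructed for the example.

```python
import base64
from urllib.parse import urlparse

# C2 hostname as given in the report's IOCs.
C2_HOST = "version.chatgpt4google.workers.dev"

# Constructed sample request records (e.g. exported from a proxy or browser
# telemetry); the record layout is an assumption for this example.
SAMPLE_REQUESTS = [
    {"method": "GET", "url": "https://version.chatgpt4google.workers.dev/",
     "headers": {"X-Cached-Key": base64.b64encode(
         b"Salted__" + b"\x00" * 8 + b"\x11" * 32).decode()}},
    {"method": "GET", "url": "https://example.com/api",
     "headers": {"X-Cached-Key": "abc123"}},
    {"method": "GET", "url": "https://legit.workers.dev/health",
     "headers": {"Accept": "application/json"}},
]


def looks_like_cryptojs_blob(value):
    """True if value is base64 whose decoded bytes carry the OpenSSL-style
    'Salted__' magic, an 8-byte salt and a whole number of 16-byte AES blocks."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    return raw.startswith(b"Salted__") and len(raw) >= 32 and (len(raw) - 16) % 16 == 0


def classify(req):
    """Return the list of reasons a single request record is suspicious."""
    host = urlparse(req["url"]).hostname or ""
    headers = {k.lower(): v for k, v in req["headers"].items()}
    xck = headers.get("x-cached-key")
    reasons = []
    if host == C2_HOST:
        reasons.append("request to known C2 host")
    if xck is not None and host.endswith(".workers.dev"):
        reasons.append("X-Cached-Key header sent to a workers.dev host")
    if xck is not None and looks_like_cryptojs_blob(xck):
        reasons.append("X-Cached-Key value is a crypto-js style 'Salted__' ciphertext")
    return reasons


def scan(requests):
    """Return (url, reasons) for every request that triggers at least one rule."""
    return [(r["url"], classify(r)) for r in requests if classify(r)]


if __name__ == "__main__":
    for url, reasons in scan(SAMPLE_REQUESTS):
        print(url, "->", "; ".join(reasons))
```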
With those session cookies attackers can hijack Facebook sessions, change account details, and use compromised profiles for automated posting and advertising. Relevant technical IOCs include the landing domains (chatgptforgoogle.pro, chatgptgoogle.org), the Chrome extension ID (hacfaophiklaeolhnmckojjjjbnappen), and the C2 URL on workers.dev used for encrypted exfiltration.