This article explains how researchers obtained and analyzed malicious browser extensions that bypass Google Chrome’s Manifest V3, detailing sample acquisition, cryptanalysis, and payload decryption methods. It also maps identified behaviors to MITRE techniques and lists multiple domains used as command-and-control infrastructure. #ManifestV3 #GenesisMarket
Key points
- Walkthrough for acquiring malicious browser extension samples using freely available resources and marketplaces.
- Search methods for finding related samples based on unique features and directory structures within extensions.
- Cryptanalysis and decryption techniques for extracting hidden payloads, using tools like PowerShell and Python.
- The extensions used obfuscation and encryption to hinder analysis and detection.
- Researchers documented the evolution and increasing complexity of malicious browser extensions over time.
- Multiple domains were identified as indicators of compromise and used for command-and-control operations.
MITRE Techniques
- [T1071] Command and Control – Used multiple command and control domains to maintain communication with compromised systems (‘Utilizes multiple command and control domains to maintain communication with compromised systems.’)
- [T1022] Data Encrypted – Malware encrypts data to prevent detection and analysis (‘Encrypts data to prevent detection and analysis.’)
- [T1027] Obfuscated Files or Information – Obfuscation techniques hide code and payloads within extension files (‘Uses obfuscation techniques to hide the true nature of files or information.’)
Indicators of Compromise
- [domain] C2 and infrastructure domains – root-head[.]com, gzipdot[.]com, and 16 more domains