“Dormant Colors”: Live Campaign With Over 1M Data Stealing Extensions Installed

Dormant Colors describes a widespread campaign of malicious browser extensions that infect millions of users via malvertising, then covertly load and update weaponized code to harvest data and enable targeted fraud. The investigation exposes a robust, globally distributed infrastructure capable of search hijacking, credential theft, and affiliation hijacking, with a looming potential for broader attacks against organizations. #DormantColors #BadExII

Keypoints

  • The Dormant Colors campaign comprises millions of active installations of color-themed malicious extensions for Chrome and Edge.
  • Infection starts with malvertising, a deceptive distribution method used to trick users into installing the extensions.
  • The extensions contain a hidden “Backdoor Code Injection Weaponizer Flow” that loads malicious scripts and establishes a vast command & control network.
  • The malware can siphon search data, harvest credentials and other user data, and target specific sites through a large list of affiliated domains and 10,000+ target sites for spear phishing and credential theft.
  • The campaign uses side-loading techniques and dynamic DOM manipulation to inject code and evade detection, including obfuscated scripts and generated style elements.
  • In addition to data theft, the actors monetize via an “Affiliation Hijacker” that redirects users to affiliate links and ads for various sites (AliExpress, Amazon, etc.).
  • Guardio’s analysis shows the operation is ongoing, with a scalable infrastructure and continuous generation of new variants, so further extensions and attack flows can be expected.

MITRE Techniques

  • [T1189] Drive-by Compromise – Malvertising used to distribute Dormant Colors extensions. ‘Malvertising campaign making you install one of many Dormant-Colors extensions’
  • [T1105] Ingress Tool Transfer – The extension fetches malicious scripts from remote resources (e.g., getcolor1.php). ‘The getcolor1.php returns a nasty and LONG page with tons of scripts full of string arrays and some obfuscated code.’
  • [T1059] Command and Scripting Interpreter – The extension loads and executes JavaScript through dynamic code, including obfuscated calls. ‘along this redirect chain… the next redirect was forced by code in the page itself’ and ‘the malicious scripts’
  • [T1027] Obfuscated/Compressed Files and Information – The scripts are obfuscated to hide functionality. ‘tons of scripts full of string arrays and some obfuscated code’
  • [T1566.001] Phishing: Spearphishing Link – The campaign uses deceptive pages (phishing login pages) and redirects to credential-stealing pages. ‘phishing fake log-in pages instead of account login pages’
  • [T1071] Web Protocols – The campaign relies on web-based C2 communications and hosted resources (e.g., C2 servers and redirect domains). ‘C2 infrastructure abusing your browser’ and domains like superofferss.com

Indicators of Compromise

  • [Domain] Example domains involved in the campaign – smashaff[.]com, smashofferss[.]com, superofferss[.]com, smashsearches[.]com, 005gs[.]com
  • [Domain] Additional domains used for redirection and affiliation – isloov[.]com, changecolorss[.]com, simpledark-tab[.]com, websearches[.]club
  • [Extension ID] Malicious extensions IDs – edbgoocdeaamfeeeocpfkpfjmjnmhcla, egfchmabkmedeeempggjnolmijhfdagi, opkokhpmbgjdfjbggnmdnoekjknnaghh
  • [URL] Redirection and tracking endpoints – https://nkingwithea[.]com/?tid=956865&subid=typage, https://superofferss[.]com
  • [URL] Payload-fetching script – getcolor1.php
  • [Domain] Affiliates and hijack targets – smashaff[.]com, smashofferss[.]com, smashsearches[.]com, 365games.co.uk (affiliate redirects)
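As an added, defender-side example (not code from the Guardio write-up): a Python matcher that refangs the indicators listed above, checks installed Chrome/Edge extension IDs against the listed IDs, and flags proxy-log URLs whose host is one of the listed domains or a subdomain of it. The sample extension IDs and log lines are constructed for illustration; the log format (URL as the last whitespace-separated field) is an assumption.

```python
import os
from urllib.parse import urlsplit

# Indicators exactly as listed on this page (domains defanged with "[.]").
DORMANT_COLORS_EXT_IDS = {
    "edbgoocdeaamfeeeocpfkpfjmjnmhcla",
    "egfchmabkmedeeempggjnolmijhfdagi",
    "opkokhpmbgjdfjbggnmdnoekjknnaghh",
}
DORMANT_COLORS_DOMAINS = {d.replace("[.]", ".") for d in (
    "smashaff[.]com", "smashofferss[.]com", "superofferss[.]com", "smashsearches[.]com",
    "005gs[.]com", "isloov[.]com", "changecolorss[.]com", "simpledark-tab[.]com",
    "websearches[.]club", "nkingwithea[.]com")}

def installed_extension_ids(extensions_dir):
    """Chrome/Edge keep each installed extension under <profile>/Extensions/<32-char id>/."""
    if not os.path.isdir(extensions_dir):
        return set()
    return {name for name in os.listdir(extensions_dir) if len(name) == 32}

def match_extension_ids(ext_ids):
    """Subset of the given IDs that are known Dormant Colors extensions."""
    return set(ext_ids) & DORMANT_COLORS_EXT_IDS

def host_matches_campaign(url_or_host):
    """Campaign domain that the host equals or is a subdomain of, else None."""
    host = urlsplit(url_or_host).hostname if "://" in url_or_host else url_or_host
    host = (host or "").lower().rstrip(".")
    for domain in DORMANT_COLORS_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def scan_proxy_log(lines):
    """(line, domain) for each log line whose last field, the URL, hits a campaign domain."""
    hits = []
    for line in lines:
        fields = line.split()
        domain = host_matches_campaign(fields[-1]) if fields else None
        if domain:
            hits.append((line, domain))
    return hits

# Constructed sample data, not from the article: one benign ID, one campaign ID,
# one request to a campaign subdomain and one to a lookalike host that must not match.
SAMPLE_INSTALLED = ["abcdefghijklmnopabcdefghijklmnop", "egfchmabkmedeeempggjnolmijhfdagi"]
SAMPLE_LOG = [
    "2022-10-18T10:01:02Z 10.0.0.5 GET https://cdn.superofferss.com/getcolor1.php",
    "2022-10-18T10:01:05Z 10.0.0.5 GET https://superofferss.com.example.org/",
]
```

Point `installed_extension_ids` at a real profile directory (for example `~/.config/google-chrome/Default/Extensions` on Linux) and pass the result to `match_extension_ids`; the suffix check in `host_matches_campaign` is what keeps lookalike hosts such as `superofferss.com.example.org` from producing a false hit.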

Read more: https://guardiosecurity.medium.com/dormant-colors-live-campaign-with-over-1m-data-stealing-extensions-installed-9a9a459b5849