Threat in your browser: what dangers innocent-looking extensions hold for users

Browser extensions can be convenient, but many disguise real threats, collecting data, showing affiliate ads, or even stealing credentials. The report documents several malicious and unwanted extension families (WebSearch, DealPly, AddScript, FB Stealer) and explains how they abuse extensions to monetize through data harvesting, adware, and credential theft. #WebSearch #DealPly

Keypoints

  • In H1 2022, 1,311,557 users attempted to download malicious or unwanted extensions, over 70% of the prior year’s figure.
  • From Jan 2020 to Jun 2022, more than 4.3 million unique users were attacked by adware hiding in browser extensions (about 70% of all affected users).
  • WebSearch was the most common threat in early 2022, redirecting to affiliate links and tracking queries via a changed start page and search engine.
  • DealPly-related extensions persist via registry entries and update URLs, sometimes delivered after installing a loader from untrusted sources.
  • AddScript hides malicious JavaScript behind legitimate-looking functions, retrieves code from a C2, and can perform cookie stuffing or covert video playback.
  • FB Stealer is particularly dangerous because it can steal Facebook session cookies and user credentials, sometimes delivered as a trusted-looking Google Translate extension.
  • Users are advised to review permissions, install only from trusted stores, limit extensions, and use robust security solutions to mitigate risk.

MITRE Techniques

  • [T1059.007] JavaScript – The AddScript threat loads and executes malicious JavaScript delivered from a C2 server; “‘When the extension is running, it contacts a hardcoded URL to get the C&C server address. It then establishes a connection to the C&C server, receives malicious JavaScript from it, and runs it covertly.’”
  • [T1027] Obfuscated/Compressed Files and Information – The malicious code in AddScript is obfuscated; “‘The malicious code is obfuscated.’”
  • [T1112] Modify Registry – DealPly achieves persistence by creating registry branches; “‘To provide persistence for its extensions, DealPly creates the following branches in the Windows registry:’”
  • [T1566] Phishing – Developer account hijacked after phishing; “‘When an account of the developer of a popular add-on was hijacked after a phishing attack, millions of users received adware on their devices without their knowledge.’”
  • [T1113] Screen Capture – Extensions can take screenshots; “‘even take screenshots’”
  • [T1056.001] Input Capture – Keylogging – Some extensions can act as keyloggers; “‘monitoring software that is able to track and capture everything users type’”
  • [T1539] Steal Web Session Cookie – Cookies and credentials are stolen via extensions; “‘steal login credentials and other sensitive information. In addition to stealing cookies and data copied to the clipboard’”
  • [T1555.003] Credentials from Web Browsers – Credentials and cookies can be stolen from browsers; “‘steal login credentials and other sensitive information’”
  • [T1036] Masquerading – Some threats impersonate legitimate extensions; “‘impersonate a popular legitimate extension’”

Indicators of Compromise

  • [MD5] WebSearch extension MD5 – dd7bd821cd4a88e2540a01a9f4b5e209, and 4 more (see article)
  • [Extension ID] WebSearch extension IDs – kpocjpoifmommoiiiamepombpeoaehfh, fncbkmmlcehhipmmofdhejcggdapcmon, mallpejgeafdahhflmliiahjdpgbegpk, ceopoaldcnmhechacafgagdkklcogkgd, mabloidgodmbnmnhoenmhlcjkfelomgp
  • [MD5] DealPly installer MD5 – E91538ECBED3228FF5B28EFE070CE587
  • [MD5] DealPly-related extension MD5 – 38a7b26c02de9b35561806ee57d61438
  • [MD5] AddScript extension MD5 – 28a18438e85aacad71423b044d0f9e3c
  • [Extension IDs] DealPly-related extension IDs – bifdhahddjbdbjmiekcnmeiffabcfjgh, ncjbeingokdeimlmolagjaddccfdlkbd, nahhmpbckpgdidfnmfkfgiflpjijilce, pilplloabdedfmialnfchjomjmpjcoej
  • [MD5] FB Stealer installer MD5 – 5010c3b42d269cb06e5598a5b1b143a5
  • [Extension IDs] FB Stealer extension IDs – colgdlijdieibnaccfdcdbpdffofkfeb, fdempkefdmgfcogieifmnadjhohaljcb
  • [URL] Update URL (DealPly) – juwakaha.com/update
  • [Domain] Domains related to incidents – search.myway.com, juwakaha.com, ctcodeinfo.com, www.ctcodeinfo.com
  • [Registry Keys] Example persistence keys – HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\bifdhahddjbdbjmiekcnmeiffabcfjgh and HKEY_CURRENT_USER\Software\Google\Chrome\Extensions\bifdhahddjbdbjmiekcnmeiffabcfjgh
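The DealPly persistence keypoint and the registry/update-URL indicators above describe the same mechanism: an extension ID forced in under the Chrome Extensions registry branch with an update_url that points at the attacker's server instead of Google's update service. The following is an added example (not code from the report or from Kaspersky) that parses a `reg export`-style dump of those branches and flags entries whose ID is in the reported indicator list or whose update_url host is not the trusted Chrome update host; the dump text is constructed, and the benign ID in it is a placeholder.

```python
import re
from urllib.parse import urlparse

# Chrome's own extension update service; anything else is worth a look.
TRUSTED_UPDATE_HOSTS = {"clients2.google.com"}

# DealPly-related extension IDs as listed in the report.
KNOWN_BAD_IDS = {
    "bifdhahddjbdbjmiekcnmeiffabcfjgh", "ncjbeingokdeimlmolagjaddccfdlkbd",
    "nahhmpbckpgdidfnmfkfgiflpjijilce", "pilplloabdedfmialnfchjomjmpjcoej",
}

# Constructed sample of what `reg export` of the two hives might produce.
# The first key mirrors the report's persistence key and update URL; the
# second ID is a placeholder for a legitimate store-installed extension.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\bifdhahddjbdbjmiekcnmeiffabcfjgh]
"update_url"="http://juwakaha.com/update"

[HKEY_CURRENT_USER\Software\Google\Chrome\Extensions\abcdefghijklmnopabcdefghijklmnop]
"update_url"="https://clients2.google.com/service/update2/crx"

[HKEY_CURRENT_USER\Software\Google\Chrome\Extensions\nahhmpbckpgdidfnmfkfgiflpjijilce]
"update_url"="https://clients2.google.com/service/update2/crx"
"""

# Extension IDs are 32 chars drawn from a-p; capture the full key path and the ID.
KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\Google\\Chrome\\Extensions\\([a-p]{32}))\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_extension_keys(reg_text):
    """Return {ext_id: {"key": registry path, "values": {name: value}}}."""
    entries, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = {"key": key.group(1), "values": {}}
            entries[key.group(2)] = current
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            current["values"][value.group(1)] = value.group(2)
    return entries

def flag_suspicious(entries, known_bad_ids=KNOWN_BAD_IDS):
    """Return [(ext_id, key path, [reasons])] for entries matching either heuristic."""
    findings = []
    for ext_id, entry in entries.items():
        reasons = []
        if ext_id in known_bad_ids:
            reasons.append("extension ID matches a reported indicator")
        host = urlparse(entry["values"].get("update_url", "")).hostname
        if host and host not in TRUSTED_UPDATE_HOSTS:
            reasons.append(f"update_url host is not a trusted update service: {host}")
        if reasons:
            findings.append((ext_id, entry["key"], reasons))
    return findings
```

On a live host the same parser can be fed the output of `reg export` for both hives; a hit on the update_url heuristic alone is the signal that catches a fresh ID before it appears in any indicator list.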

Read more: https://securelist.com/threat-in-your-browser-extensions/107181/