Sunday, March 30, 2025

Widespread Chrome Malware: 16 Extensions Infect Over 3.2 Million Users


A recent cybersecurity investigation has uncovered a cluster of 16 malicious Chrome extensions that have compromised at least 3.2 million users.

These extensions, which offered functionality such as screen capture, ad blocking, and emoji keyboards, were found to inject code into the web pages users visit, facilitating advertising and search engine optimization fraud.

The threat actor behind this campaign is believed to have acquired access to some of these extensions from their original developers rather than through a compromise, and has been trojanizing extensions since at least July 2024.

Malicious Operations

The malicious extensions operate by checking in with configuration servers unique to each extension, transmitting the extension version and a hardcoded ID, and storing the returned configuration locally.

They also schedule periodic browser alarms to refresh this configuration, and they degrade page security by stripping the Content Security Policy (CSP) protections that would otherwise block injected scripts.

With CSP removed, the threat actor can inject obfuscated JavaScript payloads into web pages, potentially leading to leakage of sensitive information and unauthorized access.

The extensions were identified to use Bunny CDN infrastructure and DigitalOcean Apps for their configuration servers, with consistent headers indicating a single Express application.

Impact

The threat actor’s attack chain involves a complex multistage process that has not been fully replicated.

However, it is known that the malicious extensions can modify network filtering rules to make automated requests appear organic, block tracking services, and exempt advertising domains from filtering.
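The two mechanisms described above (stripping CSP protections in the Malicious Operations section, and rewriting network filtering rules here) both live in a Chrome extension's manifest permissions and its declarativeNetRequest (DNR) ruleset, so both can be checked statically before or after installation. The following is an added example written for this article, not code from the GitLab report or from any of the 16 extensions: it audits a constructed manifest.json and rules.json for CSP-stripping header rules, identity-header rewrites, and allow rules that whitelist domains. The extension name, the domain names, and the rule contents are placeholders invented for the demo.

```javascript
// Added example (not from the GitLab report or the trojanized extensions):
// static audit of a Chrome MV3 manifest and its declarativeNetRequest ruleset
// for the behaviours the article describes. All sample data is constructed.

// Response headers whose removal or replacement weakens page security.
const SECURITY_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
  "x-frame-options",
]);

// Request headers an extension has little legitimate reason to rewrite;
// forging them is one way to make automated requests look organic.
const IDENTITY_HEADERS = new Set(["referer", "origin", "user-agent"]);

// Constructed sample manifest.json (hypothetical extension name).
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Emoji Keyboard (constructed sample)",
  permissions: ["declarativeNetRequestWithHostAccess", "alarms", "storage", "scripting"],
  host_permissions: ["<all_urls>"],
  declarative_net_request: { rule_resources: [{ id: "ruleset_1", enabled: true, path: "rules.json" }] },
};

// Constructed sample rules.json (placeholder domains).
const SAMPLE_RULES = [
  // Strips CSP from every top-level document and iframe.
  { id: 1, priority: 1,
    action: { type: "modifyHeaders",
              responseHeaders: [{ header: "Content-Security-Policy", operation: "remove" }] },
    condition: { urlFilter: "*", resourceTypes: ["main_frame", "sub_frame"] } },
  // Blocks a tracker: ordinary ad-blocker behaviour, deliberately not flagged.
  { id: 2, priority: 1, action: { type: "block" },
    condition: { urlFilter: "||tracker.example", resourceTypes: ["script"] } },
  // Exempts an ad domain from all lower-priority rules.
  { id: 3, priority: 2, action: { type: "allow" }, condition: { urlFilter: "||ads.example" } },
  // Forges the Referer on requests to a search engine.
  { id: 4, priority: 1,
    action: { type: "modifyHeaders",
              requestHeaders: [{ header: "Referer", operation: "set", value: "https://search.example/" }] },
    condition: { urlFilter: "||search.example" } },
];

// Summarise the capabilities the manifest grants.
function auditManifest(manifest) {
  const perms = new Set(manifest.permissions || []);
  const hosts = manifest.host_permissions || [];
  return {
    broadHostAccess: hosts.some(h => h === "<all_urls>" || h === "*://*/*"),
    canModifyHeaders: perms.has("declarativeNetRequestWithHostAccess") || perms.has("declarativeNetRequest"),
    canInjectScripts: perms.has("scripting"),
    canSchedule: perms.has("alarms"),
    ruleFiles: ((manifest.declarative_net_request || {}).rule_resources || []).map(r => r.path),
  };
}

// Flag DNR rules that weaken page security, forge identity headers, or whitelist domains.
function auditRules(rules) {
  const findings = [];
  for (const rule of rules) {
    const action = rule.action || {};
    const target = (rule.condition && rule.condition.urlFilter) || "<all>";
    if (action.type === "modifyHeaders") {
      for (const h of action.responseHeaders || []) {
        if (SECURITY_HEADERS.has(h.header.toLowerCase()) && (h.operation === "remove" || h.operation === "set")) {
          findings.push({ id: rule.id, severity: "high",
                          reason: `${h.operation}s response header ${h.header} for ${target}` });
        }
      }
      for (const h of action.requestHeaders || []) {
        if (IDENTITY_HEADERS.has(h.header.toLowerCase())) {
          findings.push({ id: rule.id, severity: "medium",
                          reason: `rewrites request header ${h.header} for ${target}` });
        }
      }
    } else if (action.type === "allow" || action.type === "allowAllRequests") {
      findings.push({ id: rule.id, severity: "medium", reason: `exempts ${target} from other rules` });
    }
  }
  return findings;
}

// Header tampering combined with broad host access and script injection is the
// capability set the article attributes to the trojanized extensions.
function auditExtension(manifest, rules) {
  const capabilities = auditManifest(manifest);
  const findings = auditRules(rules);
  const high = findings.some(f => f.severity === "high");
  const verdict = high && capabilities.broadHostAccess && capabilities.canInjectScripts ? "review" : "ok";
  return { capabilities, findings, verdict };
}

console.log(JSON.stringify(auditExtension(SAMPLE_MANIFEST, SAMPLE_RULES), null, 2));
```

Run it with `node` after pointing SAMPLE_MANIFEST and SAMPLE_RULES at the unpacked extension directory (Chrome keeps installed extensions under the profile's Extensions folder). The block rule is left unflagged on purpose: blocking trackers is what an ad blocker is supposed to do, and the signal the article points to is the combination of CSP removal, wide host access, and script injection rather than any single permission.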

According to the GitLab report, this campaign poses a significant threat to users and organizations because it exploits trust in the Chrome Web Store and the automatic update mechanism of browser extensions: a once-legitimate extension can turn malicious in a routine update without any action by the user.

Following the discovery, Google was notified, and all identified extensions have been removed from the Chrome Web Store.

However, users must uninstall these extensions manually, as removal from the store does not uninstall copies that are already installed.

Recommendations for individuals include being cautious about the permissions an extension requests and regularly reviewing the extensions they have installed.

Organizations are advised to implement application controls that restrict which extensions can be installed, and to monitor for changes in extension permissions or ownership, since this campaign relied on ownership transfers rather than on compromising developers.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
