A recent cybersecurity threat has emerged involving a cluster of malicious Chrome extensions that have compromised at least 3.2 million users.
These extensions, which include functionalities such as screen capture, ad blocking, and emoji keyboards, were found to inject code into browsers, facilitating advertising and search engine optimization fraud.
The threat actor behind this campaign is believed to have acquired access to some of the extensions from their original developers rather than through a compromise, and has been trojanizing extensions since at least July 2024.
The Attack Chain and Impact
The malicious extensions employ a complex multistage attack to degrade browser security and inject content, bypassing security boundaries.
They use service worker functionality to check in with unique configuration servers, transmitting extension versions and hardcoded IDs.
According to GitLab, this gives the operator dynamic control over the extensions' behavior, since the extensions fetch and execute scripts from remote servers.
The threat actor has been updating their injection scripts over time, making detection challenging.
The extensions also strip Content Security Policy (CSP) headers from the pages they target, removing a key browser defense against cross-site scripting (XSS).
The malicious code injected by these extensions can modify network request filtering rules, manipulate search engine results, and block tracking services.
Additionally, they can inject iframes with remote content, particularly targeting Amazon product pages in certain European locales.
This campaign poses a significant risk of sensitive information leakage and initial access for further malicious activities.
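Most of the capabilities described above are visible in an extension's static files before it ever runs: a background service worker that can fetch code, permissions that allow request filtering or script injection, all-URL host access, and declarativeNetRequest rules that remove CSP headers from responses. The audit script below is an added example, not code from the article or from GitLab's research. The manifest and rule set it scans are constructed samples, the severity weights are an arbitrary choice for this example, and it generalizes slightly beyond the article by also flagging removal of X-Frame-Options, which weakens framing protections in the same way.

```python
"""Static risk audit of a Chrome extension package (added example).

Checks the static artifacts an extension ships with for the capabilities the
article describes: a background service worker, permissions that allow request
filtering or script injection, broad host access, and declarativeNetRequest
rules that remove protective response headers. The sample manifest and rules
below are constructed; the severity weights are an arbitrary choice.
"""
import json
import os

# Permissions that let an extension rewrite traffic or run code in pages.
HIGH_RISK_PERMISSIONS = {
    "declarativeNetRequest": "can block, redirect, or rewrite headers on requests",
    "declarativeNetRequestWithHostAccess": "header rewriting on any granted host",
    "webRequest": "observes requests on all granted hosts",
    "webRequestBlocking": "can block or modify requests (Manifest V2)",
    "scripting": "can inject scripts and CSS into pages",
    "tabs": "reads URLs and titles of open tabs",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Response headers whose removal weakens the page's own defenses. CSP is what
# the article describes; X-Frame-Options is included as a generalization.
PROTECTIVE_HEADERS = {
    "content-security-policy",
    "content-security-policy-report-only",
    "x-frame-options",
}
WEIGHTS = {"critical": 5, "high": 3, "medium": 1}


def audit_manifest(manifest: dict) -> list:
    """Return (severity, message) findings for one manifest."""
    findings = []
    if "service_worker" in manifest.get("background", {}):
        findings.append(("medium", "background service worker present; "
                         "review it for fetch-and-execute of remote scripts"))
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    for p in sorted(perms & set(HIGH_RISK_PERMISSIONS)):
        findings.append(("high", f"permission {p}: {HIGH_RISK_PERMISSIONS[p]}"))
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | (perms & BROAD_HOSTS)
    if hosts & BROAD_HOSTS:
        findings.append(("high", "broad host access: "
                         + ", ".join(sorted(hosts & BROAD_HOSTS))))
    return findings


def find_header_stripping_rules(rules: list) -> list:
    """Return (rule_id, header, operation) for declarativeNetRequest rules
    that remove or overwrite a protective response header."""
    hits = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for h in action.get("responseHeaders", []):
            name = h.get("header", "").lower()
            if name in PROTECTIVE_HEADERS and h.get("operation") in ("remove", "set"):
                hits.append((rule.get("id"), name, h.get("operation")))
    return hits


def risk_report(manifest: dict, rules: list) -> dict:
    """Combine manifest and rule findings into a weighted score."""
    findings = audit_manifest(manifest)
    for rule_id, header, op in find_header_stripping_rules(rules):
        findings.append(("critical", f"rule {rule_id} {op}s response header {header}"))
    return {"score": sum(WEIGHTS[sev] for sev, _ in findings), "findings": findings}


def audit_unpacked_extension(path: str) -> dict:
    """Audit an unpacked extension directory: manifest.json plus every static
    rule file it declares under declarative_net_request.rule_resources."""
    with open(os.path.join(path, "manifest.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    rules = []
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        with open(os.path.join(path, res["path"]), encoding="utf-8") as f:
            rules.extend(json.load(f))
    return risk_report(manifest, rules)


# Constructed sample: a "screen capture" extension shaped like the ones the
# article describes (service worker, DNR, scripting, all-URL host access).
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Screen Capture Tool (constructed sample)",
    "version": "2.4.1",
    "background": {"service_worker": "sw.js"},
    "permissions": ["declarativeNetRequest", "scripting", "storage", "tabs"],
    "host_permissions": ["<all_urls>"],
    "declarative_net_request": {"rule_resources": [
        {"id": "ruleset_1", "enabled": True, "path": "rules.json"}]},
}
SAMPLE_RULES = [
    # A legitimate-looking ad-block rule...
    {"id": 1, "priority": 1, "action": {"type": "block"},
     "condition": {"urlFilter": "||ads.example", "resourceTypes": ["script"]}},
    # ...next to a rule that strips CSP from every top-level page and iframe.
    {"id": 2, "priority": 1,
     "action": {"type": "modifyHeaders", "responseHeaders": [
         {"header": "content-security-policy", "operation": "remove"},
         {"header": "content-security-policy-report-only", "operation": "remove"}]},
     "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}},
]

if __name__ == "__main__":
    report = risk_report(SAMPLE_MANIFEST, SAMPLE_RULES)
    print(f"risk score: {report['score']}")
    for severity, message in report["findings"]:
        print(f"  [{severity}] {message}")
```

Run against the constructed sample it reports a score of 23 with two critical findings for the CSP-stripping rule; `audit_unpacked_extension` applies the same checks to a real unpacked directory. A high score is a review trigger, not proof of malice: legitimate ad blockers also hold declarativeNetRequest and all-URL access, so the decisive signal is the header-removal rule, which an ad blocker has no reason to ship.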
Attribution and Recommendations
The threat actor’s sophisticated approach, involving the abuse of trusted software distributors like the Chrome Web Store, highlights the risks associated with automatic updates and extension permissions.
It is recommended that users and organizations review extension permissions, restrict unnecessary installations, and monitor for changes in ownership or permissions.
Users should also be cautious when granting extensive permissions to extensions and regularly remove unused ones to reduce exposure to malicious updates.
The malicious extensions have been removed from the Chrome Web Store following notification, but manual uninstallation is required to fully mitigate the threat.
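The recommendation to monitor for changes in ownership or permissions can be made concrete for the local side of it. Ownership transfers are not visible on disk, but an update that arrives with more permissions than the version the user originally accepted is, and that jump is the signal that should trigger a look at the store listing. The script below is an added example, not code from the article or from GitLab's research: it snapshots a Chrome profile's Extensions directory (assuming the standard `Extensions/<id>/<version>/manifest.json` layout) and diffs a fresh snapshot against a stored baseline. The baseline and current inventories shown are constructed samples with placeholder extension IDs.

```python
"""Baseline diff of installed Chrome extensions (added example).

Snapshot the extensions in a Chrome profile, keep the snapshot as a baseline,
and later diff a fresh snapshot against it to catch new installs and, above
all, updates that added permissions or host access. The BASELINE and CURRENT
inventories below are constructed samples with placeholder IDs.
"""
import json
import os


def snapshot_profile(extensions_dir: str) -> dict:
    """Read <profile>/Extensions/<id>/<version>/manifest.json for every
    installed extension into {id: {name, version, permissions, host_permissions}}.
    Assumes Chrome's standard on-disk layout."""
    inventory = {}
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version_dir in sorted(os.listdir(ext_path)):
            mpath = os.path.join(ext_path, version_dir, "manifest.json")
            if not os.path.isfile(mpath):
                continue
            with open(mpath, encoding="utf-8") as f:
                m = json.load(f)
            inventory[ext_id] = {
                "name": m.get("name", ""),
                "version": m.get("version", version_dir),
                "permissions": sorted(m.get("permissions", [])),
                "host_permissions": sorted(m.get("host_permissions", [])),
            }
    return inventory


def diff_inventory(baseline: dict, current: dict) -> list:
    """Return alerts describing how `current` differs from `baseline`.
    A permission or host-access increase on the same ID is rated high."""
    alerts = []
    for ext_id, cur in current.items():
        base = baseline.get(ext_id)
        if base is None:
            alerts.append({"id": ext_id, "kind": "new_install", "severity": "medium",
                           "detail": f"{cur['name']} {cur['version']} was not in the baseline"})
            continue
        added_perms = sorted(set(cur["permissions"]) - set(base["permissions"]))
        added_hosts = sorted(set(cur["host_permissions"]) - set(base["host_permissions"]))
        if added_perms or added_hosts:
            alerts.append({"id": ext_id, "kind": "permission_escalation", "severity": "high",
                           "detail": f"{cur['name']} {base['version']} -> {cur['version']} "
                                     f"added permissions {added_perms} and hosts {added_hosts}"})
        elif cur["version"] != base["version"]:
            alerts.append({"id": ext_id, "kind": "version_change", "severity": "info",
                           "detail": f"{cur['name']} {base['version']} -> {cur['version']}"})
    for ext_id in sorted(set(baseline) - set(current)):
        alerts.append({"id": ext_id, "kind": "removed", "severity": "info",
                       "detail": f"{baseline[ext_id]['name']} is no longer installed"})
    return alerts


# Constructed samples. Real Chrome extension IDs are 32 lowercase letters
# (a-p); obvious placeholders are used here instead.
BASELINE = {
    "EMOJI_KEYBOARD_ID_PLACEHOLDER": {"name": "Emoji Keyboard", "version": "1.3.0",
                                      "permissions": ["storage"], "host_permissions": []},
    "AD_BLOCKER_ID_PLACEHOLDER": {"name": "Ad Blocker", "version": "4.0.2",
                                  "permissions": ["declarativeNetRequest", "storage"],
                                  "host_permissions": ["<all_urls>"]},
}
CURRENT = {
    # Same ID, a new version that suddenly wants scripting, DNR and all URLs.
    "EMOJI_KEYBOARD_ID_PLACEHOLDER": {"name": "Emoji Keyboard", "version": "1.4.0",
                                      "permissions": ["declarativeNetRequest", "scripting", "storage"],
                                      "host_permissions": ["<all_urls>"]},
    "AD_BLOCKER_ID_PLACEHOLDER": BASELINE["AD_BLOCKER_ID_PLACEHOLDER"],
    "SCREEN_CAPTURE_ID_PLACEHOLDER": {"name": "Screen Capture", "version": "1.0.0",
                                      "permissions": ["scripting", "tabs"],
                                      "host_permissions": ["<all_urls>"]},
}

if __name__ == "__main__":
    for alert in diff_inventory(BASELINE, CURRENT):
        print(f"[{alert['severity']}] {alert['kind']}: {alert['detail']}")
```

In practice the baseline is `snapshot_profile(...)` written out with `json.dump` at a known-good point, and the diff runs on a schedule; an unchanged inventory produces no alerts, so only genuine drift reaches a reviewer. Because the store pushes updates automatically, a silent permission jump on a long-installed extension is exactly the pattern this campaign relied on, and it is what the `permission_escalation` alert surfaces.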
This incident underscores the importance of vigilance in the browser extension ecosystem and the need for robust security measures to protect against such threats.