Google has removed more than 500 extensions from the Chrome Web Store after they were found performing covert data exfiltration activities.
Independent security researcher Jamila Kaya and Cisco’s Duo Labs originally identified a network of 70 copycat plugins with 1.7 million users that were infecting users’ browsers and exfiltrating data. Further investigation led to the identification of more than 500 such extensions.
The applications were marketed as offering advertising as a service, but the developers obfuscated the functionality from users to connect the infected browsers to a command and control (C&C), exfiltrate users’ private browsing data, and evade the Chrome Web Store’s fraud detection.
The threat actor behind these extensions has been using the same infrastructure for at least one or two years, Cisco’s Duo Labs security researchers say. The plugins had nearly identical source code (only the names of the functions differed), had no ratings, and each referenced a “.com” website that was the exact name of the plugin.
Each of these extensions requests a high, nearly identical level of permissions, which gives it access to a large amount of data in the browser. The plugins also contacted identical external sites (except for the “front” sites) and employed sandbox evasion.
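The shared traits described above (a broad and nearly identical permission set across many extensions, and a homepage that is simply the extension's own name as a .com domain) can be turned into a triage check over a batch of extension manifests. The script below is an added example written for this article, not code from Duo Labs or the researchers; the high-risk permission list and the sample manifests are constructed assumptions, since the article does not list the actual permissions or extension names.

```python
"""Triage heuristic for a batch of Chrome extension manifests.

Added example (not from the article or Duo Labs). It flags the traits the
article describes: a broad permission set, a homepage or host that is the
extension's own name as a .com domain, and permission sets shared across
several extensions in the batch.
"""
import re
from collections import Counter

# Assumption: the article does not list the permissions involved, so this
# set is the reviewer's own choice of permissions that expose browsing
# data or allow request interception.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "tabs", "webRequest", "webRequestBlocking",
    "webNavigation", "cookies", "history", "storage",
}


def normalize_name(name):
    """Lower-case the name and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def all_permissions(manifest):
    """Union of MV2 'permissions' and MV3 'host_permissions'."""
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))


def hostnames_in(manifest):
    """Hostnames referenced by homepage_url and by URL-style permissions."""
    hosts = set()
    candidates = [manifest.get("homepage_url", "")] + sorted(all_permissions(manifest))
    for c in candidates:
        m = re.match(r"^(?:\*|https?)://([^/:]+)", c)
        if m:
            # "*.example.com" becomes "example.com"
            hosts.add(m.group(1).lower().lstrip("*."))
    return hosts


def name_as_dotcom(manifest):
    """True when a referenced host is exactly <normalized extension name>.com."""
    target = normalize_name(manifest.get("name", "")) + ".com"
    return target in hostnames_in(manifest)


def risky_permissions(manifest):
    return all_permissions(manifest) & HIGH_RISK_PERMISSIONS


def permission_signature(manifest):
    """Canonical permission tuple, used to find near-identical extensions."""
    return tuple(sorted(all_permissions(manifest)))


def triage(manifests, min_cluster=3, min_risky=4):
    """Return {ext_id: [flags]} for every manifest that trips a heuristic."""
    sigs = Counter(permission_signature(m) for m in manifests.values())
    findings = {}
    for ext_id, m in manifests.items():
        flags = []
        risky = risky_permissions(m)
        if len(risky) >= min_risky:
            flags.append("broad-permissions:" + ",".join(sorted(risky)))
        if name_as_dotcom(m):
            flags.append("homepage-is-name-dot-com")
        shared = sigs[permission_signature(m)]
        if shared >= min_cluster:
            flags.append("shares-permission-set-with-%d-others" % (shared - 1))
        if flags:
            findings[ext_id] = flags
    return findings


# Constructed sample batch: three copycat-style manifests and one benign one.
# Extension ids and names are made up for this example.
COPYCAT_PERMS = ["<all_urls>", "tabs", "webRequest", "webRequestBlocking",
                 "webNavigation", "storage"]
SAMPLE_MANIFESTS = {
    "ext-1": {"name": "Promo Deals Helper", "version": "1.0",
              "permissions": COPYCAT_PERMS,
              "homepage_url": "https://promodealshelper.com"},
    "ext-2": {"name": "Coupon Finder Pro", "version": "1.0",
              "permissions": COPYCAT_PERMS,
              "homepage_url": "https://couponfinderpro.com"},
    "ext-3": {"name": "Shop Saver Plus", "version": "1.0",
              "permissions": COPYCAT_PERMS,
              "homepage_url": "https://shopsaverplus.com"},
    "ext-4": {"name": "Word Counter", "version": "2.1",
              "permissions": ["activeTab"],
              "homepage_url": "https://github.com/example/word-counter"},
}

if __name__ == "__main__":
    for ext_id, flags in triage(SAMPLE_MANIFESTS).items():
        print(ext_id, "->", "; ".join(flags))
```

Each heuristic on its own produces false positives (plenty of legitimate extensions need `tabs` or `<all_urls>`), so the useful signal is the combination: an extension that hits all three flags within one batch is worth a manual look at its source for the C&C and redirect behaviour the article goes on to describe.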
Once installed, the plugins attempt to contact the site referenced by their names at regular intervals, to receive instructions on whether or not to uninstall. Next, they contact a C&C server to check regularly for instructions, information on where to upload data, and new domain and feed lists for advertisements and future redirects.
After receiving the new instructions, the plugins upload requested data, update their configuration, and get sent through a redirection stream.
Data is uploaded to data<.>multitext<.>com, a data exchange domain. Sent information includes usage, time, idle activity, tracking, and browser activity and statistics, without consent.
Redirection streams are employed for performing the malicious activity and ad fraud. While many of the ad streams are benign, over two-thirds of redirects lead to malicious sites that serve either malware or phishing.
Kaya also identified direct malware tied to these plugin sites, likely operated by the same user. The security researchers also identified malware tied to the Arcadeyum site and redirector domains.
“This tie-in, as well as the plugin proliferation, suggests that potentially this actor has been operating for a while and has continued to grow while avoiding detection,” Duo Labs notes.
The investigation suggests that the actor had been active for at least eight months, since January 2019, with a peak in activity between March and June 2019, when dozens of new variant plugins were released and new domains registered monthly.
However, some malware and domains associated with the traffic were registered in 2018 and 2017. The instruction domains were registered in June 2017, and Duo Labs believes the activity might have originated there.
“Multiple portions of the architecture to support this plugin network were created on the same day or month, with new components, such as redirector domains, released in chunks,” the researchers say.