Now on Demand: Zero Trust Strategies Summit - Access All Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Half Million Impacted by Four Malicious Chrome Extensions

Four malicious Chrome extensions managed to infect over half a million users worldwide, including employees of major organizations, ICEBRG reports.

Four malicious Chrome extensions managed to infect over half a million users worldwide, including employees of major organizations, ICEBRG reports.

The extensions were likely used to conduct click fraud and/or search engine optimization (SEO) manipulation, but they could have also been used by threat actors to gain access to corporate networks and user information, the security company warns.

The malicious extensions were discovered after observing an unusual spike in outbound traffic volume from a customer workstation to a European VPS provider, ICEBRG reveals. The HTTP traffic was associated with the domain ‘change-request[.]info’ and was generated from a Chrome extension named Change HTTP Request Header.

While the extension itself does not contain “any overtly malicious code,” the researchers discovered the combination of “two items of concern that” could result in the injection and execution of arbitrary JavaScript code via the extension.

Chrome can execute JavaScript code contained within JSON but, due to security concerns, extensions aren’t allowed to retrieve JSON from an external source, but need to explicitly request its use via the Content Security Policy (CSP).

When the permission is enabled, however, the extension can retrieve and process JSON from an externally-controlled server, which allows extension authors to inject and execute arbitrary JavaScript code when the update server receives a request.

What ICEBRG researchers discovered was that the Change HTTP Request Header extension could download obfuscated JSON files from ‘change-request[.]info’, via an ‘update_presets()’ function. The obfuscated code was observed checking for native Chrome debugging tools and halting the execution of the infected segment if such tools were detected.

After injection, the malicious JavaScript creates a WebSocket tunnel with ‘change-request[.]info’ and uses it to proxy browsing traffic via the victim’s browser.

Advertisement. Scroll to continue reading.

“During the time of observation, the threat actor utilized this capability exclusively for visiting advertising related domains indicating a potential click fraud campaign was ongoing. Click fraud campaigns enable a malicious party to earn revenue by forcing victim systems to visit advertising sites that pay per click (PPC),” ICEBRG reports.

The capability, however, can also be used by the threat actor to browse internal sites of victim networks, thus effectively bypassing perimeter controls.

The security researchers also discovered that Change HTTP Request Header wasn’t the only Chrome extension designed to work in this manner. Nyoogle – Custom Logo for Google, Lite Bookmarks, and Stickies – Chrome’s Post-it Notes show similar tactics, techniques, and procedures (TTPs) and feature the same command and control (C&C).

The Stickies extension was also observed using a different code injection pathway, but injecting JavaScript code nearly identical to that of other malicious extensions. It appears that the extension has a history of malicious behavior, as it was observed in early 2017 to be using the new code injection technique following an update.

“The inherent trust of third-party Google extensions, and accepted risk of user control over these extensions, allowed an expansive fraud campaign to succeed. In the hands of a sophisticated threat actor, the same tool and technique could have enabled a beachhead into target networks,” ICEBRG notes.

Considering the total installed user base of these malicious Chrome extensions, the malicious actor behind them has a substantial pool of resources to use for financial gain. Google, the National Cyber Security Centre of The Netherlands (NCSC-NL), the United States Computer Emergency Readiness Team (US-CERT), and customers who were directly impacted have been alerted on the issue.

 Related: Hijacked Extensions Put 4.7 Million Chrome Users at Risk

Related: Unpatched Vulnerabilities Impact Popular Browser Extension Systems

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Former Darktrace CEO Poppy Gustafsson has joined the UK government as Minister for Investment.

Nupur Goyal has joined cloud identity security and management solutions provider Saviynt as VP of Product Marketing.

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.