Tens of Malicious Chrome Extensions Used in Global Surveillance Campaign

Malicious Chrome extensions employed in a massive global surveillance campaign have been downloaded by millions before removal, Awake Security reveals.

The campaign, which impacted users across a large number of geographies and industry segments, exploited Internet domain registration and users’ reliance on browsers to spy on them and steal data en masse.

Awake’s investigation into this campaign revealed that the criminal activity has been abetted by Internet domain registrar CommuniGal Communication Ltd. (GalComm): 15,160 of the 26,079 reachable domains registered through GalComm are either malicious or suspicious.

Many of the 15,160 unique suspect or malicious domains identified as part of this campaign were hijacked: they were registered through GalComm immediately after they expired. Thus, the attackers could defeat detection mechanisms that look for brand new domains.
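The point above, that an age-only "new domain" check misses domains re-registered the moment they lapse, can be turned into a simple enrichment rule. The code below is an added example, not Awake's tooling; the records are constructed, and the registrar name is the one named in this article.

```python
"""Flag re-registered ("drop-caught") domains that age-only checks would miss."""
from datetime import date

# Constructed sample records (not data from the article or from any WHOIS source).
# "created" is the current registration date; "prior_expiry" is when the previous
# registration lapsed, or None if the domain had never been registered before.
SAMPLE_RECORDS = [
    {"domain": "example-a.test", "registrar": "CommuniGal Communication Ltd.",
     "created": date(2020, 3, 2), "prior_expiry": date(2020, 3, 1)},
    {"domain": "example-b.test", "registrar": "CommuniGal Communication Ltd.",
     "created": date(2014, 6, 10), "prior_expiry": None},
    {"domain": "example-c.test", "registrar": "Some Other Registrar",
     "created": date(2020, 5, 20), "prior_expiry": None},
]
OBSERVED = date(2020, 6, 1)  # constructed date on which the lookup was run

def is_newly_registered(rec, observed=OBSERVED, max_age_days=30):
    """The conventional check: is the current registration younger than max_age_days?"""
    return (observed - rec["created"]).days <= max_age_days

def is_drop_caught(rec, max_gap_days=7):
    """Re-registered within max_gap_days of the previous registration lapsing."""
    if rec["prior_expiry"] is None:
        return False
    gap = (rec["created"] - rec["prior_expiry"]).days
    return 0 <= gap <= max_gap_days

def classify(rec, watched_registrars=("CommuniGal Communication Ltd.",), observed=OBSERVED):
    """Return the list of reasons a domain deserves a closer look (empty if none).
    Registrar membership is an enrichment signal for triage, not a verdict."""
    reasons = []
    if is_newly_registered(rec, observed):
        reasons.append("new-domain")
    if is_drop_caught(rec):
        reasons.append("drop-catch")
    if rec["registrar"] in watched_registrars:
        reasons.append("watched-registrar")
    return reasons

def suspicious_domains(records=SAMPLE_RECORDS):
    """Map domain -> reasons for every record that triggers at least one rule."""
    return {r["domain"]: classify(r) for r in records if classify(r)}

if __name__ == "__main__":
    for domain, reasons in suspicious_domains().items():
        print(domain, reasons)
```

Note that example-a.test is 91 days old at observation time, so the age-only rule ignores it; only the drop-catch rule surfaces it.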

The attackers have put a lot of effort into keeping their activity hidden. Not only did they manage to bypass multiple layers of security controls within organizations, but also avoided having their domains labeled as malicious by most security solutions.

Over the past three months, Awake identified 111 malicious or fake Chrome extensions that used GalComm domains for attacker command and control infrastructure and/or as loader pages. The extensions are capable of taking screenshots, reading the clipboard, harvesting credential tokens, and logging user keystrokes, among other malicious activity.

Seventy-nine extensions were found in the Chrome Web Store in May and Awake discovered that they gathered roughly 33 million downloads before their takedown. The security firm published TSV lists of IDs for these malicious Chrome extensions.
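A published TSV of extension IDs is only useful once it is matched against what is actually installed. The code below is an added example, not Awake's own tooling; it assumes a TSV with an `extension_id` column (a constructed layout), uses placeholder IDs rather than real ones from the published lists, and relies on the fact that each subfolder of a Chrome profile's `Extensions` directory is named by extension ID (on Linux typically `~/.config/google-chrome/Default/Extensions`).

```python
"""Match installed Chrome extension IDs against a blocklist TSV."""
import csv
import io
import os
import re
import tempfile

# Chrome extension IDs are 32 characters from the alphabet a-p (hex digits mapped to a..p).
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# Constructed sample blocklist. These IDs are placeholders, NOT IDs from Awake's lists.
SAMPLE_BLOCKLIST_TSV = (
    "extension_id\tnote\n"
    "aaaabbbbccccddddeeeeffffgggghhhh\tplaceholder malicious id\n"
    "ppppoooonnnnmmmmllllkkkkjjjjiiii\tplaceholder malicious id\n"
    "not-a-valid-id\tmalformed row, should be skipped\n"
)

def load_blocklist(tsv_text):
    """Return the set of well-formed extension IDs from a TSV blocklist; skip malformed rows."""
    ids = set()
    for row in csv.DictReader(io.StringIO(tsv_text), delimiter="\t"):
        ext_id = (row.get("extension_id") or "").strip().lower()
        if EXT_ID_RE.match(ext_id):
            ids.add(ext_id)
    return ids

def installed_extension_ids(extensions_dir):
    """Collect IDs from a profile's Extensions/ folder; a missing folder yields an empty set."""
    if not os.path.isdir(extensions_dir):
        return set()
    return {d.lower() for d in os.listdir(extensions_dir)
            if EXT_ID_RE.match(d) and os.path.isdir(os.path.join(extensions_dir, d))}

def find_blocklisted(extensions_dir, tsv_text):
    """Sorted list of installed IDs that appear in the blocklist."""
    return sorted(installed_extension_ids(extensions_dir) & load_blocklist(tsv_text))

def demo():
    """Build a throwaway Extensions/ tree with one blocklisted and one clean placeholder ID."""
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id in ("aaaabbbbccccddddeeeeffffgggghhhh", "abcdefghijklmnopabcdefghijklmnop"):
            os.makedirs(os.path.join(tmp, ext_id, "1.0_0"))
        return find_blocklisted(tmp, SAMPLE_BLOCKLIST_TSV)

if __name__ == "__main__":
    print(demo())
```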

Awake’s security researchers discovered that the threat actor behind the activity managed to establish a persistent foothold in approximately 100 networks of organizations in the financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government sectors.

“These campaigns have been ongoing for years while customers have deployed best-in-class security solutions. The research shows how attackers attempted to evade detection, but the TTPs, in this case, appear to have hit a blind spot in many traditional approaches to security—e.g. reputation engines, sandboxes and endpoint detection and response solutions,” the researchers note.

To stay undetected, the attackers implemented a filtering method where only requests coming from a broadband, cable, fiber, mobile, or similar fixed-line Internet Service Provider (ISP) type of network were directed to malicious payloads, whereas those coming from data centers, web hosting services, transit networks, VPNs, or proxies would be redirected to a benign page.

The extensions appear benign at first, but the attackers likely pushed malicious payloads to them after the clean versions were approved. In some cases, users were tricked into installing the malicious extensions from professional-looking websites, others were downloaded by previously installed adware, while some were added multiple times to the Chrome Web Store, with only a few variations.

Some of the malicious extensions bypassed the Chrome Web Store entirely: a self-contained Chromium package bundled with other extensions tricks users, when prompted at first run, into making a new rogue browser their default. Unlike Chrome, this Chromium-based browser accepts extensions from any source, not only those in the Chrome Web Store.

“These rogue browsers appeared to have been installed by existing potentially unwanted programs (PUPs) already present on the victim system. This is very effective since the rogue browsers are self-contained, meaning other than the ability to just execute a program locally, very few other permissions are necessary,” Awake explains.

Related: Google Steps Up Fight on Spam in Chrome Web Store

Related: Google Axes 500 Chrome Extensions Exfiltrating User Data

Related: Google Halts Publishing of Paid Chrome Extensions Due to Fraud

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
