Malicious Chrome extensions employed in a massive global surveillance campaign have been downloaded by millions before removal, Awake Security reveals.
The campaign, which impacted users across a large number of geographies and industry segments, exploited Internet domain registration and users’ reliance on browsers to spy on them and steal data en masse.
Awake’s investigation into this campaign revealed that the criminal activity has been abetted by Internet domain registrar CommuniGal Communication Ltd. (GalComm): 15,160 of the 26,079 reachable domains registered through GalComm are either malicious or suspicious.
Many of the 15,160 unique suspicious or malicious domains identified as part of this campaign were hijacked: they were registered through GalComm immediately after they expired. Because such a domain has a long registration history, the attackers could defeat detection mechanisms that only look for brand-new domains.
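As an added illustration (not code from Awake's report), the snippet below shows why a plain domain-age check misses these hijacked domains and what a complementary check looks like: a domain whose current registration was created within days of the previous registration's expiry is flagged even when it is not "new". The WHOIS-style record layout, the field names, the sample domains and the thresholds are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass
class DomainRecord:
    """Hypothetical WHOIS-style record; the field names are assumptions."""
    name: str
    registrar: str
    created: date                    # creation date of the current registration
    previous_expiry: Optional[date]  # expiry date of the prior registration, if known


# Constructed sample records; none of these names come from the report.
SAMPLE_RECORDS = [
    DomainRecord("old-brand.example", "GalComm", date(2020, 3, 2), date(2020, 3, 1)),
    DomainRecord("brand-new.example", "GalComm", date(2020, 5, 20), None),
    DomainRecord("long-lived.example", "OtherRegistrar", date(2012, 1, 15), None),
    DomainRecord("recycled.example", "OtherRegistrar", date(2019, 8, 10), date(2019, 8, 9)),
]

# Constructed "today" used for the sample run below.
SAMPLE_TODAY = date(2020, 6, 18)

# Registrars whose registrations get an extra look; GalComm is the one the report names.
WATCHED_REGISTRARS: FrozenSet[str] = frozenset({"GalComm"})


def is_newly_registered(rec: DomainRecord, today: date, max_age_days: int = 30) -> bool:
    """The classic 'new domain' check that drop-catching is designed to defeat."""
    return (today - rec.created).days <= max_age_days


def is_drop_catch(rec: DomainRecord, max_gap_days: int = 7) -> bool:
    """Flags a domain re-registered within max_gap_days of its previous expiry."""
    if rec.previous_expiry is None:
        return False
    gap = (rec.created - rec.previous_expiry).days
    return 0 <= gap <= max_gap_days


def score_domain(rec: DomainRecord, today: date) -> List[str]:
    """Returns the reasons a domain deserves a closer look (empty list = none)."""
    reasons: List[str] = []
    if is_newly_registered(rec, today):
        reasons.append("new-registration")
    if is_drop_catch(rec):
        reasons.append("re-registered-right-after-expiry")
    if rec.registrar in WATCHED_REGISTRARS:
        reasons.append("watched-registrar")
    return reasons


def flag_domains(records, today: date) -> Dict[str, List[str]]:
    """Maps each flagged domain name to its reasons; clean domains are omitted."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        reasons = score_domain(rec, today)
        if reasons:
            result[rec.name] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in flag_domains(SAMPLE_RECORDS, SAMPLE_TODAY).items():
        print(f"{name}: {', '.join(reasons)}")
```

In the sample run, old-brand.example is over a hundred days old and passes the age check, yet it is flagged because it was re-registered one day after expiring and through a watched registrar; the expiry-to-creation gap is the signal the age-only check throws away.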
The attackers have put a lot of effort into keeping their activity hidden. Not only did they manage to bypass multiple layers of security controls within organizations, but they also avoided having their domains labeled as malicious by most security solutions.
Over the past three months, Awake identified 111 malicious or fake Chrome extensions that used GalComm domains for attacker command and control infrastructure and/or as loader pages. The extensions can engage in malicious activity such as taking screenshots, reading the clipboard, harvesting credential tokens, and logging user keystrokes.
Seventy-nine extensions were found in the Chrome Web Store in May and Awake discovered that they gathered roughly 33 million downloads before their takedown. The security firm published TSV lists of IDs for these malicious Chrome extensions.
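The published ID lists are only useful if they are actually compared against what is installed. The following added example (not Awake's tooling) parses a TSV of extension IDs, enumerates the extensions present in a Chrome profile directory and reports any overlap. The sample IDs and the TSV layout are constructed for this example and are not taken from the real lists; the profile path and the assumption that unpacked extensions live under <profile>/Extensions/<id>/<version>/ are also assumptions.

```python
import os
import re
from typing import Iterable, List, Set

# Chrome extension IDs are 32 characters from the letters a-p
# (the leading hex digits of a public-key hash remapped onto a-p).
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")

# Constructed sample IDs; they are NOT from Awake's published lists.
SAMPLE_ID_1 = "abcdefghijklmnop" * 2
SAMPLE_ID_2 = "p" * 16 + "a" * 16

# Constructed blocklist in a simple TSV shape: header row, then one ID per line.
SAMPLE_BLOCKLIST_TSV = (
    "extension_id\tnote\n"
    f"{SAMPLE_ID_1}\tconstructed example 1\n"
    f"{SAMPLE_ID_2}\tconstructed example 2\n"
    "not-a-valid-id\tmalformed row that is skipped\n"
)


def parse_blocklist_tsv(text: str) -> Set[str]:
    """Collects the first column of each row, keeping only well-formed extension IDs.
    The header row and malformed rows fail the regex and are dropped."""
    ids: Set[str] = set()
    for line in text.splitlines():
        first = line.split("\t", 1)[0].strip().lower()
        if EXTENSION_ID_RE.match(first):
            ids.add(first)
    return ids


def list_installed_extension_ids(profile_dir: str) -> Set[str]:
    """Enumerates extension IDs from a Chrome profile directory.
    Assumption: unpacked extensions live under <profile>/Extensions/<id>/<version>/."""
    ext_dir = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_dir):
        return set()
    return {d for d in os.listdir(ext_dir) if EXTENSION_ID_RE.match(d)}


def find_blocklisted(installed: Iterable[str], blocklist: Set[str]) -> List[str]:
    """Returns the sorted IDs that are both installed and on the blocklist."""
    return sorted(i for i in set(installed) if i in blocklist)


if __name__ == "__main__":
    import sys
    # Default to a Linux Chrome profile path (an assumption); pass another
    # profile directory as the first argument to check a different profile.
    profile = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser(
        "~/.config/google-chrome/Default")
    blocklist = parse_blocklist_tsv(SAMPLE_BLOCKLIST_TSV)
    hits = find_blocklisted(list_installed_extension_ids(profile), blocklist)
    print("blocklisted extensions found:", hits or "none")
```

Run it with the real TSV substituted for the constructed one, and across every profile directory on a host rather than just Default; an extension that was removed from the Web Store stays installed until the browser or an administrator removes it, so the store takedown alone does not clean up endpoints.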
Awake’s security researchers discovered that the threat actor behind the activity managed to establish a persistent foothold in approximately 100 networks of organizations in the financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government sectors.
“These campaigns have been ongoing for years while customers have deployed best-in-class security solutions. The research shows how attackers attempted to evade detection, but the TTPs, in this case, appear to have hit a blind spot in many traditional approaches to security—e.g. reputation engines, sandboxes and endpoint detection and response solutions,” the researchers note.
To stay undetected, the attackers filtered visitors by network type: only requests originating from a broadband, cable, fiber, mobile, or similar consumer Internet Service Provider (ISP) network were served the malicious payloads, while requests from data centers, web hosting services, transit networks, VPNs, or proxies were redirected to a benign page. Automated analysis that originates from data-center address space, such as sandboxes and scanners, therefore saw only the harmless content.
The extensions appear benign at first, but the attackers likely pushed malicious payloads to them after the clean versions were approved. Delivery varied: in some cases users were tricked into installing the malicious extensions from professional-looking websites; in others the extensions were installed by adware already present on the system; and some were submitted to the Chrome Web Store multiple times with only minor variations.
Some of the malicious extensions bypassed the Chrome Web Store entirely: a self-contained Chromium package bundled with other extensions prompts users at first run to make a new, rogue browser their default. Unlike Chrome, this Chromium-based browser accepts extensions from any source, not only those in the Chrome Web Store.
“These rogue browsers appeared to have been installed by existing potentially unwanted programs (PUPs) already present on the victim system. This is very effective since the rogue browsers are self-contained, meaning other than the ability to just execute a program locally, very few other permissions are necessary,” Awake explains.