Analysis Summary

An unknown threat actor has been distributing malicious Chrome browser extensions since February 2024, disguising them as legitimate utilities such as productivity tools, ad/media creation platforms, VPNs, crypto apps, and banking services. These extensions are hosted on both deceptive websites and the official Chrome Web Store (CWS), enabling them to appear in standard search results and within the CWS itself, making them seem credible to unsuspecting users.

According to Researchers, while these extensions offer expected functionalities, they secretly exfiltrate data, steal cookies and credentials, hijack sessions, manipulate web traffic, inject ads, and redirect users to phishing pages. The extensions exploit excessive permissions defined in the manifest.json file, allowing them to interact with all visited sites, execute attacker-controlled scripts, and route traffic via WebSocket proxies.

The malware also uses a technique involving the onreset event handler on temporary DOM elements to bypass content security policy (CSP) restrictions and execute arbitrary code. Over 100 fake websites have been linked to the campaign, some impersonating well-known platforms like DeepSeek, Manus, DeBank, FortiVPN, and Site Stats.

While the precise method for directing users to these sites remains unclear, researchers suspects common social engineering methods, including phishing, social media, Facebook ads, and Facebook groups or pages, are involved. Notably, some lure websites contained Facebook tracking IDs, further indicating Meta platform usage in the campaign.

Google has since removed the identified malicious extensions. However, researchers warn that due to rating manipulation tactics, such as redirecting low-star reviewers to private feedback forms and only allowing high ratings on the Chrome Web Store, users must be vigilant. Users are advised to download extensions only from verified developers, carefully review permissions, and avoid extensions that mimic legitimate brands or request excessive access.

Impact

• Credential Theft
• Data Exfiltration
• Unauthorized Access

Indicators of Compromise

Domain Name

• debank-extension.world
• debank.sbs
• debank.click
• earthvpn.top
• manusai.sbs
• youtube-vision.com
• crypto-whale.info
• deepseek-ai.link
• calendlydaily.world
• cryptowhalesvision.world
• creativehunter.world
• squirrel-wallet.world
• calendly-director.com
• ad-vision.top
• youtube-vision.world
• ad-vision.click
• forti-vpn.com
• lockads.org
• wobblefizz.top
• zingleflap.top
• floopdoodle.top
• wibblywob.top
• snickerdoodle.top
• wobbleguff.top
• sprocketwhirl.top
• jumblefizz.top
• quirkleblip.top
• twizzleflap.top
• fizzlepopcorn.top
• glimmerbloop.top
• noodlequack.top
• blurflewhack.top
• snogglewomp.top
• flibberwump.top
• digigtalneo.top
• digigtalwow.top
• spaceball.top
• iochange.top
• iohub.sbs
• infonet.sbs
• datazen.sbs
• infograph.top
• zorpleflux.top

Remediation

• Monitor browser extension installations across enterprise endpoints using EDR or browser telemetry tools.
• Flag and investigate extensions with excessive permissions in the manifest.json file.
• Block known malicious domains and lure websites associated with fake extensions using threat intel feeds.
• Create alerts for unusual WebSocket activity originating from browsers.
• Implement policies to restrict installation of Chrome extensions to only those from approved developers.
• Use DNS and firewall rules to prevent access to domains hosting or linked with malicious extension campaigns.
• Regularly review user browser extension lists and cross-check with threat intelligence sources.
• Integrate Chrome enterprise policies to limit or control extension permissions at the browser level.
• Scan for signs of credential theft or session hijacking in browser and proxy logs.
• Educate users to avoid installing browser extensions from untrusted or newly published sources.
• Leverage threat hunting to detect indicators of content security policy bypass attempts.
• Investigate abnormal ad injection behaviors or unexpected browser redirection incidents.
• Remove unauthorized or suspicious extensions during regular SOC triage and response activities.