Full Report
Cybersecurity researchers have discovered a network of 152 Google Chrome extensions that act as new tab live wallpaper add-ons to distribute a potentially unwanted program (PUP) family. The cluster spans 38 separate Chrome Web Store publisher accounts and three brand backends: tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com. They have been collectively installed 105,000 times. The
Analysis Summary
# Tool/Technique: Chrome Live Wallpaper PUP Extensions
## Overview
This threat involves a coordinated network of 152 malicious Google Chrome extensions disguised as "Live Wallpaper" add-ons. Their primary purpose is to infiltrate the browser environment to distribute Potentially Unwanted Programs (PUPs) and likely engage in search hijacking or unauthorized data collection. The campaign demonstrates significant infrastructure scaling, utilizing 38 distinct publisher accounts to bypass store moderation and maintain persistence.
## Technical Details
- **Type:** Malware Family / Potentially Unwanted Program (PUP)
- **Platform:** Web Browsers (Google Chrome / Chromium-based)
- **Capabilities:** New Tab hijacking, Extension-based persistence, Redirects, Ad-delivery.
- **First Seen:** Discovery reported in late 2023/early 2024.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise (via Chrome Web Store listings)
- **TA0003 - Persistence**
  - T1176 - Browser Extensions
- **TA0005 - Defense Evasion**
  - T1562.001 - Impair Defenses: Disable or Modify Tools (Overriding default browser behavior)
- **TA0011 - Command and Control**
  - T1071.001 - Web Service: Application Layer Protocol (C2 via backend brand domains)
## Functionality
### Core Capabilities
- **New Tab Hijacking:** Replaces the user's default "New Tab" page with a custom interface controlled by the attacker.
- **Social Engineering:** Uses "Live Wallpaper" and "Gaming" lures to entice users into installation.
- **Infrastructure Decentralization:** Utilizes a large volume of developer accounts (38) to ensure that if one extension is flagged, the rest of the network remains operational.
### Advanced Features
- **Backend Communication:** Extensions connect to specific brand backends for configuration updates and content delivery.
- **Cross-Brand Synergy:** Uses three distinct "brands" (Tabplugins, Yowgames, Chromewallpaper) to target different user demographics.
## Indicators of Compromise
- **Network Indicators:**
  - tabplugins[.]com
  - yowgames[.]com
  - chromewallpaper[.]com
- **Behavioral Indicators:**
  - Modification of the Chrome `preferences` file related to `new_tab_url`.
  - Excessive requests to the aforementioned domains upon opening new tabs.
  - Presence of unrecognized extensions with "Live Wallpaper" or "4K Background" in the name.
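To make the network and behavioral indicators above actionable, the following added example (not part of the report) scans simplified DNS/proxy log lines for the three backend domains, matching the apex domain and any subdomain while rejecting look-alike hosts, and counts hits per client so that a burst of requests (the "excessive requests" indicator) stands out. The log format, the log lines and the hit threshold are constructed assumptions.

```python
"""Added example (not from the report): flag DNS/proxy log lines that resolve or
request the report's three backend domains, and count hits per client so that
bursts (the "excessive requests" behavioural indicator) stand out.
The log format and the log lines below are constructed for this example."""
import re
from collections import Counter

# Indicators from the report, written defanged as in the IoC list.
DEFANGED_IOCS = ["tabplugins[.]com", "yowgames[.]com", "chromewallpaper[.]com"]


def refang(domain: str) -> str:
    """Turn 'example[.]com' into 'example.com' for matching."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def ioc_domain_for(host: str):
    """Return the matching IoC domain if host is that domain or a subdomain of it,
    otherwise None. 'nottabplugins.com' and 'yowgames.com.x.test' must not match."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Constructed log format: "<timestamp> <client_ip> <queried_or_requested_host>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)$")


def scan_log(lines):
    """Return ({client: hit_count}, [(client, host, ioc), ...]) for IoC hits."""
    per_client = Counter()
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        ioc = ioc_domain_for(m.group("host"))
        if ioc:
            per_client[m.group("client")] += 1
            hits.append((m.group("client"), m.group("host"), ioc))
    return per_client, hits


def noisy_clients(per_client, threshold=3):
    """Clients with at least `threshold` IoC hits (threshold is an assumption)."""
    return sorted(c for c, n in per_client.items() if n >= threshold)


SAMPLE_LOG = [  # constructed sample data
    "2024-01-10T09:00:01Z 10.0.0.5 cdn.tabplugins.com",
    "2024-01-10T09:00:02Z 10.0.0.5 www.yowgames.com",
    "2024-01-10T09:00:03Z 10.0.0.5 tabplugins.com",
    "2024-01-10T09:00:04Z 10.0.0.5 api.chromewallpaper.com",
    "2024-01-10T09:00:05Z 10.0.0.7 example.org",
    "2024-01-10T09:00:06Z 10.0.0.7 nottabplugins.com",                # must not match
    "2024-01-10T09:00:07Z 10.0.0.9 yowgames.com.lookalike.test",      # must not match
    "garbage line",
]

if __name__ == "__main__":
    counts, hits = scan_log(SAMPLE_LOG)
    for client, host, ioc in hits:
        print(f"{client} -> {host} (matches {ioc})")
    print("noisy clients:", noisy_clients(counts))
```

Suffix matching on `"." + ioc` is deliberate: a plain substring check would also fire on `nottabplugins.com`, and an exact-match check would miss the `cdn.` and `api.` hosts that extensions typically talk to.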
## Associated Threat Actors
- **Unknown Branded PUP Operators:** While no specific named APT is linked, the group manages a sophisticated distribution network focused on monetization through PUPs.
## Detection Methods
- **Signature-based detection:** Monitoring for the specific extension IDs and backend domain strings.
- **Behavioral detection:**
  - Monitoring for unauthorized changes to the browser's New Tab page settings.
  - Detecting non-standard Chrome Web Store developer accounts with high-volume, low-quality uploads.
- **Manual Audit:** Regularly checking `chrome://extensions` for tools not explicitly installed by the user.
## Mitigation Strategies
- **Prevention measures:**
  - Implement **Extension Install Allow-lists** or **Block-lists** via Group Policy (GPO).
  - Educate users on the risks of third-party "customization" extensions.
- **Hardening recommendations:**
  - Use Google Chrome's "Enhanced Protection" mode.
  - Force-uninstall extensions associated with the identified backend domains via endpoint management software.
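The manual audit in the Detection Methods section and the block-list mitigation above can be chained: the following added example (not the report's own tooling) walks an unpacked Chrome extensions directory in its on-disk layout (`<extension id>/<version>/manifest.json`), flags manifests that override the New Tab page, carry a "Live Wallpaper"/"4K Background" lure name, or reference the three backend domains in their host patterns, and emits the flagged IDs as an `ExtensionInstallBlocklist` policy fragment (the policy key Chrome reads from its managed policy JSON). The sample directory, its manifests and the 32-character extension IDs are constructed placeholders, not real extension IDs.

```python
"""Added example (not from the report): audit unpacked Chrome extensions for the
traits the report describes and turn flagged IDs into a blocklist policy fragment.
The sample directory and manifests are constructed; extension IDs are placeholders."""
import json
import os
import tempfile

IOC_DOMAINS = ("tabplugins.com", "yowgames.com", "chromewallpaper.com")
LURE_WORDS = ("live wallpaper", "4k background")

# Placeholder extension IDs (Chrome IDs are 32 letters a-p); these are not real ones.
SAMPLE_BAD_ID = "a" * 32
SAMPLE_GOOD_ID = "b" * 32


def audit_manifest(manifest: dict) -> list:
    """Return the reasons an extension resembles the reported PUP family ([] if none)."""
    reasons = []
    if "newtab" in manifest.get("chrome_url_overrides", {}):
        reasons.append("overrides the New Tab page")
    name = manifest.get("name", "")
    if any(w in name.lower() for w in LURE_WORDS):
        reasons.append(f"lure name: {name!r}")
    # Backend domains surface in host patterns: MV3 host_permissions, MV2 permissions,
    # and content-script match patterns.
    patterns = list(manifest.get("host_permissions", [])) + list(manifest.get("permissions", []))
    for cs in manifest.get("content_scripts", []):
        patterns.extend(cs.get("matches", []))
    for p in patterns:
        if any(d in p for d in IOC_DOMAINS):
            reasons.append(f"references IoC domain in {p!r}")
            break
    return reasons


def audit_extensions_dir(root: str) -> dict:
    """Walk <root>/<ext_id>/<version>/manifest.json; return {ext_id: reasons} for flagged ones."""
    flagged = {}
    for ext_id in sorted(os.listdir(root)):
        ext_dir = os.path.join(root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in sorted(os.listdir(ext_dir)):
            path = os.path.join(ext_dir, version, "manifest.json")
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            reasons = audit_manifest(manifest)
            if reasons:
                flagged[ext_id] = reasons
    return flagged


def blocklist_policy(ext_ids) -> dict:
    """Policy fragment using Chrome's ExtensionInstallBlocklist key."""
    return {"ExtensionInstallBlocklist": sorted(ext_ids)}


def build_sample_dir() -> str:
    """Create a constructed extensions directory with one suspicious and one benign entry."""
    root = tempfile.mkdtemp()
    samples = {
        SAMPLE_BAD_ID: {  # matches all three traits the report describes
            "manifest_version": 3,
            "name": "Ocean Live Wallpaper 4K",
            "chrome_url_overrides": {"newtab": "index.html"},
            "host_permissions": ["https://*.tabplugins.com/*"],
        },
        SAMPLE_GOOD_ID: {  # benign: no override, no IoC domain, plain name
            "manifest_version": 3,
            "name": "Tab Counter",
            "permissions": ["tabs"],
        },
    }
    for ext_id, manifest in samples.items():
        version_dir = os.path.join(root, ext_id, "1.0.0")
        os.makedirs(version_dir)
        with open(os.path.join(version_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    flagged = audit_extensions_dir(build_sample_dir())
    for ext_id, reasons in flagged.items():
        print(ext_id, "->", "; ".join(reasons))
    print(json.dumps(blocklist_policy(flagged), indent=2))
```

On a real host, point `audit_extensions_dir` at the profile's `Extensions` folder and review the reasons before deploying the policy: a New Tab override alone is legitimate for many extensions, so the domain and name traits are what distinguish this family.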
## Related Tools/Techniques
- **Search Hijackers:** Similar browser-based PUPs that redirect search queries to affiliate-monetized engines.
- **Adware:** Tools designed to inject advertisements into the browsing experience.
- **Malicious Chrome Extensions:** General category of threats leveraging the Chrome Web Store for distribution.