Full Report
Cybereason Security Services recently analyzed an investigation into a broader malicious Chrome extension campaign, part of which had been previously documented by DomainTools. While earlier iterations of this campaign involved the impersonation of a variety of services, the latest version shifts focus to Meta (Facebook/Instagram) advertisers through a newly crafted lure: “Madgicx Plus,” a fake AI-driven ad optimization platform. Promoted as a tool to streamline campaign management and boost ROI using artificial intelligence, the extension instead delivers potentially malicious functionality capable of hijacking business sessions, stealing credentials, and compromising Meta Business accounts. Notably, several domains associated with earlier parts of the campaign have been repurposed to promote this new theme, highlighting the operators’ tendency to recycle infrastructure while adapting their social engineering strategy to new targets.
Analysis Summary
# Tool/Technique: Malicious Chrome Extension Campaign (Lure: "Madgicx Plus")
## Overview
This refers to an ongoing, evolving malicious Chrome extension campaign that impersonates legitimate advertising optimization tools, specifically targeting Meta (Facebook/Instagram) advertisers. The latest iteration uses the lure "Madgicx Plus," a fake AI-driven ad optimization platform, to trick users into installing extensions capable of session hijacking, credential theft, and compromising Meta Business accounts. Threat actors are reusing infrastructure from previous phases of the campaign.
## Technical Details
- Type: Malware Family (Browser Extension/Malicious Software)
- Platform: Google Chrome (Browser/Extensions)
- Capabilities: Hijacking business sessions, stealing credentials, compromising Meta Business accounts, abusing brand impersonation.
- First Seen: Previous iterations documented by DomainTools; current variant recently analyzed by Cybereason.
## MITRE ATT&CK Mapping
Given the focus on session hijacking and credential theft via browser extensions:
- **TA0006 - Credential Access**
- **T1555 - Credentials from Password Stores** (If the extension attempts to scrape data from browser storage)
- **T1649 - Steal Application Access Token** (Explicitly targeting session tokens/business account access)
- **TA0011 - Command and Control** (Implied, as extensions typically communicate with infrastructure)
- **T1105 - Ingress Tool Transfer** (If further payloads are downloaded)
- **TA0003 - Persistence**
- **T1204.002 - User Execution: Malicious File** (User installs the extension)
## Functionality
### Core Capabilities
- **Impersonation & Social Engineering:** Masquerades as "Madgicx Plus," a legitimate-sounding AI ad optimization platform to appeal to Meta advertisers.
- **Session Hijacking:** Capable of taking over active business sessions related to Meta advertising platforms.
- **Credential Theft:** Designed to steal sensitive login data or authentication tokens associated with compromised accounts.
### Advanced Features
- **Infrastructure Reuse:** Threat actors demonstrate sophistication by repurposing domains previously associated with other, unrelated malicious extensions, indicating a mature, evolving operation rather than copycat attacks.
- **Broad Permission Abuse:** Extensions request broad permissions necessary to interact with the targeted web applications (Meta Business Suite/Ads Manager).
## Indicators of Compromise
The summary only provides network indicators (Lure Domains/Infrastructure).
- File Hashes: [Not specified in the context]
- File Names: [Not specified in the context; relies on the extension package name]
- Registry Keys: [Not applicable for basic browser extension artifacts, primarily confined to browser storage]
- Network Indicators:
- Behavioral Indicators: Extension requests broad permissions; observed interaction with Meta/Facebook URLs; attempts to bypass web security controls.
## Associated Threat Actors
[The article does not name a specific threat actor group, but refers to "operators" demonstrating continuity and infrastructure reuse.]
## Detection Methods
- **Signature-based detection:** Unknown; hashes of the extension package (`.crx`) or its manifest files could serve as signatures once known.
- **Behavioral detection:** Monitoring for extensions that request excessive permissions, especially those allowing content insertion or remote code execution, or exhibiting unusual network traffic directed at newly observed domains.
- **YARA rules:** [Not specified in the context]
## Mitigation Strategies
- **Verify before installing:** Always check the extension’s publisher, permissions requested, and user feedback history.
- **Clean up unused extensions:** Remove dormant or unneeded extensions to reduce potential attack surface.
- **Disable when unnecessary:** Temporarily disable extensions not required for current tasks.
- **Separate browsing contexts:** Use dedicated Chrome profiles for different high-value activities (work, banking, personal use).
- **Inspect and report:** Advanced users should review extension code if suspicious behavior is suspected.
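As an added defender-side example (not code from the Cybereason or DomainTools reports), the following Python triage script scores an extension's `manifest.json` against the permission and host patterns described under Detection Methods and Mitigation Strategies above: broad or session-capable permissions, and host access to Meta properties. The permission watch-list, host list and sample manifest are constructed for illustration.

```python
# Constructed watch-list: permissions that let an extension read or replay a
# logged-in session (cookies, request interception, injected scripts).
HIGH_RISK_PERMS = {
    "cookies": "can read session cookies for matching hosts",
    "webRequest": "can observe or modify HTTP requests",
    "webRequestBlocking": "can block or rewrite requests",
    "declarativeNetRequest": "can rewrite or strip security headers",
    "scripting": "can inject scripts into pages",
    "tabs": "can read URLs of open tabs",
    "<all_urls>": "can run on every site",
}
META_HOSTS = ("facebook.com", "instagram.com", "meta.com")

def _hosts_from_patterns(patterns):
    """Reduce match patterns like '*://*.facebook.com/*' to bare host names."""
    return [p.split("://", 1)[-1].split("/", 1)[0].lstrip("*.") for p in patterns]

def assess_manifest(manifest):
    """Return (score, findings) for a parsed manifest.json (MV2 or MV3)."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    for cs in manifest.get("content_scripts", []):
        hosts += cs.get("matches", [])
    for p in sorted(perms | set(hosts)):
        if p in HIGH_RISK_PERMS:
            findings.append(f"{p}: {HIGH_RISK_PERMS[p]}")
    meta = sorted({h for h in _hosts_from_patterns(hosts) if h.endswith(META_HOSTS)})
    if meta:
        findings.append("targets Meta hosts: " + ", ".join(meta))
    if meta and "cookies" in perms:
        findings.append("cookie access on Meta hosts: session theft possible")
    return len(findings), findings

# Constructed sample manifest for illustration; not the real extension's manifest.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Ad Optimizer Plus",
    "permissions": ["cookies", "tabs", "scripting", "storage"],
    "host_permissions": ["*://*.facebook.com/*", "*://*.instagram.com/*"],
    "content_scripts": [{"matches": ["https://business.facebook.com/*"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    score, notes = assess_manifest(SAMPLE_MANIFEST)
    print(f"risk score {score}:", *notes, sep="\n - ")
```

Run it against the `manifest.json` inside an unpacked extension directory; a high score on an extension whose stated purpose does not require cookie or Meta host access is the signal the Detection Methods section describes.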
## Related Tools/Techniques
- Broader history of malicious Chrome extension campaigns previously documented by DomainTools.
- Campaigns impersonating legitimate advertising technology (AdTech) solutions.