Full Report
Browser extensions can be really useful, but hidden dangers may lurk beyond their marketing.
# Analysis Summary
## Main Topic
This report covers malicious browser extensions hosted in the Google Chrome Web Store that compromise user security through undisclosed capabilities such as clipboard access manipulation, data exfiltration, and maintenance of Command-and-Control (C&C) infrastructure. These extensions bypassed the store's vetting process and had a combined install count exceeding 100,000.
## Key Points
- Malicious extensions exhibit deceptive behavior, contrasting their advertised functionality with hidden, risky operations.
- **Good Tab** grants full and insecure HTTP clipboard read/write permissions to a remote third party, enabling adversary-in-the-middle (AiTM) attacks and clipboard switching (e.g., cryptocurrency wallet address replacement).
- **Children Protection** implements a full C&C framework, harvests and exfiltrates user cookies (risking session hijacking), and utilizes a Domain Generation Algorithm (DGA) for resilient communications.
- Some extensions also include ad injection functionality for revenue generation.
- Insecure clipboard delegation via HTTP endpoints makes transmitted data vulnerable to interception.
## Threat Actors
- Threat actors are utilizing legitimate-looking extensions to host malicious functionality.
- Specific actor attribution is not provided, but TTPs (like DGA) are characteristic of advanced malware operations.
## TTPs
- **Clipboard Access Compromise:** Granting remote domains clipboard read/write access via insecure HTTP channels.
- **Data Exfiltration:** Harvesting browser cookies and sending them to remote servers.
- **Command and Control (C&C):** Establishing persistent communication channels; using Domain Generation Algorithms (DGA) to maintain communication resilience when primary C&C domains fail.
- **Obfuscation:** Employing file splitting and string chunking to hide malicious code from static analysis.
- **Ad Injection:** Inserting unauthorized advertisements for revenue.
## Affected Systems
- Google Chrome browser users installing the identified malicious extensions.
- **Affected Platforms:** The Chrome browser environment, potentially exposing sensitive data copied to the clipboard (passwords, keys, tokens).
## Mitigations
- Immediately uninstall the reported malicious extensions.
- Employ trusted endpoint security solutions (e.g., Symantec Endpoint Security) to check for signs of compromise.
- Practice caution when installing extensions: only use reputable sources, verify developer profiles/websites, and check reviews for warning signs.
- Utilize browser protection solutions (e.g., Symantec Browser Protection) to block malicious activity originating from web-borne threats.
- Report identified malicious extensions to Google immediately.
## Conclusion
The security landscape of browser extensions requires heightened user vigilance. Functionality exceeding advertised features, particularly involving clipboard access or reliance on external C&C infrastructure, signals immediate risk. Immediate removal of compromised extensions and adoption of layered browser protection are strongly advised.
## Indicators of Compromise (IoCs)
| Extension Name | Extension ID | Associated IOC | Purpose |
| :--- | :--- | :--- | :--- |
| Good Tab | glckmpfajbjppappjlnhhlofhdhlcgaj | hxxp://api[.]office123456[.]com/vcx/ | Clipboard access endpoint |
| Children Protection | giecgobdmgdamgffeoankaipjkdjbfep | hxxps://codon[.]vn/ext/xmshield[.]json | Primary C&C server |
| Children Protection | giecgobdmgdamgffeoankaipjkdjbfep | hxxp://*[^.]*[.]live/*.json (DGA pattern) | Fallback C&C domains |
| DPS Websafe | bjoddpbfndnpeohkmpbjfhcppkhgobcg | hxxp://www[.]dpswebsafe[.]com/rd/ | Search hijacking |
| DPS Websafe | bjoddpbfndnpeohkmpbjfhcppkhgobcg | hxxp://trk[.]entiretrack[.]com/ | User tracking |
| Stock Informer | beifiidafjobphnbhbbgmgnndjolfcho | hxxp://searchingpart[.]com | Search monetization |
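The IoC table above is only useful if it is turned into a check. The following script is an added example (not part of the report, and not Symantec tooling) that does two things with the table's values: it walks a Chrome profile's `Extensions` directory, where Chrome stores each installed extension under `Extensions/<32-character id>/<version>/manifest.json`, and flags any of the four listed extension IDs; and it matches the table's network indicators against proxy log lines. The proxy log format (`timestamp client-ip method url`) and the on-disk sample profile are constructed for the example, and the regex for the `hxxp://*[^.]*[.]live/*.json` DGA entry is my reading of that pattern as "any single label under `.live` serving a `.json` path".

```python
import re
import tempfile
from pathlib import Path

# Extension IDs taken from the report's IoC table (a Chrome extension ID is 32 chars, a-p).
MALICIOUS_EXTENSION_IDS = {
    "glckmpfajbjppappjlnhhlofhdhlcgaj": "Good Tab",
    "giecgobdmgdamgffeoankaipjkdjbfep": "Children Protection",
    "bjoddpbfndnpeohkmpbjfhcppkhgobcg": "DPS Websafe",
    "beifiidafjobphnbhbbgmgnndjolfcho": "Stock Informer",
}

# Network IoCs from the table with the hxxp / [.] defanging undone. The third entry is an
# assumption: the report's DGA pattern "hxxp://*[^.]*[.]live/*.json" read as a regex.
IOC_URL_PATTERNS = [
    (re.compile(r"^http://api\.office123456\.com/vcx/"), "Good Tab clipboard endpoint"),
    (re.compile(r"^https://codon\.vn/ext/xmshield\.json$"), "Children Protection primary C&C"),
    (re.compile(r"^http://[^./]+\.live/[^/]*\.json$"), "Children Protection DGA fallback"),
    (re.compile(r"^http://www\.dpswebsafe\.com/rd/"), "DPS Websafe search hijacking"),
    (re.compile(r"^http://trk\.entiretrack\.com/"), "DPS Websafe tracking"),
    (re.compile(r"^http://searchingpart\.com(/|$)"), "Stock Informer search monetization"),
]


def find_installed_malicious_extensions(extensions_root: Path) -> list[tuple[str, str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and report IDs on the IoC list.

    Returns (extension_id, name) pairs sorted by extension ID.
    """
    hits = []
    for entry in sorted(extensions_root.iterdir()):
        if not entry.is_dir() or entry.name not in MALICIOUS_EXTENSION_IDS:
            continue
        # Count it only if a version folder with a manifest exists, i.e. it is really installed.
        if any((v / "manifest.json").is_file() for v in entry.iterdir() if v.is_dir()):
            hits.append((entry.name, MALICIOUS_EXTENSION_IDS[entry.name]))
    return hits


def match_proxy_log(lines) -> list[tuple[str, str, str]]:
    """Match proxy log lines of the constructed form '<timestamp> <client-ip> <method> <url>'
    against the network IoCs. Returns (client_ip, url, label) for each hit."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than guess
        client, url = fields[1], fields[3]
        for pattern, label in IOC_URL_PATTERNS:
            if pattern.search(url):
                hits.append((client, url, label))
                break
    return hits


def build_sample_profile() -> Path:
    """Constructed on-disk layout mimicking a Chrome profile's Extensions folder."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    for ext_id in (
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",  # constructed benign ID, not a real extension
        "glckmpfajbjppappjlnhhlofhdhlcgaj",  # Good Tab
        "giecgobdmgdamgffeoankaipjkdjbfep",  # Children Protection
    ):
        version_dir = root / ext_id / "1.0.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text('{"manifest_version": 3}')
    return root


# Constructed proxy log lines: three IoC hits (one via the DGA pattern) and one benign request.
SAMPLE_PROXY_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.5 GET http://api.office123456.com/vcx/",
    "2024-05-01T10:00:01Z 10.0.0.5 GET https://example.com/index.html",
    "2024-05-01T10:00:02Z 10.0.0.7 GET https://codon.vn/ext/xmshield.json",
    "2024-05-01T10:00:03Z 10.0.0.7 GET http://qwerty123.live/config.json",
]

if __name__ == "__main__":
    for ext_id, name in find_installed_malicious_extensions(build_sample_profile()):
        print(f"installed malicious extension: {name} ({ext_id})")
    for client, url, label in match_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {url}  [{label}]")
```

To run this against a real machine, point `find_installed_malicious_extensions` at the profile's `Extensions` directory (for example `~/.config/google-chrome/Default/Extensions` on Linux) and feed `match_proxy_log` lines from your own proxy export after adapting the field positions. The DGA regex is deliberately broad, so treat a `.live` hit as a lead to investigate rather than a confirmed infection.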