Full Report
A Google Chrome Web Store campaign uses over 100 malicious browser extensions that mimic legitimate tools, such as VPNs, AI assistants, and crypto utilities, to steal browser cookies and execute remote scripts secretly. [...]
Analysis Summary
# Tool/Technique: Data-Stealing Chrome Extensions (Impersonating Fortinet, YouTube, VPNs)
## Overview
Malicious Google Chrome extensions that impersonate legitimate tools, including Fortinet VPN clients, YouTube helpers, and assorted VPN services. Their purpose is to steal browser cookies (including session tokens), inject phishing content into visited pages, and execute attacker-supplied code inside the user's browser session.
## Technical Details
- Type: Malware/Malicious Extension
- Platform: Google Chrome browser (potentially other Chromium-based browsers)
- Capabilities: Cookie theft (session tokens), DOM-based phishing, dynamic script injection, proxy functionality, network traffic modification.
- First Seen: Not specified in the article, but the campaign involves ongoing removal efforts by the Chrome Web Store.
## MITRE ATT&CK Mapping
The techniques observed center on stealing session material, executing remotely supplied code inside the browser, and relaying traffic through the victim's browser. The original mapping placed T1119 under TA0011 and listed PowerShell; TA0011 is Command and Control (Collection is TA0009), and the dynamically fetched scripts run as JavaScript inside the extension, not as PowerShell.
- **TA0003 - Persistence**
  - T1176 - Browser Extensions (the malicious extension itself, installed from the Web Store)
- **TA0002 - Execution**
  - T1204 - User Execution (the victim installs the extension and accepts its permission prompt)
  - T1059.007 - Command and Scripting Interpreter: JavaScript (remotely fetched scripts executed in the extension context)
- **TA0007 - Credential Access**
  - T1539 - Steal Web Session Cookie
  - T1555.003 - Credentials from Web Browsers
- **TA0009 - Collection**
  - T1119 - Automated Collection (cookies are harvested by script, not interactively)
  - T1560 - Archive Collected Data (payload compressed with pako before sending)
- **TA0011 - Command and Control**
  - T1090 - Proxy (the WebSocket tunnel turns the browser into a traffic relay)
  - T1132.001 - Data Encoding: Standard Encoding (Base64)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Cookie Theft:** Calling `chrome.cookies.getAll({})` with an empty filter, which returns every cookie for every host the extension is allowed to reach (the call needs the `cookies` permission plus matching host permissions, typically `<all_urls>`). The result is compressed with pako and Base64 encoded before exfiltration.
- **Data Exfiltration:** Sending the encoded cookie payload to an attacker-controlled backend (e.g., `infograph[.]top`).
- **Impersonation:** Masquerading as trusted software (e.g., "fortivpn") so that users install the extension and accept the broad permissions it requests.
### Advanced Features
- **Proxy Functionality:** Opening a WebSocket connection to an attacker-controlled server and using the browser as a network proxy, so that user traffic is routed through remote servers the attacker commands. Proxy authentication is handled by the extension, so authenticated upstream proxies are supported.
- **Dynamic Script Injection:** Fetching arbitrary JavaScript from the command-and-control (C2) infrastructure and executing it, so the extension's behaviour can be changed after installation without an update through the Web Store.
- **Phishing:** Injecting phishing content into the DOM of pages the victim visits.
## Indicators of Compromise
*Note: Specific IOCs were limited in the provided text. The following are generalized based on the description.*
- File Hashes: [Not explicitly provided]
- Extension Names: [Names mimicking legitimate software, e.g., "fortivpn"]
- Registry Keys: [N/A - Browser Extension scope]
- Network Indicators:
- C2 Domain: `infograph[.]top` (defanged)
- Behavioral Indicators:
- A call to `chrome.cookies.getAll({})` with an empty filter, together with a manifest that requests the `cookies` permission and broad host access (`<all_urls>`), which that call needs in order to return cookies for every site.
- Outbound HTTP requests from the browser carrying a Base64-encoded, compressed body to a domain unrelated to the extension's stated purpose.
- Long-lived WebSocket connections from the extension used as a proxy channel.
- Dynamic loading and execution of JavaScript fetched from a remote server.
## Associated Threat Actors
The article refers only to "the actor" behind the extensions and does not name a group. The motivation is financial: harvested credentials and session tokens can be sold or used directly, and a stolen corporate session token can provide an initial foothold into a corporate network without a password or MFA prompt.
## Detection Methods
- Signature-based detection: Blocking known malicious extension IDs, package hashes, or developer accounts once they are published by Google or researchers.
- Behavioral detection: Inspecting installed extensions for the permission set this behaviour requires (`cookies`, `proxy`, `webRequest`, `<all_urls>`) and for `chrome.cookies.getAll({})` in their source, and monitoring browser-process network traffic for POSTs of Base64 blobs or long-lived WebSocket sessions to unfamiliar domains, which is the observable side of cookie exfiltration and proxy use.
- YARA rules: Applicable to unpacked extension files analyzed statically, keyed on string patterns for C2 communication (WebSocket endpoints, the C2 domain) and cookie handling (`chrome.cookies.getAll`, pako compression, Base64 encoding).
## Mitigation Strategies
- **Prevention:** Only install extensions from reputable publishers with a proven track record on the Chrome Web Store; a familiar brand name in the listing (such as "fortivpn") is not evidence that the vendor published it.
- **Review:** Read the permission prompt and user reviews before installing, treating requests for `cookies`, `proxy`, or access to all sites from a single-purpose tool as red flags.
- **Principle of Least Privilege:** Review and restrict the permissions of installed extensions. In managed environments, Chrome's `ExtensionSettings` enterprise policy can block the `cookies` and `proxy` permissions outright (`blocked_permissions`) and limit installation to an allowlist.
- **Monitoring:** Monitor network traffic from browser processes for unauthorized transmission of encoded cookie data and for unexpected WebSocket sessions consistent with proxy activity.
## Related Tools/Techniques
- Other malicious Chrome extensions found on the web store.
- Tools or malware that leverage session hijacking via stolen cookies.
- General malware using data exfiltration techniques (Compression/Base64 encoding).