Full Report
Cybersecurity researchers have discovered five new malicious Google Chrome web browser extensions that masquerade as human resources (HR) and enterprise resource planning (ERP) platforms like Workday, NetSuite, and SuccessFactors to take control of victim accounts. "The extensions work in concert to steal authentication tokens, block incident response capabilities, and enable complete account
Analysis Summary
# Tool/Technique: Malicious Chrome Extensions Impersonating HR/ERP Tools (Workday, NetSuite, SuccessFactors)
## Overview
A cluster of five malicious Google Chrome browser extensions designed to masquerade as productivity tools offering access to HR/ERP platforms (Workday, NetSuite, SuccessFactors). Their primary purpose is to steal user authentication tokens, block incident response and administrative functions within the legitimate applications, and achieve complete account takeover via session hijacking.
## Technical Details
- Type: Malware (Browser Extensions)
- Platform: Google Chrome (Browser)
- Capabilities: Token/Cookie theft, DOM manipulation to block security pages, Session hijacking via cookie injection, Evasion (disabling developer tools observation).
- First Seen: At least the DataByCloud 1 and DataByCloud 2 variants were published on August 18, 2021.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1204.002 - User Execution: Malicious File (Though delivered via extension store/third-party site, relies on user installation)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (Disabling DevTools)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (Stealing cookies)
- **TA0006 - Credential Access**
  - T1555.003 - Credentials from Web Browsers
- **TA0003 - Persistence**
  - T1594.007 - Input/Output: Browser Session Hijacking
## Functionality
### Core Capabilities
- **Authentication Token Theft:** All extensions collect authentication cookies/tokens for specified domains (Workday, NetSuite, SuccessFactors) and exfiltrate them to a remote server.
- **Session Hijacking:** The most sophisticated extension (Software Access) receives stolen cookies from the C2 and injects them directly into the victim's browser session to facilitate immediate account takeover.
- **C2 Infrastructure:** Communication with the C2 server occurs over HTTPS, so the C2 traffic is encrypted in transit.
### Advanced Features
- **Incident Response Blocking (DOM Manipulation):** Extensions like Tool Access 11 and Data By Cloud 2 actively manipulate the Document Object Model (DOM) of administrative pages within the target ERPs. This involves erasing page content or redirecting to malformed URLs, specifically targeting functions related to security configuration, IP management, session control, password changes, and 2FA device management.
- **Persistence/Evasion via Library Use:** Data By Cloud 1 incorporates the open-source `DisableDevtool` library to prevent users/security teams from inspecting the extension's code using browser developer tools.
- **Anti-Inspection:** Software Access includes protection for password input fields, preventing user inspection of credentials being typed.
- **Targeting Sandbox:** Data By Cloud 2 specifically targets the Workday sandbox environment (`workdaysuv[.]com`).
- **Coordinated Operation:** The campaign exhibits identical functionality and infrastructure patterns across different publishers, suggesting a coordinated threat operation.
- **Detection of Security Tools:** The extensions collectively monitor for the presence of 23 known security-related Chrome extensions (e.g., EditThisCookie, Cookie-Editor, ModHeader), likely to flag their presence to the attackers or alter behavior.
## Indicators of Compromise
- **File Hashes:** Not provided in the context.
- **File Names:** The extensions themselves are the artifacts, identified by their names and IDs:
  - DataByCloud Access (ID: oldhjammhkghhahhhdcifmmlefibciph)
  - Tool Access 11 (ID: ijapakghdgckgblfgjobhcfglebbkebf)
  - DataByCloud 1 (ID: mbjjeombjeklkbndcjgmfcdhfbjngcam)
  - DataByCloud 2 (ID: makdmacamkifdldldlelollkkjnoiedg)
  - Software Access (ID: bmodapcihjhklpogdpblefpepjolaoij)
- **Registry Keys:** Not applicable to browser extensions within this context, though Chrome extension data is stored in the user profile.
- **Network Indicators:**
  - C2 Domain 1: `api.databycloud[.]com` (Used for cookie exfiltration)
  - C2 Domain 2: `api.software-access[.]com` (Used for receiving and injecting cookies for session hijacking)
- **Behavioral Indicators:**
  - Transmission of cookies to the C2 server every 60 seconds.
  - Real-time DOM manipulation of specific administrative URLs based on monitored page titles.
  - Attempting to load or utilize the `DisableDevtool` library logic.
## Associated Threat Actors
- Information not explicitly provided, but the operation appears coordinated under the publishers "databycloud1104" and "Software Access." Research attributes this to a sophisticated criminal operation targeting enterprise SSO/ERP usage.
## Detection Methods
- **Signature-based detection:** Identify the listed extension IDs on endpoints, and the extension names/publishers if their listings are still visible in the Chrome Web Store.
- **Behavioral detection:** Monitor network activity for unusual traffic patterns (e.g., cookie transmission every 60 seconds) targeting the listed C2 domains. Detect JavaScript code attempting to clear inputs or redirect page content upon loading specific Workday/NetSuite admin URLs.
- **YARA rules:** YARA rules could be written to detect the presence of the `DisableDevtool` library code signature within the extension's injected scripts.
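As an added example (not from the report or the original research), the following Python script audits a Chrome profile's `Extensions` directory for the extension IDs listed above and for the permission combination the report describes: the `cookies` permission together with host or content-script reach into the targeted HR/ERP domains. The domain list and the sample manifest are constructed assumptions, not data from the report.

```python
import json
from pathlib import Path
KNOWN_BAD_IDS = {  # extension IDs listed in the report above
    "oldhjammhkghhahhhdcifmmlefibciph": "DataByCloud Access",
    "ijapakghdgckgblfgjobhcfglebbkebf": "Tool Access 11",
    "mbjjeombjeklkbndcjgmfcdhfbjngcam": "DataByCloud 1",
    "makdmacamkifdldldlelollkkjnoiedg": "DataByCloud 2",
    "bmodapcihjhklpogdpblefpepjolaoij": "Software Access",
}
SENSITIVE_HOSTS = ["workday.com", "workdaysuv.com", "netsuite.com", "successfactors.com"]  # assumed

def pattern_covers(pattern, target):
    """True if a Chrome match pattern (or <all_urls>) reaches the given host."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False  # plain API permission such as "cookies" or "tabs"
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    if host == "*":
        return True
    if host.startswith("*."):
        return target == host[2:] or target.endswith(host[1:])
    return host == target

def audit_extension(ext_id, manifest):
    """Findings for one manifest: known-bad ID, and cookie/host reach into HR/ERP domains."""
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append("known malicious extension: " + KNOWN_BAD_IDS[ext_id])
    perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    patterns = perms + [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    exposed = sorted({t for t in SENSITIVE_HOSTS if any(pattern_covers(p, t) for p in patterns)})
    if exposed:  # cookie access plus reach into HR/ERP hosts is the combination the report describes
        kind = "cookies + host access to " if "cookies" in perms else "host/script access to "
        findings.append(kind + ", ".join(exposed))
    return findings

def audit_profile(extensions_dir):  # walks <profile>/Extensions/<id>/<version>/manifest.json
    results = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id = path.parent.parent.name  # Chrome stores each extension under its 32-char ID
        findings = audit_extension(ext_id, json.loads(path.read_text(encoding="utf-8")))
        if findings:
            results[ext_id] = findings
    return results

SAMPLE_MANIFEST = {  # constructed example modelled on the report, not the real extension's code
    "manifest_version": 3, "name": "Tool Access 11", "permissions": ["cookies", "storage", "tabs"],
    "host_permissions": ["https://*.workday.com/*", "https://*.netsuite.com/*"],
    "content_scripts": [{"matches": ["https://*.successfactors.com/*"], "js": ["content.js"]}]}
```

Run `audit_profile()` against each user's Chrome profile (for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows) and alert on any non-empty result; an extension that is not on the known-bad list but still combines `cookies` with reach into these domains deserves a manual review.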
## Mitigation Strategies
- **Prevention:** Do not install browser extensions from untrusted third-party sites or those making excessive permission requests (e.g., requesting modification/reading of cookies across major enterprise domains).
- **Hardening recommendations:**
  - Restrict the installation of browser extensions to approved lists via organizational policies (e.g., using Group Policy or MDM solutions).
  - Regularly audit installed extensions for unnecessary permissions (especially broad cookie/scripting access on sensitive domains).
  - Employ Content Security Policy (CSP) measures where possible to restrict DOM manipulation.
  - Utilize browser monitoring capabilities to detect attempted disabling of developer tools.
## Related Tools/Techniques
- **Session Hijacking Tools:** General browser extensions designed for cookie inspection/editing (e.g., EditThisCookie, Cookie-Editor) are being weaponized or monitored by this attacker infrastructure.
- **DOM Manipulation Libraries:** Use of evasion techniques similar to those found in legitimate tools but repurposed for malicious blocking actions.