Full Report
Cybersecurity researchers have flagged a new evolution of the GlassWorm campaign that delivers a multi-stage framework capable of comprehensive data theft and installing a remote access trojan (RAT), which deploys an information-stealing Google Chrome extension masquerading as an offline version of Google Docs. "It logs keystrokes, dumps cookies and session tokens, captures screenshots, and
Analysis Summary
# Tool/Technique: GlassWorm Multi-Stage Framework (Chrome Extension Variant)
## Overview
This is a multi-stage malware framework identified as part of the evolved **GlassWorm** campaign. Its primary purpose is comprehensive data theft and persistent remote access to compromised systems. A social engineering lure leads to the RAT, and the RAT installs a malicious Google Chrome extension disguised as the legitimate "Google Docs Offline" extension; from inside the browser the extension can read session cookies, log keystrokes and capture screenshots, activity that endpoint controls on the host may not see.
## Technical Details
- **Type:** Malware Framework / Remote Access Trojan (RAT) / Infostealer
- **Platform:** Windows (Initial stages), Google Chrome (Payload stage)
- **Capabilities:** Keystroke logging, session hijacking, screen capture, and persistent remote access.
- **First Seen:** GlassWorm itself was first publicly documented in October 2025; this report gives no firm date for the Chrome extension variant beyond calling it a new evolution of that campaign.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566 - Phishing (the report describes only a social engineering lure; the sub-technique is not established)
- **TA0003 - Persistence**
- T1176.001 - Software Extensions: Browser Extensions
- **TA0006 - Credential Access**
- T1555.003 - Credentials from Web Browsers
- T1056.001 - Input Capture: Keylogging
- T1539 - Steal Web Session Cookie
- **TA0009 - Collection**
- T1113 - Screen Capture
- T1185 - Browser Session Hijacking
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Browser Monitoring:** Logs keystrokes typed into pages where the extension's content script runs, which is every site once the extension holds broad host permissions.
- **Credential & Session Theft:** Dumps browser cookies and active session tokens; replaying a stolen session cookie gives the attacker the already-authenticated session, so MFA on the login step does not stop the account takeover.
- **Stealth Deployment:** Masquerades as the legitimate "Google Docs Offline" extension that Chrome installs by default, so its presence in the extension list does not look unusual to the user.
### Advanced Features
- **Remote Access (RAT):** Provides a backdoor through which the operator executes commands and stages additional modules, the Chrome extension among them.
- **Data Exfiltration:** Captures screenshots of the victim's desktop and sends them, together with the harvested cookies, tokens and keystrokes, to a C2 server.
## Indicators of Compromise
*(Note: the indicators below follow general GlassWorm patterns and are not confirmed from samples of this variant; verify hashes, file names and domains against a current threat feed before blocking on them)*
- **File Hashes:**
- (SHA256, placeholder only, not a usable indicator): `6a7c...[Verification Required]`
- **File Names:**
- `GoogleDocsOffline.crx`
- `chrome_extension_installer.exe`
- **Registry Keys:**
- `HKCU\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings` (Chrome keeps a per-extension HMAC under this key; the indicator is a subkey for an extension ID that is not in the Chrome Web Store or your allow-list, not the key's existence)
- **Network Indicators:**
- `hxxp[://]updates-googledocs[.]com/api/v1` (Defanged)
- `hxxp[://]glassworm-c2[.]net` (Defanged)
- **Behavioral Indicators:**
- Chrome launching with `--load-extension` pointing to a non-standard directory (e.g., under `%AppData%`), or an entry in the profile's `Preferences` / `Secure Preferences` file with `from_webstore` false or an unpacked install location.
- Unexpected outbound POST requests to unknown domains whose JSON body contains cookie records (objects with name, value and domain fields).
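The last two behavioral indicators as detection logic run over log lines, as an added example that is not part of the report or of any GlassWorm analysis. The JSON-lines proxy record format, the trusted-suffix list, the cookie-count threshold and the sample records are constructed for the example; the cookie field names are the ones Chrome's `chrome.cookies` API returns.

```python
"""Flag outbound POSTs that look like browser cookie exfiltration.

Added example, not code from the report or the GlassWorm analysis. It runs a
heuristic over proxy records in a constructed JSON-lines format and returns an
alert for each POST whose body carries Chrome-style cookie objects or whose
destination borrows Google branding without being a Google host.
"""
import json

# Suffixes treated as genuinely Google-owned (assumption: extend with your own list).
TRUSTED_SUFFIXES = (".google.com", ".googleapis.com", ".gstatic.com")
LOOKALIKE_TOKENS = ("google", "gdocs", "googledocs")
# Every cookie object returned by chrome.cookies.getAll() carries at least these keys.
COOKIE_KEYS = {"name", "value", "domain"}
MIN_COOKIES = 2  # one cookie-shaped object is often just a form; a dump has many


def is_lookalike_host(host: str) -> bool:
    """True for hosts that use Google branding but are not under a Google domain."""
    h = host.lower().rstrip(".")
    if h == "google.com" or h.endswith(TRUSTED_SUFFIXES):
        return False
    return any(tok in h for tok in LOOKALIKE_TOKENS)


def _walk(obj):
    """Yield every dict nested anywhere inside a parsed JSON value."""
    if isinstance(obj, dict):
        yield obj
        for value in obj.values():
            yield from _walk(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _walk(value)


def count_cookie_objects(body) -> int:
    """Number of cookie-shaped objects in a JSON body; 0 when the body is not JSON."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return 0
    return sum(1 for d in _walk(data) if COOKIE_KEYS.issubset(d))


def scan_proxy_log(lines, known_good_hosts) -> list:
    """Return one alert per POST record that matches the exfiltration heuristics."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        host = rec.get("host", "")
        if rec.get("method") != "POST" or host in known_good_hosts:
            continue
        reasons = []
        n = count_cookie_objects(rec.get("body", ""))
        if n >= MIN_COOKIES:
            reasons.append(f"{n} cookie-shaped JSON objects in POST body")
        if is_lookalike_host(host):
            reasons.append("Google-lookalike destination host")
        if reasons:
            alerts.append({"ts": rec.get("ts"), "src": rec.get("src"), "host": host,
                           "uri": rec.get("uri"), "reasons": reasons})
    return alerts


# Constructed sample records; hosts use reserved .example names and TEST-NET addresses.
_RECORDS = [
    {"ts": "2025-11-05T10:00:01Z", "src": "10.0.0.21", "method": "POST",
     "host": "updates-googledocs.example", "uri": "/api/v1",
     "body": json.dumps({"host": "WS-21", "cookies": [
         {"name": "SID", "value": "x1", "domain": ".google.com", "httpOnly": True},
         {"name": "session", "value": "x2", "domain": "mail.example.com", "secure": True},
         {"name": "csrftoken", "value": "x3", "domain": "crm.example.com"}]})},
    {"ts": "2025-11-05T10:00:02Z", "src": "10.0.0.21", "method": "GET",
     "host": "docs.google.com", "uri": "/document/u/0/", "body": ""},
    {"ts": "2025-11-05T10:00:03Z", "src": "10.0.0.22", "method": "POST",
     "host": "crm.example.com", "uri": "/api/ticket",
     "body": json.dumps({"title": "Printer offline", "priority": 2})},
    {"ts": "2025-11-05T10:00:04Z", "src": "10.0.0.23", "method": "POST",
     "host": "203.0.113.7", "uri": "/upload",
     "body": json.dumps([{"name": "theme", "value": "dark", "domain": "app.example.com"}])},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in _RECORDS)
KNOWN_GOOD_HOSTS = {"crm.example.com", "docs.google.com"}

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG.splitlines(), KNOWN_GOOD_HOSTS):
        print(alert["ts"], alert["src"], "->", alert["host"] + alert["uri"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

Only the first record trips the rule: three cookie-shaped objects posted to a host that borrows the "googledocs" name but is not under a Google domain. The single cookie-like object in the last record stays below the threshold, which keeps ordinary form posts quiet; tune `MIN_COOKIES` and `TRUSTED_SUFFIXES` to your own traffic.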
## Associated Threat Actors
- **GlassWorm:** tracked as an activity cluster; this report does not attribute it to a named group or region.
## Detection Methods
- **Signature-based detection:** Traditional AV signatures for the RAT component plus the malicious extension's ID; note that an extension ID is derived from the packing key, so a rebuilt package changes it and ID-based signatures need frequent refresh.
- **Behavioral detection:** Monitoring for extension installations that did not come through the Chrome Web Store or enterprise policy (sideloaded, unpacked or `--load-extension`), and for any extension named "Google Docs Offline" whose ID differs from Google's own.
- **YARA rules:** (illustrative; the `$str2` and `$str3` values are placeholder names, not strings recovered from a sample)
```yara
rule GlassWorm_Chrome_Ext
{
    meta:
        description = "Illustrative rule for a GlassWorm-style 'Google Docs Offline' lure; $str2 and $str3 are placeholders, not strings taken from a sample"
    strings:
        $str1 = "Google Docs Offline" ascii wide
        $str2 = "keystroke_logger" ascii wide
        $str3 = "session_token_dump" ascii wide
    condition:
        // $str1 alone also matches Chrome's legitimate extension and its locale files,
        // so never alert on it by itself
        2 of them
}
```
## Mitigation Strategies
- **Prevention measures:** Enforce an extension allow-list via Group Policy: set `ExtensionInstallBlocklist` to `*` and list approved IDs in `ExtensionInstallAllowlist` (or express the same with the `ExtensionSettings` policy), so that sideloaded and unapproved Web Store extensions cannot be installed.
- **Hardening recommendations:** Run managed Chrome so users cannot bypass extension policy; set `SafeBrowsingProtectionLevel` to enhanced protection (value 2).
- **User Training:** Google Docs Offline ships with Chrome and is updated through Google's own channel; a standalone installer or download offering it is a lure.
## Related Tools/Techniques
- **SugarGh0st RAT:** another RAT-plus-infostealer toolset; this report does not establish shared infrastructure with GlassWorm, so treat any claimed overlap as unverified.
- **Browser-in-the-Browser (BitB) phishing:** a different route to the same accounts: a spoofed sign-in pop-up harvests credentials instead of stealing the live session, and it needs no code running inside the victim's browser.