Full Report
A newly devised "polymorphic" attack allows malicious Chrome extensions to morph into other browser extensions, including password managers, crypto wallets, and banking apps, to steal sensitive information. [...]
Analysis Summary
# Tool/Technique: Malicious Chrome Extensions Spoofing Password Managers
## Overview
This refers to a specific attack methodology involving malicious Google Chrome extensions designed to impersonate legitimate, trusted extensions, specifically password managers like 1Password, in order to steal user credentials via sophisticated phishing.
## Technical Details
- Type: Technique (Leveraging custom malicious browser extensions)
- Platform: Google Chrome (and potentially other Chromium-based browsers)
- Capabilities: Extension hijacking, UI spoofing, credential harvesting, stealthy re-disguising.
- First Seen: Recent/Ongoing (Based on the context of the research by SquareX).
## MITRE ATT&CK Mapping
While not a specific tool with pre-defined TIDs, the actions map to several relevant techniques:
- **TA0001 - Initial Access / TA0006 - Credential Access**
  - T1204.002 - User Execution: Malicious File (Distribution often relies on users installing a malicious extension)
  - T1184 - Compromise Software Supply Chain (If the extension is installed via a trusted source like the Chrome Web Store)
- **TA0003 - Persistence**
  - T1078.004 - Valid Accounts: Cloud Accounts (The ultimate goal is credential theft for cloud/managed accounts)
- **TA0005 - Defense Evasion**
  - T1070 - Indicator Removal: Artifact Deletion (The extension reverts to its original state)
  - T1564.003 - Hide Artifacts: Replace Existing Content (Impersonating the legitimate extension's UI/icon)
## Functionality
### Core Capabilities
* **Initial Payload Delivery:** The malicious extension is installed, often disguised as a legitimate utility, and typically requests broad permissions during installation.
* **Target Identification:** Checks for the presence of specific target extensions (e.g., 1Password) via the `chrome.management` API or by attempting to inject resources onto visited websites.
* **Impersonation:** If the target is found, the malicious extension morphs:
  * Disables the legitimate extension (if the `chrome.management` API is permitted).
  * Changes its own icon and name to precisely match the legitimate password manager.
### Advanced Features
* **Stealthy Redirection:** If API permissions are lacking, file or URL resource injection is used to confirm the presence of the target extension.
* **UI Spoofing:** Displays fake login/session prompts (e.g., "Session Expired") that perfectly mimic the legitimate password manager's pop-up window.
* **Credential Phishing:** Captures credentials entered into the fake prompt and sends them to the attacker-controlled server.
* **Cover-up:** After data exfiltration, the malicious extension disables the impersonation, reverts to its original appearance, and re-enables the legitimate extension, leaving minimal trace of foul play.
## Indicators of Compromise
*Indicator details are limited as this describes a technique, not a specific, named malware sample.*
- File Hashes: N/A (Relies on the specific malicious extension published)
- File Names: N/A (Relies on the specific malicious extension published)
- Registry Keys: N/A (Browser-specific storage is used)
- Network Indicators: Attacker-controlled servers used to receive harvested credentials and potentially issue commands for morphing. (Specific domains/IPs not provided in the context).
- Behavioral Indicators: Abrupt, unauthorized changes to browser extension icons/names; frequent calls to `chrome.management` API; rendering of phishing content disguised as password manager alerts or login prompts.
## Associated Threat Actors
The context points to security researchers (SquareX) uncovering this technique, not a specific named threat group using it widely at the time of documentation.
## Detection Methods
- Signature-based detection: Limited, unless Google blocklists known malicious extension versions by hash.
- Behavioral detection: Crucial. Watch for rapid icon/name changes, calls to the `chrome.management` API with no user interaction to justify them, and the rendering of phishing modals that overlap legitimate login flows.
- YARA rules: N/A
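The behavioral indicators above can be checked mechanically against periodic snapshots of the installed-extension inventory. The following is an added example, not code from the article or from SquareX; the record shape is modelled on `chrome.management.getAll()` ExtensionInfo objects, the trusted-extension id, the `auditExtensions` name and both snapshots are constructed for illustration.

```javascript
// Added example (not the article's or SquareX's code): diff two inventory snapshots
// and flag the behaviours the write-up lists as indicators. Record shape follows
// chrome.management.getAll(): { id, name, enabled, permissions }. All data is constructed.
const TRUSTED = { "trusted-pw-manager-id": "1Password" }; // hypothetical id -> expected name

function auditExtensions(before, after) {
  const findings = [];
  const prev = new Map(before.map((e) => [e.id, e]));
  for (const ext of after) {
    const old = prev.get(ext.id);
    // Same extension id, different display name: the "morph" the write-up describes.
    if (old && old.name !== ext.name) {
      findings.push({ id: ext.id, rule: "name-changed", detail: `${old.name} -> ${ext.name}` });
    }
    // Name collides with a trusted extension, but the id is not the trusted one.
    const trustedId = Object.keys(TRUSTED).find((id) => TRUSTED[id] === ext.name);
    if (trustedId && trustedId !== ext.id) {
      findings.push({ id: ext.id, rule: "name-spoof", detail: `claims to be ${ext.name}` });
    }
    // The "management" permission lets an extension disable others; unusual for a utility.
    if ((ext.permissions || []).includes("management")) {
      findings.push({ id: ext.id, rule: "management-permission", detail: ext.name });
    }
    // A trusted extension was enabled in the last snapshot and is now disabled.
    if (TRUSTED[ext.id] && old && old.enabled && !ext.enabled) {
      findings.push({ id: ext.id, rule: "trusted-disabled", detail: ext.name });
    }
  }
  return findings;
}

// Constructed snapshots: a "PDF Helper" takes the 1Password name and the real one is disabled.
const BEFORE = [
  { id: "trusted-pw-manager-id", name: "1Password", enabled: true, permissions: ["storage"] },
  { id: "abcd-utility-id", name: "PDF Helper", enabled: true, permissions: ["storage", "management"] },
];
const AFTER = [
  { id: "trusted-pw-manager-id", name: "1Password", enabled: false, permissions: ["storage"] },
  { id: "abcd-utility-id", name: "1Password", enabled: true, permissions: ["storage", "management"] },
];

for (const f of auditExtensions(BEFORE, AFTER)) {
  console.log(`[${f.rule}] ${f.id}: ${f.detail}`);
}
```

Snapshots could come from Chrome enterprise reporting or an endpoint agent; the rules, not the data source, are the point.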
## Mitigation Strategies
* **Google/Platform Level:** Implement defenses to block abrupt extension icon/HTML changes or mandate user notification/re-authentication when these cosmetic/functional changes occur. Re-evaluate the risk level of the `chrome.management` API.
* **User Level:** Be highly skeptical of unexpected "Session Expired" prompts that require re-entry of a master password. If suspicious activity occurs, manually verify the extension's identity in the extension manager (bearing in mind that the attack is designed to make this hard).
## Related Tools/Techniques
* Browser-based phishing kits that rely on UI/UX manipulation.
* Other malicious Chrome extensions known for credential theft or session hijacking.