Full Report
Almost a dozen malicious extensions with 1.7 million downloads in Google's Chrome Web Store could track users, steal browser activity, and redirect to potentially unsafe web addresses. [...]
Analysis Summary
# Tool/Technique: Malicious Chrome/Edge Extensions (Browser Hijacking Operation)
## Overview
A browser-hijacking operation built on extensions published in the official Chrome Web Store (and also found in the Microsoft Edge Add-ons store). The extensions initially appeared legitimate (some had behaved benignly for years) and were later updated to include malicious code, so the compromise reached millions of users across both browsers.
## Technical Details
- Type: Malware Distributed via Legitimate Channels (Browser Extensions)
- Platform: Google Chrome, Microsoft Edge (Web Browsers)
- Capabilities: Browser hijacking, data tracking, silent updates introducing malicious code, potential for redirections.
- First Seen: Not explicitly stated, but malicious code was introduced later via updates to previously existing, potentially benign, extensions.
## MITRE ATT&CK Mapping
Based on the observed behavior (a store-delivered extension updated to hijack the browser, track activity and redirect navigation), the mapping centers on initial access through a trusted distribution channel, persistence inside the browser, and collection of browsing data.
- **TA0001 - Initial Access**
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain (a trusted extension, and with it the store's vetting and the browser's auto-update channel, delivers the payload)
- **TA0003 - Persistence**
- T1176 - Browser Extensions (sub-technique T1176.001 in recent ATT&CK versions; the extension reloads with the browser and survives restarts)
- **TA0009 - Collection**
- T1185 - Browser Session Hijacking (observing and manipulating the user's browsing from inside the browser; the redirect capability fits here)
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel (implied by the tracking capability; the article does not describe the channel)
*(Note: Drive-by Compromise, T1189, does not fit: users installed the extensions deliberately from the store, and the malicious code arrived through the update channel.)*
## Functionality
### Core Capabilities
- **Initial Presence:** Distributed via official browser extension stores (Chrome Web Store, Microsoft Edge Add-ons).
- **Malicious Update Delivery:** The malicious code arrived after initial publication, through the browsers' built-in extension auto-update mechanism, which installs new versions silently. Chrome and Edge only interrupt an update when it requests permissions that carry a new warning (the extension is then disabled until the user re-enables it); an extension that already held broad host access can ship entirely new code with no prompt at all.
- **Browser Hijacking:** Once active, the extensions could track users, capture browsing activity and redirect the browser to potentially unsafe addresses (per the report excerpt).
### Advanced Features
- **Bypassing Trust:** Utilizing trusted distribution channels (official stores) and exploiting years of benign operation by some extensions to build user trust before deploying harmful updates.
- **Large-Scale Deployment:** The excerpt cites 1.7 million downloads for the Chrome extensions alone; across Chrome and Edge the combined install base exceeded 2.3 million users.
## Indicators of Compromise
The article excerpt does not list extension names, IDs, hashes, or C2 infrastructure:
- File Hashes: [Not Available]
- File Names / Extension IDs: [Not Available (not listed in the provided text)]
- Registry Keys: [Not Applicable: a store-installed extension is recorded in the browser profile (Chrome's Preferences / Secure Preferences files), not in the registry; only enterprise-policy force-installs touch registry keys]
- Network Indicators: [Not Available (Koi Security's testing did not observe malicious redirections; the tracking capability implies communication with attacker infrastructure, but no domains or IPs are given)]
- Behavioral Indicators: Unauthorized changes to browser settings (search, home page, new-tab); an established, long-benign extension receiving an update that adds background code; extension background or content scripts observing navigation events and redirecting page loads.
## Associated Threat Actors
- Unattributed: unnamed cybercriminals who controlled, or gained control of, existing and previously benign extensions.
- Reported by Koi Security researchers, who discovered and analyzed the operation (researchers, not actors).
## Detection Methods
- Signature-based detection: Match installed extension IDs and versions against the published list of affected extensions, or match known malicious code within the extension's unpacked files (once identified).
- Behavioral detection: Keep an inventory of installed extensions (manifest version, permissions, host access, background scripts) and diff it over time; flag updates to long-standing extensions that add background code or broaden host access, extensions whose update URL is not the store's, and browser-originated connections to domains no installed extension has a reason to contact.
- YARA rules: Not specified.
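The update-delivery point above and the inventory-diff detection method both reduce to the same check: read the extension records a profile holds, score each manifest's permissions, and compare against an earlier snapshot. The script below is an added example (not from the report or from Koi Security) of that triage; the extension records are constructed to mimic the `extensions.settings` map Chromium writes to a profile's Preferences / Secure Preferences JSON, and the extension IDs, names and the earlier-audit baseline are hypothetical.

```python
"""Triage Chrome/Edge extension records for hijack indicators.

Added example, not code from the original report or from Koi Security. The
records below are constructed to mimic the ``extensions.settings`` map that
Chromium writes to a profile's Preferences / Secure Preferences JSON (fields
such as ``manifest``, ``from_webstore``, ``state``); all extension IDs, names
and the earlier-audit baseline are hypothetical.
"""
import json

# Permissions that let an extension watch or alter every page the user visits;
# any of them is enough for a tracking/redirect payload once the code changes.
HIGH_RISK = {"tabs", "webNavigation", "webRequest", "webRequestBlocking",
             "scripting", "declarativeNetRequest", "cookies", "history"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
STORE_UPDATE_URLS = {
    "https://clients2.google.com/service/update2/crx",          # Chrome Web Store
    "https://edge.microsoft.com/extensionwebstorebase/v1/crx",  # Edge Add-ons
}


def _hosts(manifest):
    # MV3 lists host patterns under host_permissions; MV2 mixed them into permissions.
    perms = manifest.get("permissions", [])
    return set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"}


def _background(manifest):
    # Background scripts (MV2) or the service worker (MV3) run without any page open.
    bg = manifest.get("background", {})
    return tuple(bg.get("scripts", [])) + ((bg["service_worker"],) if "service_worker" in bg else ())


def manifest_risk(manifest):
    """Reasons an installed manifest deserves a closer look."""
    reasons = set()
    if set(manifest.get("permissions", [])) & HIGH_RISK:
        reasons.add("high_risk_permissions")
    if _hosts(manifest) & BROAD_HOSTS:
        reasons.add("broad_host_access")
    if _background(manifest):
        reasons.add("background_code")
    if manifest.get("update_url") not in STORE_UPDATE_URLS:
        reasons.add("non_store_update_url")
    return reasons


def update_changes(old, new):
    """What an update changed between two manifests of the same extension."""
    changes = set()
    if set(new.get("permissions", [])) - set(old.get("permissions", [])):
        changes.add("new_permissions")       # Chrome disables the extension until re-approved
    if _hosts(new) - _hosts(old):
        changes.add("new_host_access")       # likewise prompts the user
    if set(_background(new)) - set(_background(old)):
        changes.add("new_background_code")   # no new warning: arrives silently via auto-update
    if new.get("version") != old.get("version") and not changes:
        changes.add("version_bump_only")     # code may still differ; diff the CRX contents
    return changes


def triage(prefs_text, baseline):
    """Walk extensions.settings and return {extension_id: set(findings)}."""
    settings = json.loads(prefs_text)["extensions"]["settings"]
    report = {}
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        findings = manifest_risk(manifest)
        if not entry.get("from_webstore", False):
            findings.add("not_from_store")   # sideloaded or policy-installed
        if ext_id in baseline:               # compare against an earlier inventory snapshot
            findings |= {"update:" + c for c in update_changes(baseline[ext_id], manifest)}
        report[ext_id] = findings
    return report


STORE = "https://clients2.google.com/service/update2/crx"
# Constructed sample: three hypothetical extensions in one profile.
SAMPLE_PREFERENCES = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"from_webstore": True, "state": 1, "manifest": {
        "name": "Plain Dark Theme", "version": "1.0.3",
        "permissions": ["storage"], "update_url": STORE}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"from_webstore": True, "state": 1, "manifest": {
        "name": "Tab Helper", "version": "2.4.0",
        "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "sw.js"}, "update_url": STORE}},
    "cccccccccccccccccccccccccccccccc": {"from_webstore": False, "state": 1, "manifest": {
        "name": "Coupon Finder", "version": "0.9",
        "permissions": ["webRequest", "https://*/*"],
        "update_url": "https://updates.example/crx"}},
}}})
# Constructed earlier-audit snapshot: "Tab Helper" had the same broad permissions
# at 2.3.1 but no background code, so its update needed no user approval.
BASELINE = {"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
    "version": "2.3.1", "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"]}}

if __name__ == "__main__":
    for ext_id, findings in triage(SAMPLE_PREFERENCES, BASELINE).items():
        print(ext_id, sorted(findings) or "clean")
```

The "Tab Helper" record is the case this operation relies on: the permissions never changed, so the browser showed no prompt, and only the version-to-version diff reveals that a service worker appeared. On a live system, point `triage` at the JSON read from the profile directory and keep the previous run's manifests as the baseline; a `version_bump_only` finding on a broadly permissioned extension still warrants unpacking both CRX versions and diffing the code.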
## Mitigation Strategies
- **Immediate Removal:** Users should remove every affected extension at once; disabling is not enough, since a disabled extension can be re-enabled and still updates.
- **Data Cleaning:** Clear browsing data (cache, cookies, site storage and any tracking identifiers the extension may have set).
- **System Checks:** Scan the system for other malware; a hijacked browser can be used to deliver further payloads.
- **Post-Infection Monitoring:** Watch accounts that were logged in through the affected browser for suspicious activity, and rotate credentials and sessions for sensitive ones.
- **Policy Enforcement:** Organizations should block unapproved extensions by policy and allowlist only vetted IDs, then re-review the allowlist over time, since a vetted extension can still turn malicious through an update.
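The policy point above, as an added example rather than anything from the report: a Chrome enterprise policy fragment (on Linux it would be dropped in `/etc/opt/chrome/policies/managed/`; Microsoft Edge accepts the same `ExtensionSettings` policy from its own policy location) that blocks every extension by default, strips from any permitted extension the permissions a hijacker needs, and allowlists a single vetted extension whose 32-character ID here is a hypothetical placeholder.

```json
{
  "ExtensionSettings": {
    "*": {
      "installation_mode": "blocked",
      "blocked_install_message": "Browser extensions must be approved by the security team.",
      "blocked_permissions": ["webRequest", "webRequestBlocking", "webNavigation", "history"]
    },
    "abcdefghijklmnopabcdefghijklmnop": {
      "installation_mode": "allowed"
    }
  }
}
```

`blocked_permissions` on the `*` entry applies to allowlisted extensions too, so an allowlisted extension that later updates to request one of those permissions is disabled rather than silently granted it. The allowlist does not protect against an update that adds code without new permissions; that case still needs the inventory diff described under Detection Methods.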
## Related Tools/Techniques
- Browser add-on malware (general category).
- Silent update mechanisms repurposed for malware delivery.
- Software supply chain compromise targeting trusted distribution points (in this case, the browser extension stores and their update channels).