About 20,000 people have had their data stolen by a single hacking group that weaponized 108 Chrome Extensions in a numbers game.
Discovered by Socket, a security research organization, these Chrome extensions masqueraded as everyday utilities while reporting to the same Command and Control (C2) server. On the surface, they appeared to be legitimate tools. But under the hood, the researchers found that these tools stole users’ data and injected malicious code into their browsing sessions.
At the time of reporting, all 108 extensions are live on the Chrome Web Store. To keep users safe, researchers at Socket have submitted their findings to Google, along with the 108 extensions they detected. Users are advised to take precautionary measures when installing Chrome extensions.
Google and Telegram users are more at risk
Just as mobile apps are published under named publisher accounts, Chrome extensions are listed under a publisher, and this operator spread the 108 malicious extensions across five publishers, namely:
- Yana Project
- GameGen
- SideGames
- Rodeo Games
- InterAlt
The research team found that each extension is further divided into different roles based on its function. Half of the extensions (54) abuse OAuth flows to target and steal Google account identities. 45 others carry a universal backdoor that grants the attacker access to any URL on the victim’s browser.
The remaining extensions are used to carry out the following malicious behaviors:
- Exfiltrate Telegram Web sessions every 15 seconds
- Strip YouTube and TikTok security headers in order to inject ads into users’ content
- Redirect all web translation requests through the attacker’s C2 server
- Inject content scripts into every page the user visits
- Allow the attacker to steal Telegram session IDs, leading to Telegram account takeover, though this capability has not yet been activated
While one of the extensions is used to inject attacker-controlled ads into YouTube, the research did not say whether this would also affect YouTube Premium subscribers.
An overview of how the attack works
At the center of this attack is one simple idea: scale.
By making the extensions appear to be helpful tools, the attacker successfully tricked about 20,000 users into installing them. Once installed, each extension behaved normally while performing its malicious tasks in the background: the translator translated, the YouTube and TikTok enhancers enhanced, and every other extension did its advertised job, so nothing looked wrong to the user.
Every installed Chrome extension can, by default, see and potentially change information on the user’s webpage at any given time. Aside from that, some extensions request additional permissions or even prompt users to sign in using Google OAuth.
One gaming extension, Formula Rush Racing Game (ID: akebbllmckjphjiojeioooidhnddnplj), requires users to log in with Google, enabling it to exfiltrate the user’s Google account identifiers. Socket, in a different report, notes that the extension requires network access and system information and could be used for exploits.
Another extension masqueraded as an internet speed test for Chrome but communicated with C2 servers to steal user data and execute commands. Socket’s specific analysis of it says it requests storage, tabs, and notifications permissions from its victims.
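The permission requests described above (Google sign-in, tabs, broad page access, header manipulation) are visible in an extension’s manifest before it ever runs. As an added example that is not part of Socket’s report or tooling, the following script audits the manifests in a local Chrome profile for that risk profile; the permission-to-risk mapping and the sample manifest are constructed for illustration, and the only real extension ID is the one quoted in this article.

```python
import json
from pathlib import Path

# The one extension ID named in the article; Socket's full list is not reproduced here.
KNOWN_BAD_IDS = {"akebbllmckjphjiojeioooidhnddnplj"}

# Constructed mapping of manifest permissions to the behaviours described in the report.
RISKY_PERMISSIONS = {
    "identity": "can start Google OAuth flows (account identifier theft)",
    "webRequest": "can observe or rewrite traffic, including security headers",
    "webRequestBlocking": "can block or rewrite requests and response headers",
    "declarativeNetRequest": "can strip or modify response headers via rules",
    "tabs": "can read the URL and title of every open tab",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(ext_id: str, manifest: dict) -> list[str]:
    """Return human-readable risk findings for one extension manifest (MV2 or MV3)."""
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append("ID is on the published list of malicious extensions")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    for p in sorted(perms & RISKY_PERMISSIONS.keys()):
        findings.append(f"permission '{p}': {RISKY_PERMISSIONS[p]}")
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: can read and change every page the user visits")
    if any(set(cs.get("matches", [])) & BROAD_HOSTS for cs in manifest.get("content_scripts", [])):
        findings.append("content script injected into every page")
    if manifest.get("oauth2"):
        findings.append("declares an oauth2 client: will prompt for Google sign-in")
    return findings

def audit_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and audit each one."""
    report = {}
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        findings = audit_manifest(ext_id, json.loads(manifest_path.read_text(encoding="utf-8")))
        if findings:
            report[ext_id] = findings
    return report

# Constructed sample shaped like the gaming extension described above (not its real manifest).
SAMPLE_MANIFEST = {
    "manifest_version": 3, "name": "Formula Rush Racing Game", "host_permissions": ["<all_urls>"],
    "permissions": ["identity", "storage", "tabs"], "oauth2": {"client_id": "PLACEHOLDER", "scopes": ["email"]},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}
```

On Linux, `audit_profile(Path.home() / ".config/google-chrome/Default/Extensions")` covers the default profile; a finding is a prompt to look closer, not proof of malice, since legitimate extensions request some of these permissions too.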
Next line of action
At first glance, these may seem like scattered, unrelated tools, but they are more than that: a single malicious pipeline quietly running a network of infected browsers.
The attacker published 108 extensions across different categories, all coordinated through a single pipeline, which suggests a level of sophistication not many hackers have. And while no group has been named yet, comments found during analysis of some extensions’ code contained Russian-language content.
To stay safe, do the following:
- Check Socket’s list before installing any extension until Google validates Socket’s report and removes those extensions.
- Even after that, only install extensions from reputable sources. Check how long an extension has been listed, read its reviews and, where in doubt, run a quick web search on the publisher’s name.
- Always keep your browser up to date. Browser updates often ship security fixes that may block some of these malicious behaviours.