
Cybersecurity researchers have discovered a new campaign in which a cluster of 108 Google Chrome extensions were found to be communicating with the same command-and-control (C2) infrastructure with the goal of harvesting user data and enabling browser-level exploits by injecting ads and arbitrary JavaScript code into every web page visited.
According to Socket, the extensions are published under five different publisher IDs: Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt, and have amassed about 20,000 total installs in the Chrome Web Store.
“All 108 sent stolen credentials, user IDs, and browsing data to servers controlled by the same operator,” security researcher Kush Pandya said in an analysis.
Of these, 54 add-ons steal Google account identities via OAuth2, 45 extensions contain a universal backdoor that opens arbitrary URLs as soon as the browser is started, and the remaining add-ons perform various malicious behaviors.
- Extract Telegram web sessions every 15 seconds
- Remove YouTube and TikTok security headers (Content Security Policy, X-Frame-Options, CORS) and insert gambling overlays and ads
- Inject content scripts into every page a user visits
- Proxy all translation requests through the threat actor’s servers

In order to appear legitimate, the identified extensions pretend to be Telegram sidebar clients, slot machines and Keno games, YouTube and TikTok enhancers, text translation tools, and page utilities. The advertised features are diverse and aim to cast a wide net while sharing the same backend.
However, unnoticed by the user, malicious code running in the background captures session information, injects arbitrary script, and opens a URL of the attacker’s choice.
Some of the extensions identified are listed below.
- Telegram multi-account (ID: obifanppcpchlehkjipahhphbcbjekfa). Extracts the user_auth token used by Telegram Web and exfiltrates it to a remote server. It can also overwrite localStorage with session data provided by the threat actor and force the messaging application to reload, effectively replacing the victim’s active Telegram session with a session of the threat actor’s choosing.
- Web client for Telegram – Teleside (ID: mdcfennpfgkngnibjbpnpaafcjnhcjno). Injects a script that removes Telegram security headers and steals Telegram sessions.
- Formula Rush Racing Game (ID: akebbllmckjphjiojeiooooidhnddnplj). Steals the user’s Google account identity the first time the victim clicks the sign-in button. This includes details such as email, full name, profile picture URL, and Google Account ID.
“The five extensions use Chrome’s declarativeNetRequest API to remove security headers from the target site before the page loads,” Socket said. “All 108 malicious extensions share the same backend, hosted at 144.126.135[.]238.”
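The header-removal behaviour described above is visible statically in an unpacked extension: a declarativeNetRequest rule file carries a modifyHeaders action whose responseHeaders entries have operation "remove", and the manifest declares which rule files are enabled. The following Node.js script is an added example written for this page, not code from the article, from Socket, or from any of the extensions discussed; it triages a manifest plus its rule files and flags rules that strip security headers, content scripts that match every URL, and site-wide host permissions. The manifest and rule data it embeds are constructed samples, and the names findHeaderStrippingRules, findGlobalContentScripts and triageExtension are the example’s own.

```javascript
// Added example (not from the article or Socket): static triage of an
// unpacked Chrome extension for header-stripping declarativeNetRequest rules
// and all-site content scripts. All manifest/rule data below is constructed.

// Response headers whose removal weakens the page's own protections.
const SECURITY_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
  "x-frame-options",
  "access-control-allow-origin",
  "cross-origin-opener-policy",
  "cross-origin-resource-policy",
]);

// Match patterns that cover every site the user visits.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Returns one finding per (rule, header) pair where a modifyHeaders action
// removes a security header. Header names are matched case-insensitively.
function findHeaderStrippingRules(rules) {
  const findings = [];
  for (const rule of rules) {
    const action = rule.action || {};
    if (action.type !== "modifyHeaders") continue;
    for (const entry of action.responseHeaders || []) {
      const name = String(entry.header || "").toLowerCase();
      if (entry.operation === "remove" && SECURITY_HEADERS.has(name)) {
        findings.push({
          ruleId: rule.id,
          header: name,
          urlFilter: (rule.condition && rule.condition.urlFilter) || "(all requests)",
        });
      }
    }
  }
  return findings;
}

// Returns the content_scripts entries whose match patterns cover every URL.
function findGlobalContentScripts(manifest) {
  return (manifest.content_scripts || []).filter((script) =>
    (script.matches || []).some((pattern) => BROAD_PATTERNS.has(pattern))
  );
}

// rulesByPath maps each rule file path named in the manifest to its parsed
// JSON array. Only rule_resources that are enabled are examined.
function triageExtension(manifest, rulesByPath) {
  const reasons = [];
  const dnr = manifest.declarative_net_request || {};
  const stripped = [];
  for (const resource of dnr.rule_resources || []) {
    if (resource.enabled === false) continue;
    stripped.push(...findHeaderStrippingRules(rulesByPath[resource.path] || []));
  }
  if (stripped.length > 0) {
    const headers = [...new Set(stripped.map((f) => f.header))].join(", ");
    reasons.push(`declarativeNetRequest removes security headers (${headers})`);
  }
  const globalScripts = findGlobalContentScripts(manifest);
  if (globalScripts.length > 0) {
    reasons.push(`${globalScripts.length} content script(s) run on every page`);
  }
  if ((manifest.host_permissions || []).some((p) => BROAD_PATTERNS.has(p))) {
    reasons.push("host_permissions grants access to every site");
  }
  return { suspicious: stripped.length > 0 || globalScripts.length > 0, reasons, stripped };
}

// Constructed sample: the shape a header-stripping extension takes.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Video Enhancer (constructed sample)",
  permissions: ["declarativeNetRequest", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
  declarative_net_request: {
    rule_resources: [{ id: "ruleset_1", enabled: true, path: "rules.json" }],
  },
};
const SAMPLE_RULES = {
  "rules.json": [
    {
      id: 1,
      priority: 1,
      action: {
        type: "modifyHeaders",
        responseHeaders: [
          { header: "Content-Security-Policy", operation: "remove" },
          { header: "X-Frame-Options", operation: "remove" },
        ],
      },
      condition: { urlFilter: "||video.example.test", resourceTypes: ["main_frame", "sub_frame"] },
    },
    // A plain block rule, as an ad blocker ships, must not be flagged.
    { id: 2, priority: 1, action: { type: "block" }, condition: { urlFilter: "||ads.example.test" } },
  ],
};

// Constructed benign sample: single-site scope, no header modification.
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: "Single-site helper (constructed sample)",
  permissions: ["storage"],
  host_permissions: ["https://example.test/*"],
  content_scripts: [{ matches: ["https://example.test/*"], js: ["helper.js"] }],
};

console.log(JSON.stringify(triageExtension(SAMPLE_MANIFEST, SAMPLE_RULES), null, 2));
```

To run it against a real unpacked extension, read manifest.json with JSON.parse and build rulesByPath from the paths listed under declarative_net_request.rule_resources; the block rule in the sample shows why the check keys on the modifyHeaders action rather than on the presence of the declarativeNetRequest permission, which legitimate content blockers also request.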
It is currently unclear who is behind the policy-violating extensions. However, analysis of the source code revealed that some add-ons contained comments in Russian.
Users who have installed any of the extensions are advised to immediately remove the extension and log out of all Telegram web sessions from the Telegram mobile app.
