
An unknown threat actor has been publishing seemingly benign browser utilities since February 2024 and is attributed with several malicious Chrome extensions that incorporate hidden features to steal data, receive commands, and execute arbitrary code.
“The actor creates websites that pose as legitimate services, productivity tools, advertising and media creation assistants, VPN services, banks, and more, and instructs users to install corresponding malicious extensions from Google’s Chrome Web Store (CWS).”
The browser add-ons appear to provide the advertised features, but they also enable credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and DOM manipulation.

Another factor that works in the attacker's favor is that the extensions are configured to request excessive permissions via the manifest.json file.
The extensions are also known to rely on the “OnReset” event handler of a temporary document object model (DOM) element to bypass the content security policy (CSP), likely in order to execute code.
Some of the identified lure websites entice users to download and install the extensions by impersonating legitimate products and services such as DeepSeek, Manus, DeBank, FortiVPN, and site statistics tools. Once installed, the add-on harvests browser cookies, retrieves arbitrary scripts from a remote server, and sets up a WebSocket connection that acts as a network proxy for routing traffic.
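As an added, defender-side example that is not part of the report, the following Python script audits an extension's manifest.json for the kind of over-broad permissions described above (MV2 and MV3 layouts). The list of risky permissions and the sample manifest are assumptions constructed for illustration, not indicators from the campaign.

```python
import json

# Permissions that let an extension read or alter data across sites. Any one of them
# deserves scrutiny when an add-on advertises a narrow feature. (Assumed list.)
RISKY_PERMISSIONS = {
    "cookies": "can read and modify cookies for every granted host",
    "webRequest": "can observe and intercept network requests",
    "webRequestBlocking": "can block or rewrite network requests",
    "scripting": "can inject scripts into pages",
    "tabs": "can read URLs and titles of open tabs",
    "proxy": "can route browser traffic through an attacker-chosen proxy",
    "declarativeNetRequest": "can rewrite or redirect requests",
    "history": "can read browsing history",
}
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def audit_manifest(manifest_text: str) -> list[str]:
    """Return human-readable findings for over-privileged manifest.json entries."""
    m = json.loads(manifest_text)
    findings = []
    perms = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    for p in sorted(perms & RISKY_PERMISSIONS.keys()):
        findings.append(f"permission '{p}': {RISKY_PERMISSIONS[p]}")
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    hosts = [h for h in perms if "://" in h or h == "<all_urls>"]
    hosts += list(m.get("host_permissions", []))
    for h in sorted(set(hosts)):
        if h in BROAD_HOSTS:
            findings.append(f"host pattern '{h}': access to every site the user visits")
    # A relaxed CSP (unsafe-inline or remote script sources) is its own warning sign.
    csp = m.get("content_security_policy")
    if isinstance(csp, dict):          # MV3 form: {"extension_pages": "...", "sandbox": "..."}
        csp = csp.get("extension_pages", "")
    if csp and ("unsafe-inline" in csp or "http" in csp):
        findings.append(f"CSP relaxed: {csp}")
    return findings


# Constructed sample resembling an over-privileged "VPN helper" manifest (hypothetical).
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Free VPN Helper",
    "permissions": ["cookies", "webRequest", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
})

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("WARN:", finding)
```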

There is currently no visibility into how victims are redirected to the fake sites, but DomainTools told the publication that it could involve common methods such as phishing and social media.
“They appear in both the Chrome Web Store and on adjacent websites, so they can come up in search results within the Chrome Store as well as in normal web searches,” the company said. “Many of the lure websites used Facebook tracking IDs, which strongly suggests that Facebook/Meta apps are leveraged in some way to attract site visitors.”
At the time of writing, it is not known who is behind the campaign, but the threat actor has set up over 100 fake websites and malicious Chrome extensions. Google has since removed the extensions.

To mitigate the risk, users are advised to stick to verified developers when downloading extensions, review the requested permissions, audit user reviews, and avoid lookalike extensions.
That said, it is worth keeping in mind that ratings can be manipulated and artificially inflated by filtering out negative user feedback.
In an analysis published late last month, DomainTools found evidence of an extension posing as DeepSeek that redirects users who give the AI chatbot a low rating (1-3 stars) to a private feedback form on a [.]pro domain, while sending those who give a high rating (4-5 stars) to the official Chrome Web Store review page.