Four malicious Chrome extensions have been caught infecting 500,000 users

Security researchers have found four malicious Chrome extensions laced with suspicious code infecting more than 500,000 users across the globe, including workstations within major organisations. According to cybersecurity firm ICEBRG, the four extensions that were available on the official Google Chrome Store were likely used for click fraud scams or search engine optimisation manipulation.

Researchers spotted the extensions while investigating a recent suspicious spike in outbound network traffic from a customer's workstation to a European VPS provider.

"Although likely used to conduct click fraud and/or search engine optimisation manipulation, these extensions provided a foothold that the threat actors could leverage to gain access to corporate networks and user information," ICEBRG researchers Justin Warner and Mario De Tore wrote in a blog post published on Monday (15 January).

"Chrome's JavaScript engine evaluates JavaScript code contained within JSON. Due to security concerns, Chrome prevents the ability to retrieve JSON from an external source by extensions, which must explicitly request its use via the Content Security Policy (CSP)."

While researchers noted that the extensions did not contain any overtly malicious code, they did include two features that, if combined, allow threat actors to inject and execute arbitrary, potentially malicious JavaScript code whenever the update server receives a permission request to retrieve JSON from an external source.
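As an added illustration (not code from ICEBRG or from the original article), the following Python audits an extension's manifest.json for a Content Security Policy that opts in to evaluating strings as code or to loading scripts from remote origins. It assumes the opt-in in question is the CSP keyword 'unsafe-eval', which the article does not name; the function names and the sample manifests are constructed for the example.

```python
import json

def parse_csp(policy):
    """Split a CSP string into {directive: [source, ...]}; first occurrence wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def extension_policies(manifest):
    """Yield (label, policy) for the Manifest V2 (string) and V3 (object) layouts."""
    csp = manifest.get("content_security_policy")
    if isinstance(csp, str):
        yield "content_security_policy", csp
    elif isinstance(csp, dict):
        for key, value in csp.items():
            if isinstance(value, str):
                yield f"content_security_policy.{key}", value

def audit_manifest(manifest_text):
    """Return (label, reason) findings for policies that relax script execution."""
    findings = []
    for label, policy in extension_policies(json.loads(manifest_text)):
        directives = parse_csp(policy)
        # script-src falls back to default-src when it is not declared
        sources = directives.get("script-src", directives.get("default-src", []))
        if any(s.lower() == "'unsafe-eval'" for s in sources):
            findings.append((label, "allows eval of strings as code"))
        remote = [s for s in sources if s.startswith(("http:", "https:", "ws:", "wss:", "*"))]
        if remote:
            findings.append((label, "remote script sources: " + ", ".join(remote)))
    return findings

# Constructed sample manifests (not taken from the extensions named in the article)
SAMPLE_RISKY = json.dumps({
    "name": "constructed-example", "manifest_version": 2,
    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
})
SAMPLE_STRICT = json.dumps({
    "name": "constructed-example", "manifest_version": 2,
    "content_security_policy": "script-src 'self'; object-src 'self'",
})

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_RISKY))
    print(audit_manifest(SAMPLE_STRICT))
```

A finding here is a reason to review what the extension fetches and evaluates at runtime, not proof of malice, since legitimate extensions have also requested this permission.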

One item in the code checks the infected system for any Chrome debugging tools. If it does happen to detect any, it stops the execution of the injected code.

"This is most likely an anti-analysis technique implemented by the developers to avoid detection and prolong their capabilities," the researchers noted.

"Once injected, the malicious JavaScript establishes a WebSocket tunnel with 'change-request.info'. The extension then utilises this WebSocket to proxy browsing traffic via the victim's browser," they explained. "The threat actor utilised this capability exclusively for visiting advertising related domains indicating a potential click fraud campaign was ongoing."

Click fraud scams are used to force victims to visit advertising websites that pay per-click rewards.

"The same capability could also be used by the threat actor to browse internal sites of victim networks, effectively bypassing perimeter controls that are meant to protect internal assets from external parties," the researchers added.

The offending Chrome extensions included "Change HTTP Request Header", "Nyoogle - Custom Logo for Google", "LiteBookmarks" and "Stickies - Chrome's Post-It Notes".

It is unclear if the same authors were behind all four extensions, although they did feature similar tactics, techniques and procedures (TTPs). Researchers warned, however, that such tools and techniques could be leveraged by more sophisticated hackers to enable "a beachhead into target networks".

ICEBRG notified Google along with the National Cyber Security Centre of The Netherlands (NCSC-NL), the US Computer Emergency Readiness Team (US-CERT) and affected ICEBRG customers about the nefarious extensions.

Google has since removed the extensions from its Chrome Store.

Researchers note that the significant number of users who downloaded the malicious Chrome extensions "provides a substantial pool of resources to draw upon for fraudulent purposes and financial gain".

"The high yield from these techniques will only continue to motivate criminals to continue exploring creative ways to create similar botnets," they said. "It should be noted that although Google is working to give enterprises more options for managing Chrome extensions, without upstream review or control over this technique, malicious Chrome extensions will continue to pose a risk to enterprise networks."