Guardio Labs researchers have discovered Dormant Colors, a new malvertising campaign to deliver malicious Google Chrome extensions.
Chrome extensions are used to hijack searches and insert affiliate links into web pages. The campaign was dubbed Dormant Colors by experts because the extensions permit color customization.
“It starts with the trickery malvertising campaign, continues with a crafty novel way to side-load the real malicious code without anyone noticing (until now!), and finally with stealing not only your searches and browsing data, but also affiliation to 10,000 targeted sites — a capability that is easily leveraged for targeted spear phishing, account takeover and credential extraction — all using this powerful network of millions of infected computers worldwide!” reads the post published by the Guardio Labs.
The researchers discovered at least 30 variants of these extensions in both the Chrome and Edge web stores by mid-October 2022.
Over a million people installed malicious browser extensions.
Experts discovered that the code of Chrome extensions does not contain malicious components in its initial state, but malicious snippets are later added to the code.
The attack chain is based on malvertising messages designed to trick victims into clicking on the install button, as seen in the video. Victims are prompted to install a color-changing extension after clicking the 'OK' or 'Continue' button.
Once installed, these extensions redirect users to various pages that side-load malicious scripts that alter browser behavior. The extensions can hijack searches and return affiliate links in the results. This scheme enables threat actors to profit from traffic to these websites while also stealing data.
According to experts, these malicious extensions are more than just other search hijackers because they include "stealth modules for code updating and telemetry collection, as well as a backbone of servers harvesting data from millions of users." The collected data is used to categorize potential targets and select the best social engineering attack vectors to target and steal from them.
Dormant Colors' operations rely on affiliation with 10,000 targeted sites and a global network of millions of infected computers. The attackers add affiliate tags to the URL, and any purchases made on the site result in a commission for the operators. The researchers released a video that depicts affiliate hijacking for the shopping site 365games.co.uk. The video depicts the address bar being filled with data from affiliation sources. The same method can clearly be used to redirect victims to phishing pages in order to steal credentials for popular services such as Microsoft 365, online banking, and social media platforms.
“This campaign is still up and running, shifting domains, generating new extensions, and re-inventing more color and style-changing functions you can for sure manage without. Adding to that, the code injection technique analyzed here is a vast infrastructure for mitigation and evasion and allows leveraging the campaign to even more malicious activities in the future.” concludes the report that also includes Indicators of Compromise (IoCs) for this campaign.
“At the end of the day, it’s not only affiliation fees being collected on your back, this is your privacy as well as your internet experience being compromised here, in ways that can target organizations by harvesting credentials and hijacking accounts and financial data. No extension that makes a fine-looking website look dark and ugly is worth it…”
