
Remove These Malicious Chrome Extensions With 1 Million Downloads



An extension for your browser can enhance your online experience in several ways. Translations, conversions, spellchecking, shopping, and blocking popup ads are some of the services they can assist you with. You can customize your browsing experience using these extensions, and you may even be able to alter the way websites are displayed. There are several popular extensions available for Chrome; dark mode is one example.

It is imperative to remember that not all extensions are safe. By giving them access to your data, including your personal information, you are giving them a lot of power.

Although some extensions store this data for convenience, others use it to track you or launch a cyberattack against your computer. A malicious Chrome extension was recently reported to have been downloaded 1.4 million times since it first appeared in the store.

The cybersecurity firm Guardio Labs reports a newly discovered malicious advertising campaign in which Chrome extensions are used to hijack web searches and embed affiliate links into the other websites you visit.

The company's security researchers have dubbed the campaign "Dormant Colors" because all of the malicious extensions in question offer color customization options for Chrome. The extensions themselves do not include malicious code when installed, which is how they were able to bypass Google's security checks and end up on the Chrome Web Store in the first place.

Extensions for Google Chrome - Dormant Colors

Following a thorough investigation by Guardio, it was found that there were thirty different versions of these malicious browser extensions available on both the Chrome and Edge web stores, with more than a million installations altogether. They have since been removed from both web stores, but just in case, here is the complete list of the extensions that were removed:

• Action Colors 
• Power Colors 
• Nino Colors 
• More Styles 
• Super Colors 
• Mix Colors 
• Mega Colors 
• Get colors 
• What color 
• Single Color 
• Colors scale 
• Style flex 
• Background Colors 
• More styles 
• Change Color 
• Dood Colors 
• Refresh color 
• Imginfo 
• WebPage Colors 
• Hex colors 
• Soft view 
• Border colors 
• Colors mode 
• Xer Colors 

Explanation of how to remove Chrome extensions manually

The malicious extensions listed above have since been removed from the stores, but you may need to remove them from your browser manually to get rid of them permanently. Click the three-dots menu at the top right-hand corner of your Chrome browser, open 'More tools', and then select 'Extensions' to see and remove the extensions you have installed.

Making money by hijacking your browser for clicks on ads

The cybercriminals behind this campaign use ads and redirects to trick unsuspecting users into installing their malicious extensions. The lure appears when users visit sites that offer to play videos or download files, and it is the step that leads to the malicious extension being installed.

These lure sites offer to let you watch videos or download programs. However, when you click the video or download link, you are redirected to another site that requires you to add an extension before you can continue. When you click either the 'OK' button or the 'Continue' button, you are prompted to install a color-changing extension that initially seems harmless on the surface.

The problem with these extensions is that once installed, they redirect to pages that side-load malicious scripts. Those scripts tell the extension how to perform search hijacking, and also which sites affiliate links can be inserted on to generate affiliate revenue. The creator of these malicious extensions earns a lot of money from these advertisements and from the users' search data, which is sold to third parties for profit.

The Dormant Colors extensions can also automatically redirect to the same page with affiliate links added to the page's URL, instead of redirecting users to an entirely different page. Whenever anyone makes a purchase on one of these sites through such a link, the developers of the extension receive a commission.

Guardio, in a blog post, says that the malicious extension campaign may spread further over the coming weeks. "As this campaign continues to run, it is shifting domains, generating a wide assortment of extensions, and re-inventing several color-and-style-changing functions you are sure to be able to do without."

It is also worth mentioning that the code injection technique analyzed here, together with its mitigation and evasion measures and the large infrastructure behind it, could contribute to further malicious activity in the future.

The most effective way to keep your browser from getting infected by malicious extensions 

The best time to make sure you have an effective antivirus solution installed on your laptop or PC is before you add anything to your browser, especially new extensions. That way you protect yourself against malware infection and against having your personal information stolen and misused.

Additionally, when you install any extensions, be sure to only use trusted sources, such as the Chrome Web Store or the Microsoft Edge Add-ons store, as these are both reliable sources. The fact that malicious extensions do slip through the cracks from time to time does not change the fact that you are still safer when you install browser extensions from an official store rather than from the web.

Additionally, you should always ask yourself whether or not you need an extension before downloading it. Do you need it, or do you just want to use it? When you come across an extension that seems too good to be true, you can be certain that it is, and it is not worth downloading. Also make a habit of checking the extensions already in your browser before adding new ones.

You need to regularly take a look at the extensions you have installed in your browser and make sure they are still relevant. Delete any that you no longer need. Also, keep an eye out for any new ones you may not have noticed were added without your knowledge. Browser extensions can add all kinds of new features and options that are not available in the browser's built-in functionality, so the list is worth reviewing.
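The manual check through 'More tools' > 'Extensions' does not scale beyond one machine, and it tells you nothing about what an extension is allowed to do. The script below is an added example (not Guardio's tooling and not code from this post) that reads the manifest.json files in a Chrome profile, matches extension names against the Dormant Colors list above, flags permission sets that let an extension observe or rewrite every page (the access search hijacking and affiliate-link injection need), and flags extensions whose update_url is not the Chrome Web Store endpoint. The on-disk profile layout and the sample manifests are assumptions; the extension ids in the sample are placeholders.

```python
"""Audit the extensions in a Chrome profile: match names against the
Dormant Colors list, flag broad or risky permissions, and flag extensions
whose update_url is not the Chrome Web Store.
Added example, not Guardio's tooling; the sample manifests are constructed."""
import json
from pathlib import Path

# Extension names listed in the post (compared case-insensitively).
DORMANT_COLORS_NAMES = {
    "action colors", "power colors", "nino colors", "more styles", "super colors",
    "mix colors", "mega colors", "get colors", "what color", "single color",
    "colors scale", "style flex", "background colors", "change color",
    "dood colors", "refresh color", "imginfo", "webpage colors", "hex colors",
    "soft view", "border colors", "colors mode", "xer colors",
}

# Host patterns that grant read/rewrite access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "http://*/*", "https://*/*", "*://*/*"}
# API permissions that let an extension observe or rewrite navigation.
RISKY_PERMISSIONS = {"tabs", "webRequest", "webRequestBlocking",
                     "declarativeNetRequest", "scripting", "webNavigation"}
# Update endpoint used by extensions installed from the Chrome Web Store.
STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def audit_manifest(manifest: dict) -> list:
    """Return a list of human-readable findings for one manifest.json dict."""
    findings = []
    name = str(manifest.get("name", "")).strip().lower()
    if name in DORMANT_COLORS_NAMES:
        findings.append(f"name '{manifest.get('name')}' is on the Dormant Colors list")

    perms = set(manifest.get("permissions", []))
    # Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | perms
    if hosts & BROAD_HOSTS:
        findings.append("requests access to all URLs")
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        findings.append("requests " + ", ".join(risky))

    if manifest.get("update_url") != STORE_UPDATE_URL:
        findings.append("update_url is not the Chrome Web Store (sideloaded or unpacked?)")
    return findings


def audit_all(manifests: dict) -> dict:
    """Map extension id -> findings, keeping only extensions that have findings."""
    result = {}
    for ext_id, manifest in manifests.items():
        findings = audit_manifest(manifest)
        if findings:
            result[ext_id] = findings
    return result


def load_profile_manifests(profile_dir: str) -> dict:
    """Read <profile>/Extensions/<id>/<version>/manifest.json for each installed
    extension (assumed on-disk layout of a Chrome profile directory)."""
    manifests = {}
    for manifest_path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        try:
            manifests[ext_id] = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
    return manifests


# Constructed sample manifests standing in for a real profile (placeholder ids).
SAMPLE_MANIFESTS = {
    "ext-colors-0001": {
        "name": "Power Colors", "version": "1.0.3", "manifest_version": 2,
        "permissions": ["tabs", "webRequest", "<all_urls>"],
        "update_url": STORE_UPDATE_URL,
    },
    "ext-notes-0002": {
        "name": "Quick Notes", "version": "2.4.0", "manifest_version": 3,
        "permissions": ["storage"],
        "update_url": STORE_UPDATE_URL,
    },
    "ext-side-0003": {
        "name": "Style flex", "version": "9.9.9", "manifest_version": 3,
        "permissions": ["scripting"], "host_permissions": ["https://*/*"],
        # no update_url: not installed from the store
    },
}

if __name__ == "__main__":
    for ext_id, findings in audit_all(SAMPLE_MANIFESTS).items():
        print(ext_id)
        for finding in findings:
            print("  -", finding)
```

To run it against a real profile, replace SAMPLE_MANIFESTS with load_profile_manifests(path_to_profile). A name match is the weakest signal, since the campaign keeps generating new names; the permission and update_url findings are what make an extension worth a closer look even when its name is unfamiliar.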

ABCsoup Adware Campaign Employs 350 Browser Extension Variants to Target Russian Users


Zimperium researchers have identified an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers. The campaign employs more than 350 versions of malicious browser extensions using the Google Translate extension ID to fool victims into downloading the malicious files.

"The extensions are installed onto a victim's machine via a Windows-based executable, bypassing most endpoint security solutions, along with the security controls found in the official extension stores," researchers explained. 

The malicious browser add-ons come with an identical extension ID as that of Google Translate to trick users into believing that they have installed a legitimate extension. However, the extensions are not available on the official browser web stores. 

The hackers deliver them via multiple Windows executables that install the add-on in the victim's web browser. If the targeted user already has the Google Translate extension installed, the malicious variant replaces the original owing to its higher version number (30.2.5 vs. 2.0.10).

"Furthermore, when this extension is installed, Chrome Web Store assumes that it is Google Translate and not the malicious extension since the Web Store only checks for extension IDs," Zimperium researcher Nipun Gupta stated. 
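Because the browser compares only the extension id and treats the higher version as the newer build, the one local signal a defender has is a version that runs ahead of what the store currently serves. The script below is an added example (not Zimperium's tooling) that compares an inventory of installed extensions against a reference table of store versions and flags any installed copy whose version is ahead of the store's; it parses Chrome's dotted version strings numerically so that "2.0.10" correctly sorts after "2.0.9". The extension ids, the inventory and the reference table are constructed placeholders, not the real Google Translate id.

```python
"""Flag installed extensions whose id matches a known store extension but whose
version is ahead of the store's current version, the pattern described above
(30.2.5 installed over 2.0.10). Added example; ids and reference data are constructed."""
import re

# Chrome extension versions are 1 to 4 dot-separated integers (e.g. "2.0.10").
VERSION_RE = re.compile(r"^\d+(\.\d+){0,3}$")


def parse_version(version: str) -> tuple:
    """Turn '2.0.10' into (2, 0, 10, 0) so comparison is numeric, not string-wise."""
    if not VERSION_RE.match(version):
        raise ValueError(f"not a valid extension version: {version!r}")
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_ahead_of_store(installed: str, store: str) -> bool:
    """True when the installed version is strictly newer than the store version."""
    return parse_version(installed) > parse_version(store)


def find_version_spoofs(installed: list, store_versions: dict) -> list:
    """installed: list of {"id", "name", "version"} dicts from the local profile.
    store_versions: id -> version the store currently serves (reference table).
    Returns the installed entries that are ahead of the store, with the store
    version attached, so an analyst can see the gap."""
    hits = []
    for ext in installed:
        store_version = store_versions.get(ext["id"])
        if store_version is None:
            continue  # id not in the reference table: nothing to compare against
        if is_ahead_of_store(ext["version"], store_version):
            hits.append({**ext, "store_version": store_version})
    return hits


# Placeholder 32-character id in Chrome's a-p alphabet; NOT the real Google Translate id.
TRANSLATE_ID = "abcdefghijklmnopabcdefghijklmnop"

# Constructed reference table: what the store currently serves for each id.
STORE_VERSIONS = {TRANSLATE_ID: "2.0.10"}

# Constructed inventory of a victim profile.
INSTALLED = [
    {"id": TRANSLATE_ID, "name": "Google Translate", "version": "30.2.5"},
    {"id": "ponmlkjihgfedcbaponmlkjihgfedcba", "name": "Quick Notes", "version": "1.2.0"},
]

if __name__ == "__main__":
    for hit in find_version_spoofs(INSTALLED, STORE_VERSIONS):
        print(f"{hit['name']} ({hit['id']}): installed {hit['version']} "
              f"is ahead of store version {hit['store_version']}")
```

The reference table is the part that needs care: build it from a known-good machine or from the store itself, not from the suspect host, since the whole point is that the suspect host's copy is lying about its version.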

According to Zimperium, the malicious extensions are geared towards serving pop-ups, siphoning private details to deploy target-specific ads, fingerprinting searches, and injecting malicious JavaScript that can further act as spyware to capture keystrokes and monitor web browser activity. 

The primary motive of this malicious campaign is to check whether Russian social networking services like Odnoklassniki and VK are among the websites currently open in the browser and, if so, collect the victims' first and last names, dates of birth, and gender, and transfer the data to a remote server.

The malicious extension not only uses the stolen details to serve personalized ads but also has the capability to inject custom JavaScript code based on the websites opened. This includes YouTube, Facebook, ASKfm, Mail.ru, Yandex, Rambler, Avito, Brainly's Znanija, Kismia, and rollApp, indicating a heavy Russia focus.

The researchers attributed the campaign to threat actors based in Russia or Eastern Europe. The extensions were created to single out Russian users, given the wide range of local domains featured.

"This malware is purposefully designed to target all kinds of users and serves its purpose of retrieving user information," Gupta said. "The injected scripts can be easily used to serve more malicious behavior into the browser session, such as keystroke mapping and data exfiltration."

Malvertising Campaign Targets Firefox Users via Fake Updates


Filip Mouliatis, a Malwarebytes researcher, has uncovered a malvertising campaign that is nearly identical to the one distributed by the FakeUpdates (SocGholish) attackers.

However, the execution and distribution patterns are different. Unlike FakeUpdates, which relies on compromised websites to display malicious fake browser update windows, this campaign employs malvertising.

The malvertising campaign targets users via a fake Firefox update that includes a couple of scripts and an encrypted payload. The initial executable is a loader that retrieves a piece of adware identified as BrowserAssistant. This payload was spotted before in a similar malvertising campaign involving the RIG exploit kit in late 2019.

Interestingly, the attackers reused the same servers in Russia and dubbed their malvertising gates after different ad networks. 

In October 2020, security analyst '@na0_sec' witnessed the "MakeMoney gate", named after the domain makemoneywithus[.]work (188.225.75.54), redirect to the Fallout exploit kit, although it had relied on RIG EK for multiple years.

According to Malwarebytes, it is interesting that the malicious actors remained faithful to RIG EK for so long during a period when exploit kits were going out of fashion. The attackers also seemed to poke fun at the very ad networks they were abusing, unless the names they chose for their gates were motivated by a need to sort their upstream traffic.
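The domain and IP address quoted above are the kind of indicators a defender would sweep proxy or web logs for. The script below is an added example (not Malwarebytes' tooling) that refangs the defanged notation, parses a simple constructed proxy log format, and matches the destination host against the domain (including subdomains, but not look-alike hosts that merely start with it) and the server address against the IP. The log format and all log lines are constructed; only the two indicators come from the post.

```python
"""Sweep constructed proxy log lines for the MakeMoney gate indicators quoted
above. Added example, not Malwarebytes' tooling; the log format and lines are
constructed for illustration."""
from urllib.parse import urlsplit


def refang(indicator: str) -> str:
    """Turn defanged notation such as 'example[.]com' or 'hxxp://' into a usable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Indicators from the post, refanged for matching.
INDICATORS = {
    "domain": [refang("makemoneywithus[.]work")],
    "ip": ["188.225.75.54"],
}


def host_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match: 'cdn.x.work' hits 'x.work', 'x.work.example.net' does not."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_line(line: str) -> dict:
    """Constructed log format: '<time> <client-ip> <method> <url> <status> <server-ip>'.
    Raises ValueError on lines that do not have exactly six fields."""
    ts, client, method, url, status, server = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": status, "server": server}


def sweep(lines, indicators=INDICATORS) -> list:
    """Return (line_number, indicator_type, indicator, client_ip) for every hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        try:
            rec = parse_line(line)
        except ValueError:
            continue  # malformed line: skip rather than abort the sweep
        host = urlsplit(rec["url"]).hostname or ""
        for domain in indicators["domain"]:
            if host_matches(host, domain):
                hits.append((number, "domain", domain, rec["client"]))
        for ip in indicators["ip"]:
            if rec["server"] == ip or host == ip:
                hits.append((number, "ip", ip, rec["client"]))
    return hits


# Constructed sample log (documentation-range addresses for benign traffic).
SAMPLE_LOG = [
    "2020-10-14T09:12:01Z 10.1.2.33 GET https://www.example.org/index.html 200 203.0.113.10",
    "2020-10-14T09:12:07Z 10.1.2.33 GET http://makemoneywithus.work/go?id=4 302 188.225.75.54",
    "2020-10-14T09:12:08Z 10.1.2.47 GET http://cdn.makemoneywithus.work/a.js 200 188.225.75.54",
    "2020-10-14T09:12:09Z 10.1.2.47 GET http://makemoneywithus.work.example.net/ 200 203.0.113.9",
    "garbage line",
]

if __name__ == "__main__":
    for number, kind, value, client in sweep(SAMPLE_LOG):
        print(f"line {number}: {kind} {value} contacted by {client}")
```

The client address in each hit is what matters operationally: it identifies the machine that reached the gate and therefore the host that may have received the fake update.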

However, this particular social engineering campaign could use some improvements to remove some blatant typos, and its server-side infrastructure could be tidied up, Filip Mouliatis stated.

In December 2021, a malvertising campaign targeted Chrome users via malicious extensions. These extensions were built to impersonate popular applications and created backdoors that malicious actors could exploit to exfiltrate personally identifiable information (PII).

Magnat, the authors of this campaign, specifically targeted users searching for popular software via search engines. Once the victim clicked a malicious link to a fake installer, their endpoint was compromised with a password stealer called "RedLineStealer," as well as a Chrome extension known as "MagnatExtension" designed to log keystrokes and capture screenshots.

To mitigate the risks, avoid clicking on ads promising things that seem suspicious. Only click on ads that look like they were created by a professional graphic designer. Experts also suggest not clicking on ads that have spelling errors.