In a recent cybersecurity alert, experts have uncovered a disturbing scheme involving a total of 108 Google Chrome extensions designed to harvest user data and abuse browser functionalities. These extensions, which have been installed approximately 20,000 times from the Chrome Web Store, communicate with a centralized command-and-control (C2) infrastructure to execute their malicious activities, including the injection of advertisements and arbitrary JavaScript code into visited websites.
Extension Identities and Distribution
The extensions are attributed to five different publishers: Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt. Despite their varied appearances, all extensions share the same backend and are part of a coordinated effort to compromise user data. Kush Pandya, a security researcher, highlighted that these extensions transmit credentials, user identities, and browsing information to servers controlled by a single operator.
Among the 108 extensions, 54 specifically target Google account identities using OAuth2, while 45 contain a universal backdoor that opens arbitrary URLs on browser startup. The remainder carry out other malicious actions, such as exfiltrating Telegram Web sessions every 15 seconds and manipulating security headers on YouTube and TikTok to insert gambling ads.
Deceptive Appearances and Functions
To appear legitimate, these extensions pose as utilities and tools such as Telegram sidebar clients, slot machine games, video platform enhancers, and text translators. However, unbeknownst to users, they run harmful code in the background to capture session details, inject scripts, and navigate to URLs chosen by the attackers.
Notable extensions include ‘Telegram Multi-account,’ which exfiltrates Telegram Web user_auth tokens, and ‘Web Client for Telegram – Teleside,’ which modifies Telegram’s security headers to steal sessions. Another, ‘Formula Rush Racing Game,’ captures Google account details during user sign-in attempts.
Security Implications and Recommendations
Researchers at Socket note that five of these extensions use Chrome’s declarativeNetRequest API to strip security headers, enabling their malicious activity before a webpage fully loads. All identified extensions use a backend hosted at the IP address 144.126.135[.]238, although the developers’ identities remain unknown. Source code analysis points to a possible Russian origin, as indicated by Russian-language comments found in several extensions.
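The declarativeNetRequest behaviour described above can be checked for in an unpacked extension before it is trusted. The following is an added example written for this article, not code from Socket or from the report: a small Python audit that reads a parsed manifest.json and its declarative_net_request rule files, flags modifyHeaders rules that remove or overwrite security headers, and reports broad permissions; the header list, permission list and sample manifest are constructed for the example.

```python
# Response headers sites rely on for defence; a rule that removes or rewrites
# them on a third-party domain deserves a close look (constructed list).
SECURITY_HEADERS = {"content-security-policy", "content-security-policy-report-only",
                    "x-frame-options", "strict-transport-security",
                    "cross-origin-opener-policy", "cross-origin-resource-policy"}
# Permissions that enable the behaviours the report describes (constructed list).
RISKY_PERMISSIONS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess",
                     "identity", "cookies", "scripting", "tabs"}

def header_stripping_rules(rules):
    """(rule id, header, operation, scope) for each modifyHeaders rule that
    removes or overwrites a security header on HTTP responses."""
    findings = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        cond = rule.get("condition", {})
        scope = cond.get("requestDomains") or cond.get("urlFilter") or "*"
        for hdr in action.get("responseHeaders", []):
            name = hdr.get("header", "").lower()
            if name in SECURITY_HEADERS and hdr.get("operation") in ("remove", "set"):
                findings.append((rule.get("id"), name, hdr["operation"], scope))
    return findings

def audit_extension(manifest, rulesets):
    """manifest: parsed manifest.json; rulesets: {path: parsed rule list} for the
    files named under declarative_net_request.rule_resources."""
    perms = set(manifest.get("permissions", []))
    hosts = manifest.get("host_permissions", [])
    report = {"risky_permissions": sorted(perms & RISKY_PERMISSIONS),
              "all_urls": any(h in ("<all_urls>", "*://*/*") for h in hosts),
              "header_stripping": []}
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        if res.get("enabled", False):  # only enabled static rulesets apply
            report["header_stripping"] += header_stripping_rules(rulesets.get(res["path"], []))
    return report

# Constructed sample (not from any real extension): CSP/XFO removal on a video site.
SAMPLE_MANIFEST = {"manifest_version": 3, "name": "Video Enhancer (sample)",
    "permissions": ["declarativeNetRequest", "identity", "storage"],
    "host_permissions": ["<all_urls>"],
    "declarative_net_request": {"rule_resources": [
        {"id": "ruleset_1", "enabled": True, "path": "rules.json"}]}}
SAMPLE_RULES = {"rules.json": [
    {"id": 1, "priority": 1, "condition": {"requestDomains": ["video.example"]},
     "action": {"type": "modifyHeaders", "responseHeaders": [
         {"header": "Content-Security-Policy", "operation": "remove"},
         {"header": "X-Frame-Options", "operation": "remove"}]}},
    {"id": 2, "priority": 1, "condition": {"urlFilter": "||ads.example"},
     "action": {"type": "block"}}]}
```

On a real unpacked extension, load manifest.json and each path listed under rule_resources with json.load and pass them to audit_extension; a non-empty header_stripping list combined with <all_urls> is the pattern worth reviewing by hand.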
Users who have downloaded any of these extensions are strongly advised to uninstall them immediately and to log out of all active Telegram Web sessions via the mobile application to safeguard their accounts.
In conclusion, this incident underscores the persistent threat of malicious browser extensions. Users are encouraged to remain vigilant, review extension permissions regularly, and install only trusted and verified browser add-ons. Continuous monitoring and swift response are essential to mitigate the risks posed by such cyber threats.
