The browser is a high-return target for adversaries. Browser extensions, small software modules added to the browser to enhance the browsing experience, have become a popular attack vector because they are widely adopted and can easily turn malicious, whether through the developer's own actions or through attacks on a legitimate extension and its update channel.
Recent incidents like DataSpii and the Nigelthorn malware attack have shown how much damage malicious extensions can inflict. In both cases, users installed extensions in good faith that then compromised their privacy and security. The underlying issue lies in the permissions granted to extensions: they are often excessive and coarse-grained, so a malicious extension gets the same broad access as a legitimate one, and attackers exploit exactly that.
A new report by LayerX, "Unveiling the Threat of Malicious Browser Extensions", provides in-depth insights into the malicious browser extension threat landscape and offers recommendations for mitigation.
1. Initially Malicious Extensions - These are extensions purposefully created by malicious actors to cause harm. They can be uploaded to web stores or hosted on the attacker's own infrastructure.
The critical security question here is whether these extensions are truly necessary within the corporate network and whether they pose any security risks. It's essential to carefully evaluate the need for such extensions and their potential impact on network security.
2. Normal Installation - Extensions that users download from official browser stores by visiting an extension's listing. This approach allows users to make independent choices regarding which extensions to install.
While this offers flexibility, it leaves the security decision with the employee. Assessing which extensions the workforce has installed, how widely, and how safe they are is vital to maintaining a secure browsing environment.
3. Developer Installation - Extensions loaded unpacked from the employee's local file system using the browser's developer mode. Because they never pass through a web store, they bypass the vetting that store-listed extensions receive.
4. Sideload Installation - Extensions installed by a third-party application, such as an Adobe product or another software vendor's installer, rather than by the user through the browser. This is the least secure option: any software already running on the endpoint can use the same mechanism to plant a malicious extension without the user's awareness.
LayerX's user data gives the following distribution of installation types. The majority, 81% of extensions, are installed by users downloading them from official browser stores.
Given the widespread popularity of users downloading extensions themselves, it's important to exercise caution and train employees to identify which extensions could be potentially malicious. Some of the main indicators include:
The report contains additional information that any security or IT professional should read: risky browser extension permissions to look out for, the browser extension attack vector, mitigation techniques, and more. Cybersecurity is about acknowledging, adapting, and responding to changing threats, and malicious browser extensions demand our attention today.
The compromised accounts could then be used for illegal purposes. As an example, the researchers mentioned a Facebook account belonging to an RV seller, which started promoting ISIS content after being hijacked.
This extension, in turn, displays intrusive advertisements in the browser and spoofs search results with links leading to fake prize giveaways, surveys, dating sites, adult games, unwanted software, and so on.
Criminals also often use malicious extensions to target cryptocurrency wallets. In particular, the creators of the Rilide extension, first discovered in April 2023, use it to track cryptocurrency-related browser activity of infected users. When the victim visits sites from a specified list, the malicious extension steals cryptocurrency wallet info, email logins, and passwords.
One of the particularly interesting Rilide distribution methods was through a misleading PowerPoint presentation. This presentation posed as a security guide for Zendesk employees, but was actually a step-by-step guide for installing the malicious extension.
The rich data obtained this way can then be weaponized and monetized. For example, the attacker can use the harvested data to craft more convincing phishing emails, or use the harvested credentials to carry out identity-based attacks.
Further, because extensions run inside the browser process rather than as separate executables, they generate no process-creation events of their own, so the endpoint telemetry that catches ordinary desktop applications is largely blind to them. This lets threat actors hide and persist their malicious activity.
One common method is to list deceptive extensions on browser stores. The deception can take a number of forms, including mimicking the product names of well-known vendors or publishing extensions that promise popular productivity features.
Another popular tactic is ownership takeover, where threat actors purchase or otherwise take over previously legitimate browser extensions that already have a user base and push out malicious updates to compromise target systems.
Even extensions installed from the web store can expand their permissions after installation and download additional malicious payloads. This is a popular evasion tactic: adversaries publish an extension with minimal initial permission requirements, pass review with a small footprint, and then expand it with harmful intent. A case in point was the notorious PDF Toolbox malicious browser extension, which downloaded additional payloads after installation to extend its capabilities and persistence.
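Because extensions leave no process-creation trail, the practical way to find them is to read the state the browser itself keeps. As an added example (not code from the original page, from LayerX, or from CrowdStrike), the Python below inventories a Chrome profile from its Preferences JSON (merged with Secure Preferences, where Windows keeps extension state), maps Chromium's internal install-location codes onto the installation types described above (store, developer, sideload, admin policy), and flags extensions that run on every site, hold sensitive APIs, declare optional permissions they can claim later, or are Manifest V2 and so can still load remotely hosted code. Assumptions: the Preferences layout (extensions.settings.<id>.location / from_webstore / manifest) is a Chromium internal that is undocumented and may change between versions; the list of sensitive APIs is the editor's starting point, not an authoritative one; and the sample profile and extension ids are constructed for the example.

```python
"""Inventory the extensions recorded in a Chrome profile and flag the risky ones.

Added example. It assumes the Chromium-internal layout of the Preferences /
Secure Preferences JSON (extensions.settings.<id>.{location, from_webstore,
manifest}), which is undocumented and may change between browser versions.
"""
import json
from pathlib import Path

# Chromium's ManifestLocation enum (extensions/common/mojom/manifest.mojom),
# mapped onto the installation types discussed in the article.
LOCATION = {
    1: "internal",      # .crx in the profile; a store install if from_webstore is set
    2: "sideload",      # external preferences file dropped by another installer
    3: "sideload",      # external Windows registry key dropped by another installer
    4: "developer",     # "Load unpacked" in developer mode
    5: "component",     # bundled with the browser
    6: "sideload",      # external prefs, fetched from an update URL
    7: "admin-policy",  # enterprise policy, fetched from an update URL
    8: "developer",     # --load-extension on the command line
    9: "admin-policy",  # enterprise policy, installed from the local cache
    10: "component",
}

# APIs worth a second look: the editor's starting list, not an authoritative one.
SENSITIVE_API = {"webRequest", "webRequestBlocking", "cookies", "tabs", "history",
                 "nativeMessaging", "debugger", "proxy", "management", "scripting",
                 "clipboardRead", "declarativeNetRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
UNVETTED = {"developer", "sideload", "local-crx", "unknown"}


def classify(entry: dict) -> dict:
    """Summarise one extensions.settings entry: install type plus risk flags."""
    manifest = entry.get("manifest", {})
    install = LOCATION.get(entry.get("location"), "unknown")
    if install == "internal":
        install = "store" if entry.get("from_webstore") else "local-crx"

    perms = set(manifest.get("permissions", []))            # MV2 mixes APIs and hosts here
    optional = set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))        # MV3 keeps hosts separate
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):      # injected scripts count too
        hosts |= set(script.get("matches", []))

    flags = []
    if install in UNVETTED:
        flags.append(f"installed outside the web store ({install})")
    if hosts & BROAD_HOSTS:
        flags.append("runs on every site")
    sensitive = (perms | optional) & SENSITIVE_API
    if sensitive:
        flags.append("sensitive APIs: " + ", ".join(sorted(sensitive)))
    if optional:
        flags.append("can request more later: " + ", ".join(sorted(optional)))
    if manifest.get("manifest_version") == 2:
        flags.append("MV2: may load remotely hosted code")
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "install": install, "flags": flags}


def inventory(prefs: dict) -> dict:
    """Map extension id -> classify() result for every entry that carries a manifest."""
    settings = prefs.get("extensions", {}).get("settings", {})
    return {ext_id: classify(e) for ext_id, e in settings.items() if "manifest" in e}


def load_profile(profile_dir: str) -> dict:
    """Read a live profile (e.g. ~/.config/google-chrome/Default), merging both pref files."""
    settings = {}
    for name in ("Preferences", "Secure Preferences"):
        path = Path(profile_dir) / name
        if path.exists():
            data = json.loads(path.read_text(encoding="utf-8"))
            settings.update(data.get("extensions", {}).get("settings", {}))
    return {"extensions": {"settings": settings}}


# Constructed sample, not a real profile dump; the ids are made up.
ID_STORE, ID_SIDELOAD, ID_COMPONENT = ("a" * 32, "b" * 32, "c" * 32)
SAMPLE_PREFS = {"extensions": {"settings": {
    ID_STORE: {"location": 1, "from_webstore": True, "manifest": {
        "name": "Tab Notes", "version": "2.1", "manifest_version": 3,
        "permissions": ["activeTab", "storage"]}},
    ID_SIDELOAD: {"location": 3, "from_webstore": False, "manifest": {
        "name": "PDF Helper", "version": "1.0", "manifest_version": 2,
        "permissions": ["tabs", "storage"],
        "optional_permissions": ["webRequest", "cookies"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}},
    ID_COMPONENT: {"location": 5, "manifest": {
        "name": "Built-in Component", "version": "1.0", "permissions": ["identity"]}},
}}}

if __name__ == "__main__":
    for ext_id, info in inventory(SAMPLE_PREFS).items():
        print(f"{ext_id[:8]}  {info['name']} {info['version']}  [{info['install']}]")
        for flag in info["flags"]:
            print("    -", flag)
```

Run it against a real profile with `inventory(load_profile(path))`; the sideloaded "PDF Helper" entry in the sample is the shape to look for: registry-installed, never seen by a store reviewer, injected into every page, and able to ask for webRequest and cookies later without a new install event.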
Fortunately, Falcon Exposure Management, a module of the AI-native CrowdStrike Falcon cybersecurity platform, leverages its single, lightweight agent to provide comprehensive asset visibility and instant exposure assessment. This enables security teams to further close the security gap by detecting yet another source of exposure in the form of browser extension risks.
From here, security teams can assess extension risks in a number of ways. For starters, installation methods are shown related to each extension, uncovering sideloaded applications and providing risk context.
Falcon Exposure Management also shows the vendor name captured from each extension, which ranges from legitimate, well-known vendors to entries where the name field is missing entirely. Web store listings for the extension, where found, are also provided.
With Falcon Exposure Management, these assessments take place seamlessly and instantaneously with the Falcon agent. This allows security teams to monitor their overall attack surface in its various forms, leaving adversaries nowhere to hide.
To function as intended, extensions often request specific permissions during the installation process. These permissions can range from relatively benign, like displaying notifications, to more invasive ones that can significantly compromise your security. Here are some common permissions extensions typically ask for:
In 2022, McAfee reported on five malicious extensions that redirected users to phishing sites and tampered with e-commerce cookies. These extensions (Netflix Party, Netflix Party 2, FlipShope, Full Page Screenshot Capture, and AutoBuy Flash Sales) had a combined install base of over 1.4 million.
Fast forward to May 2023, independent cybersecurity researcher Vladimir Palant unearthed a Chrome extension called PDF Toolbox. Despite its impressive user base of more than 2 million users and high ratings, the extension was caught loading arbitrary code from suspicious websites onto every webpage viewed by the user.
Taking proactive measures is crucial to minimizing the risk from malicious browser extensions, and a few cybersecurity controls are enough to greatly reduce the likelihood of an incident caused by one.
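One such control, shown here as an added example rather than anything from the original page, is Chrome's ExtensionSettings enterprise policy: a JSON document keyed by extension id, with "*" as the default entry. The Python below places a weak policy (everything allowed, which is the out-of-the-box state) next to a hardened one (deny by default, a small allowlist, one force-installed corporate extension, and permissions that are refused even for allowed ids) and models how the browser decides an install request: the per-id entry overrides the default, and a per-id allowed_permissions list overrides the default blocked_permissions. The field names follow the published ExtensionSettings schema; the precedence logic is the editor's reading of it, and the 32-character ids are placeholders, not real extensions.

```python
"""Model Chrome's ExtensionSettings policy decision for an extension install request.

Added example. Field names follow the published ExtensionSettings schema; the
decision logic is the editor's reading of its precedence rules, and the ids
below are placeholders, not real extensions.
"""
import json

# Weak: the default entry permits anything, so every store listing is installable.
WEAK_POLICY = {"*": {"installation_mode": "allowed"}}

# Hardened: deny by default, allow a reviewed set, force-install the corporate one,
# and refuse any extension (even an allowed one) that asks for the listed APIs.
HARDENED_POLICY = {
    "*": {
        "installation_mode": "blocked",
        "blocked_permissions": ["nativeMessaging", "debugger", "proxy", "webRequestBlocking"],
        "install_sources": ["https://clients2.google.com/service/update2/crx"],
    },
    "a" * 32: {"installation_mode": "allowed"},            # reviewed note-taking tool (placeholder id)
    "b" * 32: {"installation_mode": "force_installed",     # corporate SSO helper (placeholder id)
               "update_url": "https://clients2.google.com/service/update2/crx",
               "allowed_permissions": ["nativeMessaging"]},  # lifts the default block for this id only
    "c" * 32: {"installation_mode": "removed"},            # known-bad id: uninstall wherever present
}


def decide(policy: dict, ext_id: str, requested: list) -> str:
    """Outcome for an install request: allowed, force_installed, blocked, removed,
    or 'blocked: requests <api>' when a blocked permission is asked for.
    (For an already-installed extension the browser disables it instead.)"""
    default = policy.get("*", {})
    entry = policy.get(ext_id, {})
    mode = entry.get("installation_mode", default.get("installation_mode", "allowed"))
    if mode in ("blocked", "removed"):
        return mode
    blocked = set(default.get("blocked_permissions", [])) | set(entry.get("blocked_permissions", []))
    blocked -= set(entry.get("allowed_permissions", []))   # per-id allowance beats the default block
    hit = blocked & set(requested)
    if hit:
        return "blocked: requests " + ", ".join(sorted(hit))
    return mode


def policy_json(policy: dict) -> str:
    """Serialise in the shape the browser reads: {"ExtensionSettings": {...}}."""
    return json.dumps({"ExtensionSettings": policy}, indent=2)


if __name__ == "__main__":
    for ext_id, perms in (("z" * 32, ["storage"]),
                          ("a" * 32, ["storage", "debugger"]),
                          ("b" * 32, ["nativeMessaging"])):
        print(ext_id[:8], "weak:", decide(WEAK_POLICY, ext_id, perms),
              "| hardened:", decide(HARDENED_POLICY, ext_id, perms))
    print(policy_json(HARDENED_POLICY))
```

The `policy_json` output goes, on Linux, into a file under /etc/opt/chrome/policies/managed/ and, on Windows, into the ExtensionSettings string value under HKLM\Software\Policies\Google\Chrome (Group Policy writes it there for you). Note that the weak policy lets the "a" id install with debugger, while the hardened one refuses the same request even though the id is allowlisted; that is the point of keeping blocked_permissions on the default entry.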
The bottom line is clear: malicious browser extensions are a pressing concern that demands immediate attention. Act now to review, restrict, and regularly update the browser extensions allowed within your organization.
Rilide malware is disguised as a legitimate Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges.
One of the Rilide samples identified by Trustwave SpiderLabs was distributed through a malicious Microsoft Publisher file. This file is part of Ekipa RAT, a Remote Access Trojan (RAT), designed for targeted attacks and often sold on underground forums.
Any link between the threat actors behind Ekipa RAT and those operating the Rilide infostealer remains unclear. It is probable, however, that Ekipa RAT was trialled as a distribution channel for Rilide before the operators switched to the Aurora stealer.
Aurora is a Go-based stealer, which was initially spotted being advertised in April 2022 as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums. The malware is designed to target data from multiple web browsers, cryptocurrency wallets, and local systems.
Recently, the threat actors behind Aurora have been observed abusing the Google Ads platform to spread the malware. According to a report published by Cyble, campaigns mimicking legitimate TeamViewer installers have been used to deploy Aurora. As reported by @1ZRR4H and @malwrhunterteam, Aurora was also spread via another campaign that imitated an NVIDIA Drivers installer. A downloaded sample was packed with Themida, a well-known commercial protector for executables. We used the UnpacMe service to unpack the sample.
One of the eight grabbing modules configured in the analyzed sample contained a base64-encoded blob storing the URL of the Rust-based Rilide loader. The payload, hosted on Discord CDN, was saved to the %temp% directory with filename .exe and executed via the Start-Process PowerShell cmdlet.