Chrome Extension With 1 Million Installation Stealing Data From Browser

Security researchers at Guardio Labs have recently discovered a new malvertising campaign. The campaign is intended to achieve the following objectives:

  • Push search-hijacking Chrome extensions.
  • Put affiliate links on web pages in order to earn affiliate commissions.

The researchers titled this malvertising campaign “Dormant Colors.” In total, 30 variants of malicious extensions were identified during the second half of October 2022 on the web stores of two popular web browsers:-

  • Chrome
  • Edge 

The surprising thing about these malicious browser extensions is that they have managed to reach more than 1 million active installs globally.

The operators designed the extensions to evade detection easily: the packages submitted to the stores contain no malicious code, and each extension offers multiple color customization options to lure users.

Dormant Colors Infection

When a victim visits a website that offers video or downloadable content, the victim will be bombarded with advertisements and malicious redirects that lead to the initial infection chain.

Here in the below video you can see it in action:-

It should be noted that, once installed, the extensions side-load the malicious scripts by redirecting victims to multiple malicious web pages.

The primary objective of these malicious scripts is to make the extension perform search hijacking and insert affiliate links.

These malicious extensions redirect search queries so that the results are fetched from websites associated with the extension developers.

Ad impressions and the sale of search data then generate hefty revenue for the threat actors operating these extensions.

On top of this, Dormant Colors also steals the victim's browsing data on a comprehensive list of 10,000 websites: when the victim visits one of them, the extension automatically redirects them to a page whose URL carries the operators' affiliate links.

Once the affiliate tags are appended to the URL, the operators of the malicious extensions earn a commission on every sale made on the site.
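As an added illustration of how a defender might triage an unpacked extension for the traits described above (this is example code, not Guardio's tooling or the campaign's code), the script below flags a manifest with broad host access or risky permissions, source code that evaluates remotely fetched code, and a redirect that appends affiliate parameters to a URL. The manifest, source snippet and URLs are constructed samples; the parameter and permission lists are assumptions a practitioner would tune.

```python
import re
from urllib.parse import parse_qs, urlparse

# Indicator lists (assumptions, not a canonical set): broad host access and
# permissions that let an extension observe or rewrite every tab's traffic.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "tabs",
                     "scripting", "declarativeNetRequest"}
# Patterns typical of a "clean" package that side-loads code at runtime.
SIDE_LOAD_PATTERNS = {
    "eval-of-fetched-code": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "remote-script-tag": re.compile(r"createElement\(\s*['\"]script['\"]\s*\)"),
    "runtime-injection": re.compile(r"\b(executeScript|tabs\.update)\s*\("),
}
# Common affiliate-tag query parameter names (assumption).
AFFILIATE_PARAMS = {"tag", "ref", "aff", "affid", "affiliate", "clickid", "subid"}

def triage_manifest(manifest):
    """Return human-readable findings for a parsed manifest.json dict."""
    findings = []
    grants = set(manifest.get("host_permissions", [])) | set(manifest.get("permissions", []))
    if grants & BROAD_HOSTS:
        findings.append("manifest: broad host access")
    risky = grants & RISKY_PERMISSIONS
    if risky:
        findings.append("manifest: risky permissions " + ",".join(sorted(risky)))
    # Overriding the default search provider is a direct search-hijack vector.
    if "search_provider" in manifest.get("chrome_settings_overrides", {}):
        findings.append("manifest: overrides default search provider")
    return findings

def triage_source(name, code):
    """Flag runtime code-loading idioms in one script file."""
    return [f"{name}: {label}" for label, pat in SIDE_LOAD_PATTERNS.items() if pat.search(code)]

def added_affiliate_params(before, after):
    """Affiliate-style query parameters present after a redirect but absent before."""
    b = parse_qs(urlparse(before).query)
    a = parse_qs(urlparse(after).query)
    return sorted(k for k in a if k not in b and k.lower() in AFFILIATE_PARAMS)

# Constructed sample: a benign-looking colour picker whose background script
# fetches a remote configuration URL and evaluates the response as code.
SAMPLE_MANIFEST = {"manifest_version": 3, "permissions": ["tabs", "storage"],
                   "host_permissions": ["<all_urls>"]}
SAMPLE_BACKGROUND_JS = "fetch(cfgUrl).then(r => r.text()).then(js => eval(js));"
```

Running `triage_manifest(SAMPLE_MANIFEST)` and `triage_source("background.js", SAMPLE_BACKGROUND_JS)` on the sample yields the broad-host, risky-permission and eval findings, while `added_affiliate_params` isolates a `tag` parameter that appeared only after a redirect.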

Powerful C&C

Using these same stealthy techniques, the operators of Dormant Colors could achieve far more detrimental things than affiliate hijacking.

Not only that, but threat actors also get the ability to redirect victims to fake websites with malicious scripts that steal the credentials of the following services:-

  • Microsoft 365
  • Google Workspace
  • Banking
  • Social media accounts

That said, there is currently no indication that the campaign is performing any of these more damaging activities.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.