Attack Chain

1. Users install malicious Chrome extensions from the Chrome Web Store, believing they are legitimate tools (e.g., Telegram clients, games, enhancers).
2. Upon installation, the extensions execute JavaScript code in the background.
3. Extensions designed for credential theft acquire Google OAuth2 Bearer tokens and exfiltrate user information (email, name, profile picture) to a remote server.
4. Extensions targeting Telegram steal the active Telegram Web session by overwriting local storage with attacker-supplied data and force-reloading Telegram.
5. Some extensions contain a backdoor that opens an arbitrary URL received from the C&C server in a new tab upon browser start.
6. Other malicious activities include injecting ads into YouTube and TikTok pages, injecting content scripts into all visited pages, or proxying translation requests through attacker-controlled servers.
7. The attacker gains access to user accounts (Google, Telegram) and can inject malicious content, redirect traffic, and steal sensitive information.

Impact

Over 20,000 users have been affected by these malicious extensions. The campaign targets a broad range of users by using different categories of extensions. Successful exploitation can lead to stolen credentials, account takeover, data exfiltration, ad fraud, and the ability to inject arbitrary content into visited websites. The compromised systems could be used for further malicious activities.

Recommendation

• Monitor network connections originating from Chrome extensions for connections to unusual or suspicious domains using a network connection rule (see example rule below).
• Implement strict policies for Chrome extension installations, including whitelisting approved extensions and blocking installation from untrusted sources.
• Deploy the Sigma rule to detect the execution of scripts from the malicious extensions to your SIEM and tune for your environment.