An unknown threat actor has been linked to the creation of several malicious Chrome browser extensions since February 2024 that masquerade as seemingly benign utilities but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code.
While the browser add-ons appear to offer the advertised features, they also enable credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation.
Some of the identified lure websites impersonate legitimate products and services like DeepSeek, Manus, DeBank, FortiVPN, and Site Stats to entice users into downloading and installing the extensions. The add-ons then proceed to harvest browser cookies, fetch arbitrary scripts from a remote server, and set up a WebSocket connection to act as a network proxy for traffic routing.
"Because they appear in both the Chrome Web Store and have adjacent websites, they can be returned as results in normal web searches and for searches within the Chrome store," the company said. "Many of the lure websites used Facebook tracking IDs, which strongly suggests they are leveraging Facebook / Meta apps in some way to attract site visitors. Possibly through Facebook pages, groups, and even ads."
To mitigate risks, users are advised to stick to extensions from verified developers, review the permissions an extension requests before installing it, scrutinize reviews, and refrain from using lookalike extensions.
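The advice to "review requested permissions" can be turned into a repeatable check. The script below is an added example, not code from the article or from the researchers it cites: it parses an extension's `manifest.json` and flags the permission combinations that make the behaviours described above possible (cookie access plus broad host access for session theft, `webRequest`/`declarativeNetRequest` for traffic manipulation and redirects, `scripting` for DOM manipulation). The two sample manifests are constructed for illustration, the permission-to-risk table is my own mapping of standard Chrome permission names, and the directory layout `Extensions/<id>/<version>/manifest.json` assumed by `scan_extensions` is the one a local Chrome profile uses.

```python
import json
import os
from typing import Dict, List

# Chrome permission names mapped to the capability they grant. These are
# standard Chrome extension permissions; the risk descriptions are mine.
HIGH_RISK_PERMISSIONS = {
    "cookies": "read/modify cookies on sites it has host access to (session theft)",
    "webRequest": "observe every matching request (traffic inspection)",
    "webRequestBlocking": "block or rewrite requests (traffic manipulation)",
    "declarativeNetRequest": "redirect/rewrite requests (redirects, ad injection)",
    "scripting": "inject scripts into pages (DOM manipulation, phishing)",
    "proxy": "change the browser's proxy settings (traffic routing)",
    "tabs": "enumerate and navigate tabs (forced redirects)",
    "debugger": "attach the DevTools protocol to pages",
}
# Host patterns that mean "every site".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions whose combination with broad host access is the strongest signal.
ESCALATING = {"cookies", "webRequest", "webRequestBlocking",
              "declarativeNetRequest", "scripting"}


def assess_manifest(manifest: Dict) -> Dict:
    """Return a triage verdict ('low'/'medium'/'high') and the reasons for it."""
    findings: List[str] = []
    perms = set(manifest.get("permissions", [])) | set(
        manifest.get("optional_permissions", []))
    for p in sorted(perms):
        if p in HIGH_RISK_PERMISSIONS:
            findings.append(f"permission {p}: {HIGH_RISK_PERMISSIONS[p]}")

    # Collect host access from MV3 host_permissions, MV2-style URL entries
    # in permissions, and content_scripts match lists.
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    for cs in manifest.get("content_scripts", []):
        hosts += cs.get("matches", [])
    broad = any(h in BROAD_HOST_PATTERNS for h in hosts)
    if broad:
        findings.append("broad host access: extension can run on every site")

    if broad and perms & ESCALATING:
        level = "high"
    elif findings:
        level = "medium"
    else:
        level = "low"
    return {"name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "level": level, "findings": findings}


def scan_extensions(root: str) -> List[Dict]:
    """Walk a Chrome profile's Extensions directory and assess every manifest."""
    results = []
    for dirpath, _, files in os.walk(root):
        if "manifest.json" in files:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
                results.append(assess_manifest(json.load(fh)))
    return results


# Constructed sample manifests (not taken from any real extension).
SUSPICIOUS = {
    "name": "Site Stats Helper (sample)", "version": "1.0", "manifest_version": 3,
    "permissions": ["cookies", "webRequest", "storage"],
    "host_permissions": ["<all_urls>"],
}
BENIGN = {
    "name": "Example Notes (sample)", "version": "2.1", "manifest_version": 3,
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
}

if __name__ == "__main__":
    for m in (SUSPICIOUS, BENIGN):
        r = assess_manifest(m)
        print(f"{r['name']} -> {r['level']}")
        for f in r["findings"]:
            print("   ", f)
    # scan_extensions(os.path.expanduser("~/.config/google-chrome/Default/Extensions"))
```

A "high" verdict is a triage signal, not proof of malice: legitimate privacy and developer tools request the same permissions, so the output is best used to decide which installed extensions deserve a closer look at their code and the developer behind them.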

100+ Fake Chrome Extensions Found Hijacking Sessions, Stealing Credentials, Injecting Ads
Over 100 malicious Chrome extensions since Feb 2024 impersonated real tools to steal data and execute code.
