Researchers at Awake Security have uncovered a massive global surveillance campaign that used malicious Google Chrome extensions to steal sensitive data. The extensions had been downloaded millions of times before Google removed them from the Chrome Web Store.
These Trojanized browser extensions were used to steal corporate data and to gain a persistent foothold in corporate networks. Awake Security researchers identified 111 malicious Chrome extensions in the campaign, 79 of which were available in the Chrome Web Store and have since been removed by Google. The extensions could take screenshots, read the clipboard, log keystrokes, and harvest credential tokens. Awake Security estimates that they had been downloaded around 32 million times. What is less clear is who is behind the campaign, and whether it is the work of a nation-state group or a cybercriminal operation.
The campaign appears to have been facilitated by the domain registrar CommuniGal Communication Ltd. (GalComm). All 111 malicious extensions used GalComm-registered domains for their command-and-control infrastructure or loader pages, although the registrar's owner said he was unaware of any malicious activity, had nothing to do with the campaign, and had done nothing wrong.
“We believe registrars like GalComm can effectively function like cyber arms-dealers, providing a platform through which criminals and nation-states can deliver malicious sites, tools and extensions without consequences or oversight,” explained Awake Security in the report.
Awake Security researchers identified 26,079 reachable domains used by the extensions, 15,160 of which were registered through GalComm and were malicious or suspicious. Many of these domains had been registered with GalComm immediately after their previous registrations expired, so they did not look like brand-new registrations. That helped them slip past security controls that key on recently registered domains, and as a result the domains were not blacklisted, even though many hosted traditional malware and browser-based surveillance tools.
According to Awake Security, the threat actor used these extensions to gain a foothold in around 100 corporate networks, spanning the oil and gas, media, entertainment, healthcare, education, high-tech, retail, and financial services sectors, as well as some government agencies.
Many of the compromised firms employed best-in-class security solutions, but because the surveillance took place inside the browser, the threat went undetected. The researchers report that the campaign has been running for years.
Many business applications are now cloud based – Microsoft 365, G Suite, Salesforce, Zoom, etc. – and are accessed through a browser. By targeting the browser itself, attackers can steal sensitive data without being detected by conventional security solutions. “Passively targeting these applications with malicious browser extensions is akin to the new attacker rootkit, giving the adversary virtually unfettered access to our business and personal online lives,” said Gary Golomb, co-founder and chief scientist of Awake Security.
While some users may have installed the extensions manually, Awake Security believes that in many cases they were installed by potentially unwanted programs (PUPs) and adware already present on victims’ systems.
The campaign highlights the threat posed by rogue browser extensions and the need to scan endpoints regularly to identify and investigate potentially malicious extensions.
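One way to run the kind of scan recommended above, as an added example written for this page rather than code from Awake Security or Google: a Python script that walks a Chrome profile's extension directory, parses each manifest.json, and scores it on permissions that map to the capabilities described in the report (screenshots, clipboard, keystrokes, session tokens), plus any update URL that is not the Chrome Web Store's. The permission weights, the watch-list domain names (`*.example-bad.test`) and the two sample manifests are constructed assumptions; the profile paths are Chrome's standard per-platform extension locations.

```python
"""Score installed Chrome extensions on surveillance-capable permissions."""
import json
import os
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Weights are this example's assumptions: any one "spying" capability alone
# is already worth an analyst's look.
RISKY_PERMISSIONS = {
    "<all_urls>": 3,        # read/modify every page the user visits
    "clipboardRead": 3,     # clipboard theft
    "desktopCapture": 3,    # screenshots / screen recording
    "debugger": 3,          # DevTools protocol access to any tab
    "cookies": 2,           # session tokens for cloud apps
    "webRequest": 2,        # observe or modify HTTP traffic
    "nativeMessaging": 2,   # bridge to a host-side program
    "tabs": 1,
}
BROAD_MATCHES = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")
# Chrome Web Store update endpoint; anything else means updates come from elsewhere.
OFFICIAL_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Constructed watch list; a real deployment would load registrar/C2 IOCs here.
WATCHLIST_DOMAINS = {"loader.example-bad.test", "c2.example-bad.test"}
# Standard Chrome extension roots (Windows, Linux, macOS).
CHROME_EXT_ROOTS = [
    Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default/Extensions",
    Path.home() / ".config/google-chrome/Default/Extensions",
    Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions",
]


def assess_manifest(manifest):
    """Return (score, findings) for one parsed manifest.json (MV2 or MV3)."""
    score, findings = 0, []
    perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for p in perms:
        if p in RISKY_PERMISSIONS:
            score += RISKY_PERMISSIONS[p]
            findings.append(f"permission {p}")
    # A content script injected into every site can hook keystrokes and scrape
    # login forms, i.e. act as an in-browser keylogger.
    for cs in manifest.get("content_scripts", []):
        if any(m in BROAD_MATCHES for m in cs.get("matches", [])):
            score += 3
            findings.append("content script injected into all sites")
            break
    update_url = manifest.get("update_url")
    if update_url and update_url != OFFICIAL_UPDATE_URL:
        host = urlparse(update_url).hostname or ""
        score += 2
        findings.append(f"non-store update_url host {host}")
        if host in WATCHLIST_DOMAINS:
            score += 5
            findings.append(f"update host {host} on watch list")
    return score, findings


def scan_extension_root(root):
    """Walk <root>/<ext_id>/<version>/manifest.json and rank extensions by score."""
    results = []
    for manifest_path in Path(root).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the scan
        results.append({"id": manifest_path.parents[1].name,
                        "name": manifest.get("name", "?"),
                        "version": manifest.get("version", "?"),
                        **dict(zip(("score", "findings"), assess_manifest(manifest)))})
    return sorted(results, key=lambda r: r["score"], reverse=True)


def build_sample_root():
    """Constructed test data: one benign and one surveillance-style extension."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "a" * 32: {"name": "Benign Notes", "version": "1.0", "manifest_version": 3,
                   "permissions": ["storage"], "update_url": OFFICIAL_UPDATE_URL},
        "b" * 32: {"name": "Free Video Helper", "version": "2.3", "manifest_version": 2,
                   "permissions": ["tabs", "clipboardRead", "cookies", "webRequest", "<all_urls>"],
                   "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
                   "update_url": "https://c2.example-bad.test/update.xml"},
    }
    for ext_id, manifest in samples.items():
        d = root / ext_id / manifest["version"]
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    # Scan real profiles if present, otherwise the constructed sample tree.
    roots = [r for r in CHROME_EXT_ROOTS if r.is_dir()] or [build_sample_root()]
    for root in roots:
        for r in scan_extension_root(root):
            print(f"{r['score']:>3}  {r['id']}  {r['name']} {r['version']}  {'; '.join(r['findings'])}")
```

The score is a triage aid, not a verdict: a legitimate password manager will also request cookies and a broad content script. What separates the extensions in this campaign is the combination of those capabilities with an update or loader host that is not the Web Store, so the update_url check and the watch list are where registrar-level intelligence such as the GalComm domain set would be plugged in.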