Chrome Extension - Threats from the latest Chrome extensions

Lưu Tuấn Anh

Overview

On December 25, 2024, several forms of attacks were recorded through Google Chrome extensions to infiltrate and steal user information, affecting over 600,000 users. Hackers took control and injected malicious code into these extensions. From analyzing some compromised machines, the main motive of the attack was to target Facebook Advertising accounts.

Main Findings

  • The nature of malicious Chrome extensions is that they are browser extensions for Google Chrome designed with harmful intent. These extensions may look like useful or harmless applications, but they often contain malicious code to collect personal data, track online activity, display unwanted ads, or even take control of the browser.

  • Notably, the compromised extension version is 24.10.4. Recent reports also note that 16 other Google Chrome extensions may be affected in this attack campaign:

    • AI Assistant - ChatGPT and Gemini for Chrome

    • Bard AI Chat Extension

    • GPT 4 Summary with OpenAI

    • Search Copilot AI Assistant for Chrome

    • TinaMInd AI Assistant

    • Wayin AI

    • VPNCity

    • Internxt VPN

    • Vidnoz Flex Video Recorder

    • VidHelper Video Downloader

    • Bookmark Favicon Changer

    • Castorus

    • Uvoice

    • Reader Mode

    • Parrot Talks

    • Primus

    • Tackker - online keylogger tool

    • AI Shop Buddy

    • Sort by Oldest

    • Rewards Search Automator

    • ChatGPT Assistant - Smart Search

    • Keyboard History Recorder

    • Email Hunter

    • Visual Effects for Google Meet

    • Earny - Up to 20% Cash Back

    • Where is Cookie?

    • Web Mirror

    • ChatGPT App

    • Hi AI

    • Web3Password Manager

    • YesCaptcha assistant

    • Proxy SwitchyOmega (V3)

    • GraphQL Network Inspector

    • ChatGPT for Google Meet

Attack Vector

  1. The attacker first sends the victim a phishing email purporting to offer Chrome extension support. After clicking the link in the email, the victim is unknowingly directed to a malicious Google OAuth application named “Privacy Policy Extension” and inadvertently grants permissions to this third-party application. With those permissions, the attacker uploads a malicious extension version containing two files:

    • worker.js

    • content.js

  2. worker.js, the first file observed, connects to the C&C server, downloads the configuration from it and saves that configuration to Chrome's local storage. It then registers listeners for events from content.js and makes the HTTP calls on its behalf.

  3. Once worker.js has run successfully, content.js is invoked. This is a new file added to the malicious extension. Its main purpose is to collect user data on a specific website; that target website is part of the configuration received from the C&C and stored by worker.js. After collecting the data, content.js sends it to a malicious site that is also named in the configuration received from the C&C server.

  4. The target websites received from the C&C server are domains matching "*.facebook.com", used for purposes such as:

    • Obtaining the Facebook user ID

    • Retrieving the user's account information (if available) via the Facebook API

    • Accessing the user's business account (through the Facebook API)

    • Fetching the user's ad account information (through the Facebook API)

IOCs

  1. Hash

    • DDF8C9C72B1B1061221A597168f9BB2C2BA09D38D7B3405E1DACE37AF158794

  2. Malicious files

    • worker.js (0B871BDEE9D8302A48D6D6511228CAF67A08EC60)

    • content.js (AC5CC8BCC05AC27A8F189134C2E3300863B317FB)

  3. C&C Servers and Malicious IPs

    • cyberhavenext[.]pro

    • api.cyberhaven[.]pro

    • 149.28.124[.]84

    • 149.248.2[.]16
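As an added defensive check, not part of the original post, the script below applies the indicators listed above to an unpacked extension directory: it flags the compromised manifest version, any JavaScript file whose hash matches the listed worker.js / content.js hashes, and any file that embeds one of the listed C&C hosts. It assumes the 40-hex file hashes are SHA-1 and that the directory layout is Chrome's usual <profile>/Extensions/<id>/<version>/; the demo() sample extension is constructed here for illustration.

```python
import hashlib, json, tempfile
from pathlib import Path

# Indicators copied from the report above: file hashes (assumed SHA-1),
# defanged C&C hosts and the compromised extension version.
IOC_SHA1 = {
    "0b871bdee9d8302a48d6d6511228caf67a08ec60": "worker.js",
    "ac5cc8bcc05ac27a8f189134c2e3300863b317fb": "content.js",
}
IOC_HOSTS = ["cyberhavenext[.]pro", "api.cyberhaven[.]pro",
             "149.28.124[.]84", "149.248.2[.]16"]
BAD_VERSION = "24.10.4"

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a matchable string."""
    return ioc.replace("[.]", ".")

def scan_extension(ext_dir: Path) -> list[dict]:
    """Check one unpacked extension directory (Chrome keeps them under
    <profile>/Extensions/<id>/<version>/) against the indicators."""
    findings = []
    manifest = ext_dir / "manifest.json"
    if manifest.is_file():
        meta = json.loads(manifest.read_text(encoding="utf-8"))
        if meta.get("version") == BAD_VERSION:
            findings.append({"kind": "version", "file": "manifest.json",
                             "value": BAD_VERSION})
    hosts = [refang(h) for h in IOC_HOSTS]
    for js in sorted(ext_dir.rglob("*.js")):
        data = js.read_bytes()
        digest = hashlib.sha1(data).hexdigest()
        if digest in IOC_SHA1:
            findings.append({"kind": "hash", "file": js.name, "value": digest})
        text = data.decode("utf-8", errors="replace")
        for host in hosts:
            if host in text:
                findings.append({"kind": "host", "file": js.name, "value": host})
    return findings

def demo() -> list[dict]:
    """Constructed sample extension: the version and host indicators can be
    reproduced offline; the hash indicators need the real malicious files."""
    root = Path(tempfile.mkdtemp())
    (root / "manifest.json").write_text(json.dumps(
        {"name": "constructed sample", "version": BAD_VERSION, "manifest_version": 3}))
    (root / "content.js").write_text('const cfgHost = "api.cyberhaven.pro";')
    return scan_extension(root)
```

Point scan_extension() at each <id>/<version> directory of a Chrome profile to triage installed extensions; an empty list means none of the listed indicators were found.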

Recommendations

  1. To protect against this campaign, organizations should verify the Google Chrome extensions they have installed and update the affected extension to version 24.10.5 or newer.

  2. Review and remove unnecessary extensions from the browser, and change passwords used in Google Chrome.

Conclusion

Taking control and stealing sensitive information from personal or business Facebook accounts is a significant security risk. By reviewing and upgrading to the recommended versions, organizations and individuals can protect sensitive information from being intercepted by malicious actors. Regular updates and security assessments are crucial for maintaining a safe communication environment.

References

  1. https://www.cyberhaven.com/engineering-blog/cyberhavens-preliminary-analysis-of-the-recent-malicious-chrome-extension

  2. https://thehackernews.com/2024/12/16-chrome-extensions-hacked-exposing.html?m=1
