The threat was spotted by Awake Security, which detected 111 of the malicious extensions over the past three months. When it notified Google of the issue last month, it claimed that 79 were present in the Chrome Web Store, where they had been downloaded nearly 33 million times.
Figures for the others not in the official marketplace are hard to calculate for obvious reasons.
“These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc,” it said in a report detailing the investigation.
“After analyzing more than 100 networks across financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government organizations, Awake discovered that the actors behind these activities have established a persistent foothold in almost every single network.”
Spoofed to appear legitimate, the extensions all sent the data they harvested back to ‘legitimate’ domain registrar GalComm, which Awake argued “is at best complicit in malicious activity.”
Those behind the campaign have worked hard to ensure an almost 100% success rate, evading enterprise security proxies, AV and other defenses.
“One reason for this appears to be a smart method for filtering/blocking requests used by this attack campaign. If the client is connecting to the domain from a broadband, cable, fiber, mobile or similar fixed-line ISP type of network, then the client will be delivered the malicious payload. This allows all normal users and enterprises to pass through the filter,” the report explained.
“If the connection is coming from a data center, web hosting service, transit networks, VPN or proxy, the request is redirected to a benign page.”
In some cases, efforts were made to bypass the Chrome Web Store altogether.
“They do so by loading a self-contained Chromium package instrumented with the malicious plugins,” Awake Security said.
“As most users don’t recognize the difference between Chrome and Chromium, when prompted to make the new browser their default, they frequently do – making their primary browser one which will happily continue to load malicious extensions from other GalComm related sources.”
The report suggested the campaign could be tied to state-sponsored activity.
Source: Infosecurity Magazine