- Socket finds 108 malicious Chrome extensions stealing tokens and data
- Extensions harvest Google account info, hijack Telegram sessions, and open backdoors
- Likely Russian MaaS operation; 20,000+ installs, still live in Web Store
A single threat actor has apparently smuggled more than 100 malicious browser extensions into the official Google Chrome Web Store, looking to steal authentication tokens, and establish backdoors to people’s devices.
Analyzing Google’s browser repository, security researchers Socket found 108 extensions split into five distinct categories: Telegram sidebar clients, slot machines and Keno games, YouTube and TikTok enhancers, text translation tools, and browser utilities.
While on the surface, all of those worked as intended, in the background they were doing all sorts of malicious things.
TIered system and new announcements
For example, a cluster of 78 extensions was seen injecting attacker-controlled HTML into the user interface, while 54 extensions were harvesting emails, names, profile pictures, and Google account IDs.
They also stole Google OAuth2 Bearer tokens. A third group of 45 extensions works as a backdoor, fetching commands from the C2 infrastructure and opening arbitrary URLs. A few extensions stripped security headers and injected ads into YouTube and TikTok.
However, the most dangerous extension was seen stealing Telegram Web sessions every 15 seconds, extracting data from local storage and the session token for Telegram Web.
While the extensions were published from five separate profiles, they all connected back to the same command-and-control infrastructure, which suggests that this is all the work of a single threat actor. Judging by the comments in the code for authentication and session theft, Socket concluded that this was most likely a Russian malware-as-a-service (MaaS) operation. However, it was not able to attribute the campaign to a specific actor, or cluster.
Some sources said the extensions were installed at least 20,000 times by now and that despite Socket’s takedown requests, Google has not yet removed the extensions from the repository - so if you are using any of these, it would be best to uninstall them immediately.
