Ancestors

Written by Yellow Flag on 2025-01-20 at 13:45

Published a new article: Malicious extensions circumvent Google’s remote code ban

https://palant.info/2025/01/20/malicious-extensions-circumvent-googles-remote-code-ban/

Looking at 60 malicious extensions belonging to three groups here, still running remote code despite Google banning it in Manifest V3. “Fun” fact: some of these extensions have been featured on my blog in 2023, others on McAfee’s in 2022.

Recurring pattern: downloading rules and adding them to declarativeNetRequest API. The abuse potential here is enormous, including injecting malicious scripts into websites.

Only one extension went for essentially a custom programming language, others settled with simpler approaches. Luckily for me because the latter allows better guesses about what this functionality is meant for. Spoiler: ads and affiliate fraud. Also: affiliate fraud and ads.

Toot

Written by Yellow Flag on 2025-01-20 at 15:04

Actually, make that 62 malicious extensions. Thanks to a commenter I found two more malicious ad blockers using the same approach as the EasyNav extension.

Descendants

Written by Yellow Flag on 2025-01-21 at 00:45

And now I got hold of some malicious “configurations” used by Phoenix Invicta extensions. As expected, injecting their JavaScript code into all web pages is what they do. That’s some massive power which they use to … 🥁🥁🥁 … spy on people and inject their ads into Google searches, making these ads almost indistinguishable from search results. Oh, and if you look closely they also open up a massive vulnerability in all websites. But it’s not like they would care about that.

Now that is hopefully reason enough for Google to kick these extensions out.

Written by Yellow Flag on 2025-01-28 at 12:06

Turns out, I made a serious mistake here – the Flipshope extension isn’t malicious, it merely contains some left-over code that isn’t used. The company behind it says that they acquired the extension in 2023, and they apparently forgot to remove some dead code. This also affects attribution of that extension group.

Written by Yellow Flag on 2025-01-29 at 15:42

Now I got the malicious payload of the Download Manager Integration Checklist extension, lots of obfuscated code. Interestingly, the obfuscation approach is familiar: I’ve already reported some extensions which had similar obfuscated code built in rather than downloaded, and I just found two more.

Given how the extensions are seemingly unrelated otherwise I suspected some public obfuscator. And in fact, here it is: https://github.com/javascript-obfuscator/javascript-obfuscator/

Either way, there seem to be more obfuscation layers here. Somebody really didn’t want anybody to know what they are doing. So I guess I have some work to do…

Written by Yellow Flag on 2025-02-03 at 14:28

There we go, follow-up article: https://palant.info/2025/02/03/analysis-of-an-advanced-malicious-chrome-extension/

Written by Sam Hetchler (Kg6hxm) on 2025-01-28 at 12:50

@WPalant

Still potentially troublesome, which is the point you're trying to make. I hope they took care of it.
