Security firm ICEBRG uncovers 4 malicious Chrome extensions
US-based security firm ICEBRG revealed yesterday that it detected four malicious Google Chrome extensions at the official Chrome Web Store.
The extensions had a combined user count of more than 500,000 users at that time. The company notified Google and authorities about the extensions; Google pulled three of the four extensions from the Store in the meantime.
The extensions in question are Lite Bookmarks, Stickies - Chrome's Post-it Notes, Change HTTP Request Header, and Nyoogle - Custom Logo for Google; Nyoogle was still available at the official Web Store at the time of writing.
ICEBRG stumbled upon the malicious extensions during an investigation of a "suspicious spike in outbound traffic from a customer workstation." It identified the Chrome extension Change HTTP Request Header as the culprit and began to analyze the extension's behavior.
While the researchers did not notice other misbehavior by the extension, the capabilities were in place to use it for other purposes.
The same capability could also be used by the threat actor to browse internal sites of victim networks, effectively bypassing perimeter controls that are meant to protect internal assets from external parties.
The detected extensions use similar methods, but it is unclear whether they are operated by the same group. That seems likely, considering the similarity of the methods used to bypass Google's automated checks of Chrome extension uploads and behavior.
Chrome users should verify on chrome://extensions that none of the extensions are installed. It is recommended that you remove these extensions immediately.
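For checking many machines or profiles rather than opening chrome://extensions on each, the same check can be scripted. The following is an added example, not code from ICEBRG or Google: it walks a Chrome profile's Extensions folder and matches each manifest's name against the four names above. The function names are hypothetical, and matching is by name only because the article gives no extension IDs.

```python
import json
import sys
from pathlib import Path

# Names as listed in the article, lowercased for comparison.
FLAGGED = {
    "lite bookmarks",
    "stickies - chrome's post-it notes",
    "change http request header",
    "nyoogle - custom logo for google",
}

def display_name(version_dir: Path) -> str:
    """Return the extension's name, resolving __MSG_key__ placeholders."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2].lower()
        locale = manifest.get("default_locale", "en")
        messages_file = version_dir / "_locales" / locale / "messages.json"
        try:
            messages = json.loads(messages_file.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            return name  # placeholder could not be resolved
        for k, v in messages.items():  # message keys are case-insensitive
            if k.lower() == key and isinstance(v, dict):
                return v.get("message", name)
    return name

def find_flagged(profile_dir: Path) -> list[tuple[str, str]]:
    """Scan <profile>/Extensions/<id>/<version>/ and return sorted (id, name) hits."""
    hits = set()
    for manifest in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        try:
            name = display_name(manifest.parent)
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed manifest: skipped, not judged
        if name.strip().lower() in FLAGGED:
            hits.add((manifest.parent.parent.name, name))
    return sorted(hits)

if __name__ == "__main__":
    # Usage: python check_extensions.py "<Chrome profile directory>" [...]
    for profile in sys.argv[1:]:
        for ext_id, name in find_flagged(Path(profile)):
            print(f"FLAGGED {profile} {ext_id}: {name}")
```

A name match is a lead for manual review rather than proof, since an unrelated extension can share a name and a malicious one can be renamed.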
Google's automated system that checks Chrome extensions before they are offered on the Store is severely broken. The last year alone saw a number of incidents where malicious Chrome extensions slipped past Google's detection routines to infect hundreds of thousands of user systems. (via Bleeping Computer)