Browser Extensions
Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)
Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.
Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles
tool to install malicious .mobileconfig
files. In macOS 11+, the use of the profiles
tool can no longer install configuration profiles, however .mobileconfig
files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)
Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension)
There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions for Command and Control.(Citation: Stantinko Botnet)(Citation: Chrome Extension C2 Malware) Adversaries may also use browser extensions to modify browser permissions and components, privacy settings, and other security controls for Defense Evasion.(Citation: Browers FriarFox)(Citation: Browser Adrozek)
Procedure Examples |
|
Name | Description |
---|---|
Mispadu |
Mispadu utilizes malicious Google Chrome browser extensions to steal financial data.(Citation: ESET Security Mispadu Facebook Ads 2019) |
Kimsuky |
Kimsuky has used Google Chrome browser extensions to infect victims and to steal passwords and cookies.(Citation: Zdnet Kimsuky Dec 2018)(Citation: Netscout Stolen Pencil Dec 2018) |
OSX/Shlayer |
OSX/Shlayer can install malicious Safari browser extensions to serve ads.(Citation: Intego Shlayer Apr 2018)(Citation: Malwarebytes Crossrider Apr 2018) |
Grandoreiro |
Grandoreiro can use malicious browser extensions to steal cookies and other user information.(Citation: IBM Grandoreiro April 2020) |
Bundlore |
Bundlore can install malicious browser extensions that are used to hijack user searches.(Citation: MacKeeper Bundlore Apr 2019) |
Stolen Pencil |
Stolen Pencil victims are prompted to install malicious Google Chrome extensions which gave the threat actor the ability to read data from any website accessed. (Citation: Netscout Stolen Pencil Dec 2018) |
Mitigations |
|
Mitigation | Description |
---|---|
Limit Software Installation |
Block users or groups from installing unapproved software. |
Audit |
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
Update Software |
Perform regular software updates to mitigate exploitation risk. |
User Training |
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction. |
Browser Extensions Mitigation |
Only install browser extensions from trusted sources that can be verified. Ensure extensions that are installed are the intended ones as many malicious extensions will masquerade as legitimate ones. Browser extensions for some browsers can be controlled through Group Policy. Set a browser extension white or black list as appropriate for your security policy. (Citation: Technospot Chrome Extensions GP) Change settings to prevent the browser from installing extensions without sufficient permissions. Close out all browser sessions when finished using them. |
Execution Prevention |
Block execution of code on a system through application control, and/or script blocking. |
Detection
Inventory and monitor browser extension installations that deviate from normal, expected, and benign extensions. Process and network monitoring can be used to detect browsers communicating with a C2 server. However, this may prove to be a difficult way of initially detecting a malicious extension depending on the nature and volume of the traffic it generates.
Monitor for any new items written to the Registry or PE files written to disk. That may correlate with browser extension installation.
On macOS, monitor the command line for usage of the profiles tool, such as profiles install -type=configuration
. Additionally, all installed extensions maintain a plist
file in the /Library/Managed Preferences/username/
directory. Ensure all listed files are in alignment with approved extensions.(Citation: xorrior chrome extensions macOS)
References
- ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
- Wikipedia. (2017, October 8). Browser Extension. Retrieved January 11, 2018.
- Vachon, F., Faou, M. (2017, July 20). Stantinko: A massive adware campaign operating covertly since 2012. Retrieved November 16, 2017.
- Raggi, Michael. Proofpoint Threat Research Team. (2021, February 25). TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan Organizations. Retrieved February 26, 2024.
- Microsoft Threat Intelligence. (2020, December 10). Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers. Retrieved February 26, 2024.
- Marinho, R. (n.d.). (Banker(GoogleChromeExtension)).targeting. Retrieved November 18, 2017.
- Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension Steals All Posted Data. Retrieved November 16, 2017.
- Kjaer, M. (2016, July 18). Malware in the browser: how you might get hacked by a Chrome extension. Retrieved September 12, 2024.
- Jagpal, N., et al. (2015, August). Trends and Lessons from Three Years Fighting Malicious Extensions. Retrieved November 17, 2017.
- De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL BUSINESSES. Retrieved January 17, 2018.
- Chrome. (n.d.). What are Extensions?. Retrieved November 16, 2017.
- Chris Ross. (2019, February 8). No Place Like Chrome. Retrieved April 27, 2021.
- Brinkmann, M. (2017, September 19). First Chrome extension with JavaScript Crypto Miner detected. Retrieved November 16, 2017.
- ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
- Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.
- Reed, Thomas. (2018, April 24). New Crossrider variant installs configuration profiles on Macs. Retrieved September 6, 2019.
- Vrijenhoek, Jay. (2018, April 24). New OSX/Shlayer Malware Variant Found Using a Dirty New Trick. Retrieved September 6, 2019.
- Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
- Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
- Mohta, A. (n.d.). Block Chrome Extensions using Google Chrome Group Policy Settings. Retrieved January 10, 2018.
Связанные риски
Риск | Связи | |
---|---|---|
Заражение вредоносным программным обеспечением
из-за
возможности установки и эксплуатации расширений
в браузере
Доступность
Конфиденциальность
Отказ в обслуживании
Повышение привилегий
Раскрытие информации
Целостность
Искажение
|
1
|
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.