Dormant Colors campaign injected 1 million Chrome browsers with revenue-generating malware

Researchers at cybersecurity firm Guardio have uncovered a campaign that has quietly injected malware into the Chrome-based browsers of more than 1 million victims. The campaign leveraged browser extensions distributed through the Google Chrome Web Store and the Microsoft Edge Add-ons store. However, these extensions do not package any malicious payload, which allows them to pass store review and avoid detection. Only after installation do the extensions sideload the malicious code that activates their unwanted behavior.

Malvertising that instructs users to install an extension to continue (Source: Guardio)

These extensions are promoted through malvertising displayed on web pages that offer free streaming or downloading of digital media content. As shown in the GIF above, these malicious ads present fake pop-ups informing users that they cannot continue to the next page without installing the extension. If the user accepts the prompt, the Chrome Web Store or Edge Add-ons store opens in a new window, and the malicious ad in the original window instructs the user to install the browser extension displayed in the new window.

After the extension is installed, it opens a blank page and then redirects the user to a web page that displays advertisements for other services or browser extensions. Unbeknownst to the user, however, the blank page that briefly preceded the ad loaded a PHP resource filled with malicious scripts, which the browser extension downloaded and sideloaded. The extensions in this campaign were advertised as tools to change the background color of a website, prompting the researchers to name the campaign “Dormant Colors”, because the color extension remained dormant until the malicious script was sideloaded.

Google Search redirects to affiliate search providers (Source: Guardio)

After the malicious script is loaded, the extension establishes a connection to the threat actor’s command and control (C2) server, which can push additional malicious scripts to update the extension’s behavior. The malicious extension injects code into every web page the user visits, enabling the extension to gather information about the victim’s browser behavior and upload this information to the C2 server. Researchers are concerned that these extensions could be used to conduct targeted phishing (spear phishing) attacks based on information collected and shared with the threat actors behind the campaign.

However, researchers currently do not have any evidence that such attacks are taking place. Instead, these extensions detect when a user visits a specific domain name and either redirect the user to the same domain name with an affiliate code added to the URL, or redirect the user to an alternate domain name hosting a website that imitates the one on the domain the user entered. For example, the GIF above shows one of the malicious extensions redirecting a user’s Google search query to an alternate search provider that is nearly identical to Google Search.

So far, the redirects performed by these malicious extensions appear to be aimed at generating revenue for the threat actors behind the campaign. However, as already mentioned, these extensions can be used to redirect unsuspecting victims to phishing login pages to steal their user credentials. Fortunately, the malicious extensions identified by Guardio appear to have been removed from the Chrome Web Store and Edge Add-ons store, but users should ensure their browsers do not have any of the following extensions installed:

  • action color
  • Power color
  • Nino color
  • more styles
  • super color
  • mix colors
  • super color
  • get color
  • what colour
  • monochrome
  • color scale
  • flexible style
  • background color
  • more styles
  • change color
  • decorative color
  • refresh color
  • image information
  • web color
  • hex color
  • soft view
  • border color
  • color mode
  • Xer color
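As an added example (not from Guardio or from this article), the following Python script audits the unpacked extensions in a Chrome or Edge profile: it reads each extension's manifest.json and flags any whose name is on the list above, or whose permissions allow scripts to run on every page the user visits, which is the behaviour the article describes. The profile directory layout (one folder per extension id, one subfolder per version) and the lowercase normalization of the listed names are assumptions.

```python
# Added example: audit installed extension manifests for Dormant Colors names
# and for the broad page-injection permissions the campaign relied on.
import json
import os

# Names from the list quoted above, normalized to lowercase (assumption).
DORMANT_COLORS_NAMES = {
    "action color", "power color", "nino color", "more styles", "super color",
    "mix colors", "get color", "what colour", "monochrome", "color scale",
    "flexible style", "background color", "change color", "decorative color",
    "refresh color", "image information", "web color", "hex color",
    "soft view", "border color", "color mode", "xer color",
}

# Match patterns that let an extension run scripts on every page the user visits.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def load_manifests(extensions_dir):
    """Map extension id -> manifest dict for a profile's Extensions folder,
    e.g. ~/.config/google-chrome/Default/Extensions (layout is an assumption)."""
    manifests = {}
    for ext_id in os.listdir(extensions_dir):
        id_dir = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):  # newest version wins
            path = os.path.join(id_dir, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as f:
                    manifests[ext_id] = json.load(f)
    return manifests


def audit_manifests(manifests):
    """Return {ext_id: [reasons]} for extensions that deserve a closer look."""
    findings = {}
    for ext_id, m in manifests.items():
        reasons = []
        if str(m.get("name", "")).strip().lower() in DORMANT_COLORS_NAMES:
            reasons.append(f"name '{m.get('name')}' is on the Dormant Colors list")
        # MV3 keeps host patterns in host_permissions, MV2 mixes them into permissions.
        patterns = set(m.get("host_permissions", []))
        patterns.update(p for p in m.get("permissions", []) if isinstance(p, str))
        for cs in m.get("content_scripts", []):
            patterns.update(cs.get("matches", []))
        broad = sorted(patterns & BROAD_PATTERNS)
        if broad:
            reasons.append(f"can inject scripts into every page: {broad}")
        if reasons:
            findings[ext_id] = reasons
    return findings
```

Run `audit_manifests(load_manifests(path))` against a profile's Extensions folder; a broad-permission hit alone is not proof of compromise, since many legitimate extensions need it, but combined with a listed name it should be removed.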
