Guardio Labs researchers have discovered Dormant Colors, a new malvertising campaign that delivers malicious Google Chrome extensions.
The extensions are used to hijack searches and insert affiliate links into web pages. The researchers dubbed the campaign Dormant Colors because the extensions offer color customization as their advertised feature.
“It starts with the trickery malvertising campaign, continues with a crafty novel way to side-load the real malicious code without anyone noticing (until now!), and finally with stealing not only your searches and browsing data, but also affiliation to 10,000 targeted sites — a capability that is easily leveraged for targeted spear phishing, account takeover and credential extraction — all using this powerful network of millions of infected computers worldwide!” reads the post published by the Guardio Labs.
Over a million people have installed the malicious browser extensions.
The researchers found that the code of the Chrome extensions contains no malicious components in its initial state; the malicious snippets are added to the code later.
The attack chain starts with malvertising messages designed to trick victims into clicking the install button, as seen in the video. Victims are prompted to install a color-changing extension after clicking the ‘OK’ or ‘Continue’ button.
Once installed, these extensions redirect users to various pages that side-load malicious scripts which alter browser behavior. The extensions hijack searches and return affiliate links in the results, a scheme that lets the threat actors profit from traffic to those websites while also stealing data.
According to the researchers, these malicious extensions are more than just another search hijacker because they include “stealth modules for code updating and telemetry collection, as well as a backbone of servers harvesting data from millions of users.” The collected data is used to categorize potential targets and select the most effective social engineering attack vectors for targeting and stealing from them.