Awake Security has disclosed that malicious Chrome extensions used in a large-scale global surveillance campaign were downloaded millions of times before they were removed.
The campaign, which affected users worldwide, abused the Internet domain registration system and users' reliance on their browsers both to spy on them and to steal their data.
The investigation also found that the activity was facilitated by the Internet domain registrar CommuniGal Communication Ltd. (GalComm).
Most of the 15,160 unique suspect or malicious domains identified as part of this campaign were not new: they had been registered before, and were re-registered through GalComm immediately after they expired. This let the attackers evade detection mechanisms that look for newly registered domains.
The attackers went to considerable lengths to stay hidden. They not only bypassed multiple layers of security controls inside organizations, but also kept their domains from being classified as malicious by most security products.
Over the past few months the firm identified 111 malicious or fake Chrome extensions that used GalComm domains for command-and-control infrastructure and/or as loader pages. Of these, 79 were found in the Chrome Web Store in May, and Awake reports that they had accumulated roughly 33 million downloads before they were taken down.
Awake's researchers found that the threat actor behind the activity had established a persistent foothold in roughly 100 organizations' networks across a range of industries.
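The two techniques above (extensions beaconing to domains tied to one registrar, and drop-catching expired domains so that "newly registered domain" rules never fire) suggest a simple hunt. The script below is an added example, not Awake's tooling or anything from the report: it pulls hostnames out of an extension's manifest and background script, looks up each registrable domain in WHOIS-style metadata, and flags domains whose registrar is on a watchlist or whose registration changed recently even though the creation date is old. The manifest, script, WHOIS records, the registrar name "Watched Registrar Ltd" and the `.test` domains are all constructed for the example; in practice the records would come from a WHOIS/RDAP query and the watchlist from your own intelligence.

```python
"""Hunt for browser extensions calling out to domains from a watched registrar,
and show why a creation-date-only 'newly registered domain' rule misses
drop-caught (expired and re-registered) domains.

Added example, not Awake Security's tooling. All inputs below are constructed.
"""
import json
import re
from datetime import date, timedelta

# Matches an http(s) URL and captures its hostname.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)

# Constructed stand-ins for files read from a Chrome profile's
# Extensions/<id>/<version>/ directory.
MANIFEST = json.dumps({
    "name": "Example Helper",
    "version": "1.0",
    "manifest_version": 2,
    "permissions": ["tabs", "webRequest", "*://*/*"],
    "background": {"scripts": ["bg.js"]},
})
BACKGROUND_JS = """
const C2 = 'https://updates-example-cdn.test/api/beacon';
fetch('https://docs.example-safe.test/terms.html');
chrome.tabs.onUpdated.addListener(() => fetch(C2, {method: 'POST'}));
"""

# Constructed WHOIS-style metadata (would normally come from WHOIS/RDAP).
TODAY = date(2020, 6, 18)
WHOIS = {
    # Drop-caught: created years ago, re-registered via the watched registrar
    # days ago. It looks old to a creation-date check.
    "updates-example-cdn.test": {
        "registrar": "Watched Registrar Ltd",   # hypothetical registrar name
        "created": date(2014, 3, 2),
        "updated": TODAY - timedelta(days=5),
    },
    "example-safe.test": {
        "registrar": "Some Other Registrar",    # hypothetical registrar name
        "created": date(2012, 1, 10),
        "updated": date(2019, 1, 10),
    },
}
WATCHED_REGISTRARS = {"Watched Registrar Ltd"}


def extract_hosts(*sources):
    """Return the set of hostnames referenced by URLs in the given texts."""
    hosts = set()
    for src in sources:
        hosts.update(h.lower() for h in HOST_RE.findall(src))
    return hosts


def registrable(host):
    """Last two labels of a hostname. Simplification: real code should use the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    return ".".join(host.split(".")[-2:])


def newly_registered(rec, max_age_days=30):
    """The classic NRD rule: created within the last max_age_days."""
    return (TODAY - rec["created"]).days <= max_age_days


def recently_reregistered(rec, max_age_days=30):
    """Old creation date but the registration record changed recently: the
    signature of a domain re-registered right after it expired."""
    return (not newly_registered(rec, max_age_days)
            and (TODAY - rec["updated"]).days <= max_age_days)


def assess(rec):
    """Return the reasons a domain record is suspicious (empty if none)."""
    reasons = []
    if rec["registrar"] in WATCHED_REGISTRARS:
        reasons.append("watched registrar")
    if newly_registered(rec):
        reasons.append("newly registered")
    elif recently_reregistered(rec):
        reasons.append("old domain, registration changed recently (possible drop-catch)")
    return reasons


def referenced_domains(manifest_json, *scripts):
    """Registrable domains referenced by the manifest's permissions and scripts."""
    manifest = json.loads(manifest_json)
    sources = list(scripts) + [json.dumps(manifest.get("permissions", []))]
    return {registrable(h) for h in extract_hosts(*sources)}


def hunt(manifest_json, *scripts):
    """Map each suspicious referenced domain to its list of reasons."""
    findings = {}
    for dom in referenced_domains(manifest_json, *scripts):
        rec = WHOIS.get(dom)
        if rec is None:
            continue            # no metadata: treat as unknown, not clean
        reasons = assess(rec)
        if reasons:
            findings[dom] = reasons
    return findings


def naive_nrd_hits(manifest_json, *scripts):
    """What a creation-date-only 'newly registered domain' rule would flag."""
    return {d for d in referenced_domains(manifest_json, *scripts)
            if d in WHOIS and newly_registered(WHOIS[d])}


if __name__ == "__main__":
    print("NRD rule alone flags:", naive_nrd_hits(MANIFEST, BACKGROUND_JS))
    for dom, why in hunt(MANIFEST, BACKGROUND_JS).items():
        print(dom, "->", "; ".join(why))
```

Run stand-alone, the creation-date rule flags nothing, while the registrar watchlist and the "old domain, recently updated" check both catch the beacon domain. The point is the one the report makes: domain age is not the same as registration age, so enrich with registrar and last-updated data rather than creation date alone.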
“These campaigns have been ongoing for years while customers have deployed best-in-class security solutions. The research shows how attackers attempted to evade detection, but the TTPs, in this case, appear to have hit a blind spot in many traditional approaches to security—e.g. reputation engines, sandboxes and endpoint detection and response solutions,” the researchers note.
Some of the malicious extensions bypassed the Chrome Web Store entirely: they were delivered as a self-contained Chromium package bundled with other extensions, which tricks the user into accepting the new rogue browser as the default when prompted on first run.
“These rogue browsers appeared to have been installed by existing potentially unwanted programs (PUPs) already present on the victim system. This is very effective since the rogue browsers are self-contained, meaning other than the ability to just execute a program locally, very few other permissions are necessary,” Awake explains.