Security researchers have unearthed a “global surveillance campaign” that has been using malicious extensions to take screenshots, steal credentials, and capture user keystrokes on the Chrome web browser.
Researchers at Awake Security recently stumbled upon an Internet domain registrar named CommuniGal Communication Ltd. (GalComm) that was being used to register tens of thousands of domains, most of which were malicious or suspicious.
The researchers found that of the 26,079 reachable domains registered through GalComm, 15,160 domains, or almost 60%, were malicious or suspicious and hosted a variety of traditional malware and browser-based surveillance tools. These domains avoided being labeled as malicious by most security solutions thanks to a variety of evasion techniques and infected hundreds of networks without getting noticed.
They also found as many as 111 malicious or fake Chrome extensions that used GalComm domains for attacker command and control infrastructure and/or as loader pages for the extensions. These extensions carried a range of surveillance capabilities, such as stealing credentials, taking screenshots, capturing keystrokes, reading clipboards, and harvesting credential tokens stored in cookies or parameters.
These malicious extensions were downloaded at least 32,962,951 times by Chrome users, with some individual extensions recording more than ten million downloads. The researchers warned that the real number of malicious extensions could be higher, since the 32 million downloads only accounted for extensions that were still live in the Chrome Web Store as of May 2020.
“After analyzing more than 100 networks across financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government organizations, Awake discovered that the actors behind these activities have established a persistent foothold in almost every network,” said Awake Security in a blog post.
Because these malicious extensions leaned on their unflagged domains to pass as genuine Chrome browser extensions, they were able to persist and carry out surveillance even inside networks belonging to organisations that could afford state-of-the-art security software.
“Enterprise security teams would do well to recognize that rogue browser extensions pose a significant risk especially as more of our digital life is now conducted within the browser,” wrote Gary Golomb, Chief Scientist and co-founder of Awake Security.
“This threat is one that bypasses a number of traditional security mechanisms including endpoint security solutions, domain reputation engines, web proxies and cloud-based sandboxes. Security teams should, therefore, hunt on an ongoing basis for the tactics, techniques and procedures to compensate for the technological shortcomings,” he added.
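The hunting Golomb describes can start with something as simple as an inventory of installed extension manifests. The following script is an added example written for this article, not code from Awake Security or from the research it covers. It scores each manifest on three signals the article highlights: a surveillance-capable permission set (content access to every site, tabs, cookies, clipboard, web requests), references to domains on a watchlist, and an `update_url` that is not the Chrome Web Store's, which indicates a sideloaded extension. The watchlist domain, the two sample manifests and the profile path handling are all constructed assumptions; the article names no specific GalComm domains, so a real hunt would load that list from threat intelligence.

```python
import json
import os
import re
from typing import Any, Dict, List

# Permissions that, in combination, give an extension the reach the article
# describes (reading every page, cookies/tokens, clipboard, screen capture).
# An illustrative hunting heuristic chosen for this example, not a canonical list.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "tabs", "webRequest", "webRequestBlocking", "cookies",
    "clipboardRead", "desktopCapture", "history", "webNavigation",
}

# Hostnames to look for inside manifest URLs. Constructed placeholder: the
# article does not list GalComm domains, so load a real list from intel feeds.
WATCHLIST_DOMAINS = {"placeholder-watchlist-domain.test"}

# Extensions installed from the Chrome Web Store carry this update_url.
# Anything else, or a missing value on an unpacked extension, was sideloaded.
OFFICIAL_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def _hosts_in(value: Any) -> set:
    """Recursively collect hostnames from every string in a manifest."""
    hosts = set()
    if isinstance(value, str):
        hosts.update(h.lower() for h in HOST_RE.findall(value))
    elif isinstance(value, dict):
        for v in value.values():
            hosts |= _hosts_in(v)
    elif isinstance(value, list):
        for v in value:
            hosts |= _hosts_in(v)
    return hosts


def _on_watchlist(host: str) -> bool:
    """Exact or subdomain match against the watchlist."""
    return any(host == w or host.endswith("." + w) for w in WATCHLIST_DOMAINS)


def assess_manifest(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Score one manifest (one point per finding) and explain each finding."""
    # Manifest V2 keeps host patterns in "permissions"; V3 moves them to
    # "host_permissions"; content scripts declare their own "matches".
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        perms |= set(cs.get("matches", []))

    findings: List[str] = []
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if "<all_urls>" in perms:
        findings.append("content access to every site (<all_urls>)")
    if len(risky) >= 3:
        findings.append("surveillance-capable permission set: " + ", ".join(risky))

    watch_hits = sorted(h for h in _hosts_in(manifest) if _on_watchlist(h))
    if watch_hits:
        findings.append("references watchlisted domain(s): " + ", ".join(watch_hits))

    update_url = manifest.get("update_url")
    if update_url != OFFICIAL_UPDATE_URL:
        findings.append("not updated from the Chrome Web Store (update_url=%r)" % update_url)

    return {"name": manifest.get("name", "<unnamed>"),
            "score": len(findings), "findings": findings}


def scan_extension_dir(root: str) -> List[Dict[str, Any]]:
    """Walk a Chrome profile's Extensions directory (path supplied by the
    caller; an assumption of this example) and assess every manifest.json."""
    results = []
    for dirpath, _, files in os.walk(root):
        if "manifest.json" in files:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
                try:
                    results.append(assess_manifest(json.load(fh)))
                except ValueError:
                    continue  # skip unparsable manifests
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Two constructed manifests: a benign-looking utility and one shaped like the
# surveillance extensions described above. Neither is a real extension.
SAMPLE_MANIFESTS = [
    {"name": "Tab Counter (constructed sample)", "manifest_version": 3,
     "permissions": ["storage"], "update_url": OFFICIAL_UPDATE_URL},
    {"name": "Page Helper (constructed sample)", "manifest_version": 2,
     "permissions": ["tabs", "cookies", "clipboardRead", "webRequest", "<all_urls>"],
     "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
     "update_url": "https://update.placeholder-watchlist-domain.test/crx"},
]

if __name__ == "__main__":
    reports = sorted((assess_manifest(m) for m in SAMPLE_MANIFESTS),
                     key=lambda r: r["score"], reverse=True)
    for report in reports:
        print(report["score"], report["name"])
        for finding in report["findings"]:
            print("   -", finding)
```

Run against a real profile with `scan_extension_dir("<path to Chrome profile>/Extensions")` and triage the highest scores first. The permission heuristic will flag legitimate ad blockers and password managers too, so the score is a prioritisation aid for analysts, not a verdict; the watchlist and sideload signals are the ones that should trigger immediate review.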
Based on its findings, the security firm has also called for an enhanced audit of domain registrars as registrars like GalComm “can effectively function like cyber arms-dealers, providing a platform through which criminals and nation-states can deliver malicious sites, tools and extensions without consequences or oversight.”
This isn’t the first time that cyber criminals have used domain registrars to launch campaigns targeting millions of Internet users. A couple of years ago, hackers infiltrated the French domain name registrar and cloud hosting company Gandi and stole login credentials.
The breach allowed the hackers to use at least 751 domains to spread malicious software in ‘drive-by’ style attacks. Once the domains were compromised, visitors to them were redirected to the Keitaro traffic distribution system (TDS). Instead of sending them on to Google, Keitaro TDS redirected visitors to the Rig Exploit Kit, which infected them with malware named Neutrino Bot.