Researchers from Guardio Labs uncovered a new malicious campaign deploying rogue Google Chrome extensions that can hijack browsers. The threat actors push several derivatives of a color customization browser extension and keep them clean during the initial access phase to avoid detection.
Researchers dubbed the campaign “Dormant Colors” due to the nature of the extensions and their lack of malicious code when they’re installed on the target machines.
According to the Guardio Labs report, at least 30 variations of the extension were available for free on the Chrome and Edge web stores by mid-October, including:
The report revealed that the rogue extensions had collectively gathered over 1 million installs. The perpetrators drove a malvertising campaign that interfered with users’ ability to download files or watch videos on certain websites. Upon landing on such a page, victims were urged to install an extension to access the content.
The malvertised extensions look harmless, as they hold no trace of malicious code at install time. However, after installation, the rogue add-ons redirect users to web pages laced with malicious scripts that enable the extensions to hijack the browser and insert affiliate links into webpages.
“This campaign is still up and running, shifting domains, generating new extensions, and re-inventing more color and style-changing functions you can for sure manage without,” reads Guardio Labs’ advisory. “Adding to that, the code injection technique analyzed here is a vast infrastructure for mitigation and evasion and allows leveraging the campaign to even more malicious activities in the future.”
Dedicated software such as Bitdefender Ultimate Security can protect you against malicious browser extensions and other cyberthreats thanks to its extensive list of features, including: