Since February 2024, an unknown threat actor has seeded 100+ malicious Google Chrome extensions that masquerade as legitimate tools ranging from Fortinet VPN clients and DeepSeek AI helpers to generic productivity apps. These extensions are promoted via branded lure websites (e.g., forti‑vpn[.]com, deepseek‑ai[.]link) and published on the Chrome Web Store.
Key Observations
- Excessive Permissions: Each extension requests broad host access, declarativeNetRequest, cookie access, and script injection across all sites.
- Dynamic Code Execution: Extensions fetch encrypted payloads, bypass CSP via an onreset DOM trick, then execute arbitrary JavaScript in user sessions.
- Data Theft & Proxying: Observed commands include dumping all cookies (chrome.cookies.getAll), hijacking sessions, injecting ads/redirects, and establishing WebSocket‑based reverse proxies.
Risks
- Credential and cookie theft leading to account compromise across SaaS platforms.
- Man‑in‑the‑browser traffic manipulation, phishing page injection, and session hijacking.
- Lateral movement by abusing harvested enterprise cookies or tokens for VPN/SaaS portals.
Recommended Actions
- Block & Remove: Blacklist extension IDs and associated domains (IOCs list: https://github.com/DomainTools/SecuritySnacks). Audit fleet for installations and remove immediately.
- Extension Control: Enforce Chrome policies (ExtensionInstallBlocklist, ExtensionInstallAllowlist) permitting only vetted extensions from trusted publishers.
- Least‑Privilege Review: Re‑evaluate existing extensions’ permissions; revoke those requesting broad host access or declarativeNetRequest without justification.
- User Awareness: Train users to verify developer legitimacy, scrutinize permissions, and avoid installing extensions from promotional links.
- Browser Hardening: Enable Chrome Safe Browsing Enhanced Protection and regularly review installed extensions across managed devices.
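The permission profile listed under Key Observations (broad host access plus declarativeNetRequest, cookies and script injection) is exactly what a fleet audit should look for, and the Block & Remove, Extension Control and Least-Privilege Review steps above can be driven by one script. The following is an added example written for this advisory, not tooling from DomainTools or the campaign analysis: it walks a Chrome profile's Extensions directory (the documented <profile>/Extensions/<id>/<version>/manifest.json layout is assumed), flags any extension whose manifest combines broad host access with the risky APIs, checks IDs against a blocklist, and emits the ExtensionInstallBlocklist/ExtensionInstallAllowlist policy body for an allowlist-only posture. The extension IDs, the blocklist and the two sample manifests are constructed placeholders; the real IOC list is the GitHub repository linked above.

```python
"""Audit installed Chrome extensions for the permission profile of this campaign.

Added example for this advisory (not DomainTools' or Google's code).
Assumptions: Chrome's <profile>/Extensions/<id>/<version>/manifest.json layout;
the sample manifests, IDs and blocklist below are constructed placeholders.
"""
import json
import tempfile
from pathlib import Path

# APIs the advisory calls out (cookie dumping, request rewriting, script
# injection). Any one alone can be legitimate; combined with broad host
# access they match the campaign's profile and warrant review.
RISKY_API_PERMISSIONS = {
    "declarativeNetRequest",
    "declarativeNetRequestWithHostAccess",
    "cookies",
    "scripting",
    "webRequest",
    "webRequestBlocking",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_broad_host(pattern: str) -> bool:
    """True when a match pattern grants access to every site."""
    return pattern in BROAD_HOST_PATTERNS


def assess_manifest(manifest: dict, ext_id: str, blocklist: set) -> dict:
    """Return findings for one manifest.json (MV2 and MV3 handled)."""
    perms = set(manifest.get("permissions", []))
    # Optional permissions can be granted later at runtime, so audit them too.
    perms |= set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    hosts |= set(manifest.get("optional_host_permissions", []))
    # Manifest V2 mixes host patterns into "permissions"; split them out.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    api_perms = perms - hosts

    broad = any(is_broad_host(h) for h in hosts)
    risky = api_perms & RISKY_API_PERMISSIONS
    # Content scripts matched against every site are broad injection too.
    for cs in manifest.get("content_scripts", []):
        if any(is_broad_host(m) for m in cs.get("matches", [])):
            broad = True
            risky.add("content_scripts:<all_urls>")

    result = {
        "id": ext_id,
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "blocklisted": ext_id in blocklist,
        "broad_host": broad,
        "risky_permissions": sorted(risky),
    }
    # Known-bad ID, or broad host access combined with a risky API.
    result["flag"] = result["blocklisted"] or (broad and bool(risky))
    return result


def scan_extensions_dir(extensions_dir, blocklist: set) -> list:
    """Walk <Extensions>/<id>/<version>/manifest.json and assess each one."""
    findings = []
    root = Path(extensions_dir)
    if not root.is_dir():
        return findings
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip, do not crash
        findings.append(assess_manifest(manifest, ext_id, blocklist))
    return findings


def build_managed_policy(allowlist_ids) -> dict:
    """Chrome managed-policy body: block every extension except vetted IDs."""
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(allowlist_ids),
    }


# Constructed sample manifests with placeholder IDs (not real extensions).
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "manifest_version": 3,
        "name": "Lure VPN Helper (constructed)",
        "version": "1.0",
        "permissions": ["cookies", "declarativeNetRequest", "scripting", "storage"],
        "host_permissions": ["<all_urls>"],
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "manifest_version": 3,
        "name": "Note Taker (constructed)",
        "version": "2.3",
        "permissions": ["storage"],
        "host_permissions": ["https://notes.example.com/*"],
    },
}
CONSTRUCTED_BLOCKLIST = {"cccccccccccccccccccccccccccccccc"}  # placeholder ID


def demo() -> list:
    """Lay the constructed manifests out like a Chrome profile and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in SAMPLE_MANIFESTS.items():
            d = Path(tmp) / ext_id / (manifest["version"] + "_0")
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return scan_extensions_dir(tmp, CONSTRUCTED_BLOCKLIST)


if __name__ == "__main__":
    for f in demo():
        print(("FLAG " if f["flag"] else "ok   ") + json.dumps(f))
    print(json.dumps(build_managed_policy({"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}), indent=2))
```

On a managed endpoint, point scan_extensions_dir at the profile's Extensions directory (for example under %LOCALAPPDATA%\Google\Chrome\User Data\Default on Windows or ~/.config/google-chrome/Default on Linux) and feed the real blocklist from the IOC repository; the policy dict from build_managed_policy is the body you would deploy through Chrome Enterprise or a managed-policies JSON file once the allowlist of vetted extensions is settled.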
Summary
This campaign continues to demonstrate significant persistence and adaptability. As soon as malicious extensions are identified and removed from the Chrome Web Store, new variants rapidly emerge under different names and publishers. The dynamic nature of this threat emphasizes why continuous monitoring and management of browser extensions is crucial. IT teams must implement robust extension policies, conduct regular audits of approved extensions, and maintain vigilant oversight of browser extension usage across their organizations.