May 27, 2025
By esentry team

Click, Steal, Repeat: Chrome Extensions Doing the Most

A new malware campaign has been uncovered leveraging malicious Chrome extensions that moonlight as both stealer malware and command-and-control (C2) agents. These dual-function tools, masquerading as legitimate browser add-ons, can harvest sensitive data and establish persistent remote control over compromised systems. Their cunning disguise and stealthy functionality are a dangerous combo, especially for users unaware that their browser may be betraying them.

Threat Overview:

Researchers at DomainTools identified a growing trend where malware authors are embedding both stealer and C2 capabilities within browser extensions. These malicious extensions can:

  • Exfiltrate browser data including cookies, login tokens, and browsing history.
  • Maintain persistence by using browser APIs to communicate with attacker infrastructure.
  • Bypass traditional endpoint security due to their seemingly harmless nature.

Once installed, often via phishing, malicious pop-ups, or rogue developer modes, the extension operates quietly, blending into the user's browser environment.

Why This Matters:

Unlike traditional stealers that "smash and grab," these extensions stick around. This persistence means ongoing data leakage, session hijacking, and long-term surveillance. They pose a particularly high risk to organizations relying on browser-based applications for work, especially financial platforms, internal dashboards, and CRM systems.

Technical Details:

  • The malware abuses Chrome’s chrome.storage and chrome.runtime.sendMessage APIs for C2-like communication.
  • It uses developer mode sideloading or compromised Chrome Web Store entries to infect users.
  • Collected data is sent back to attacker-controlled domains, often masquerading as legitimate telemetry services.

Indicators of Compromise (IOCs):

  • Presence of unrecognized or unapproved Chrome extensions.
  • Unusual outbound traffic to obscure domains from browser processes.
  • Users experiencing unexpected logouts, MFA prompts, or session expirations.

Mitigation Recommendations:

  1. Audit extensions installed across enterprise-managed browsers regularly.
  2. Enforce browser extension whitelisting using endpoint protection or browser management policies.
  3. Disable Developer Mode on managed devices to prevent rogue sideloading.
  4. Monitor for suspicious browser activity, especially data exfiltration patterns.
  5. Educate employees to avoid installing unsolicited add-ons, especially from shady pop-ups or unverified links.
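Recommendations 1 and 2 in practice, as an added example that is not from the original post or from DomainTools: a Python script that walks a Chrome profile's Extensions folder, flags any extension ID that is not on an approved list, and flags manifests requesting permissions that expose the cookies, session tokens, history and traffic this campaign steals. The extension IDs, names and manifests are constructed samples; the Extensions/<id>/<version>/manifest.json layout is the one Chrome uses for Web Store installs.

```python
import json
import tempfile
from pathlib import Path

# Permissions that expose what this campaign steals (cookies, tokens, history, traffic); illustrative set.
RISKY_PERMISSIONS = {"cookies", "history", "webRequest", "webRequestBlocking", "tabs", "<all_urls>"}

def load_manifests(extensions_dir):
    """Return [(extension_id, manifest)] from <profile>/Extensions/<id>/<version>/manifest.json."""
    found = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name  # layout is Extensions/<id>/<version>/manifest.json
        found.append((ext_id, json.loads(manifest_path.read_text(encoding="utf-8"))))
    return found

def audit_extensions(extensions_dir, allowlist):
    """Return (extension_id, name, reasons) for extensions off the allowlist or holding risky permissions."""
    findings = []
    for ext_id, manifest in load_manifests(extensions_dir):
        reasons = []
        if ext_id not in allowlist:
            reasons.append("not on allowlist")
        # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        risky = sorted(perms & RISKY_PERMISSIONS)
        if risky:
            reasons.append("risky permissions: " + ", ".join(risky))
        if reasons:
            findings.append((ext_id, manifest.get("name", "?"), reasons))
    return findings

BENIGN_ID = "aaaabbbbccccddddeeeeffffgggghhhh"   # constructed ID, not a real extension
SUSPECT_ID = "ppppoooonnnnmmmmllllkkkkjjjjiiii"  # constructed ID, not a real extension

def build_sample_profile(root=None):
    root = Path(root or tempfile.mkdtemp())
    samples = {  # constructed manifests: one approved add-on and one shaped like the stealer
        BENIGN_ID: {"name": "Corp Notes", "manifest_version": 3, "permissions": ["storage"]},
        SUSPECT_ID: {"name": "Free PDF Helper", "manifest_version": 3, "host_permissions": ["<all_urls>"],
                     "permissions": ["cookies", "webRequest", "storage"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = root / "Extensions" / ext_id / "1.0.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root / "Extensions"

if __name__ == "__main__":
    for ext_id, name, reasons in audit_extensions(build_sample_profile(), {BENIGN_ID}):
        print(f"{ext_id} ({name}): {'; '.join(reasons)}")
```

Unpacked extensions sideloaded through Developer Mode are not stored under Extensions/ but recorded in the profile's Preferences file, so this listing alone will not surface them; that gap is one reason recommendation 3 matters.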