Threat Actors Masquerade as Legitimate Utilities, Impersonating Popular Services to Lure Victims

An unknown threat actor has been creating and distributing malicious Chrome browser extensions since February 2024, with over 100 fake add-ons discovered to date. These seemingly benign utilities have been found to incorporate covert functionality, exfiltrating data, receiving commands, and executing arbitrary code. The extensions, which are available on the Google Chrome Web Store, appear to offer legitimate features such as productivity tools, ad and media creation or analysis assistants, VPN services, and more.
However, upon closer inspection, these extensions have been found to enable credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation. The threat actors have also configured the extensions to grant themselves excessive permissions via the manifest.json file, allowing them to interact with every site visited on the browser, execute arbitrary code retrieved from an attacker-controlled domain, perform malicious redirects, and even inject ads.
One of the tactics used by the threat actors is to create websites that masquerade as legitimate services, such as DeepSeek, Manus, DeBank, FortiVPN, and Site Stats, to entice users into downloading and installing the extensions. Once installed, the add-ons proceed to harvest browser cookies, fetch arbitrary scripts from a remote server, and set up a WebSocket connection to act as a network proxy for traffic routing.
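The two paragraphs above describe the pattern a reviewer should look for in an extension package: a manifest.json that asks for cookie access, traffic interception or proxy control on every site, content scripts matched against all URLs, and a content security policy that permits scripts to be loaded from a remote origin. The following Python script is an added example (not code from the article, DomainTools, or Google) that audits a parsed manifest for exactly those combinations. The two sample manifests are constructed for illustration, the `example-attacker.invalid` host is a placeholder, and the list of high-risk permissions reflects the author's own triage judgment rather than any official classification.

```python
import json

# Permissions that, together with broad host access, let an extension read cookies,
# observe or rewrite traffic, or run code inside every page the user visits.
# This classification is the example's own triage judgment, not a Google list.
HIGH_RISK_PERMISSIONS = {
    "cookies": "read and modify cookies for permitted hosts (session hijacking)",
    "webRequest": "observe every network request",
    "webRequestBlocking": "modify or block network requests in flight",
    "declarativeNetRequest": "rewrite or redirect requests by rule (malicious redirects)",
    "proxy": "route all browser traffic through a chosen proxy",
    "scripting": "inject scripts into pages (DOM manipulation, ad injection)",
    "tabs": "read the URL and title of every open tab",
    "debugger": "attach the DevTools protocol to tabs",
}

# Match patterns that cover every site the browser visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_broad_host(pattern: str) -> bool:
    """True if a match pattern grants access to every origin."""
    return pattern in BROAD_HOST_PATTERNS or pattern.startswith("*://*/")


def audit_manifest(manifest: dict) -> dict:
    """Audit a parsed manifest.json (Manifest V2 or V3) and return structured findings."""
    findings = []
    risky = []
    hosts = list(manifest.get("host_permissions", []))   # Manifest V3 keeps hosts here
    for perm in manifest.get("permissions", []):
        if "://" in perm or perm == "<all_urls>":          # Manifest V2 mixes hosts into permissions
            hosts.append(perm)
        elif perm in HIGH_RISK_PERMISSIONS:
            risky.append(perm)
            findings.append(f"permission '{perm}': {HIGH_RISK_PERMISSIONS[perm]}")

    broad = [h for h in hosts if is_broad_host(h)]
    for host in broad:
        findings.append(f"host permission '{host}' covers every site")

    for script in manifest.get("content_scripts", []):
        for match in script.get("matches", []):
            if is_broad_host(match):
                files = ", ".join(script.get("js", []))
                findings.append(f"content script '{files}' runs on every page via '{match}'")

    # A CSP that whitelists a remote script origin lets the extension pull code at run time.
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):                              # Manifest V3 form
        csp = csp.get("extension_pages", "")
    for directive in csp.split(";"):
        directive = directive.strip()
        if directive.startswith("script-src") and "http" in directive:
            findings.append(f"CSP allows remotely hosted scripts: '{directive}'")

    # The combination the article describes: cookie access plus reach into every site.
    if "cookies" in risky and broad:
        findings.append("CRITICAL: cookie access combined with all-site host access enables session theft")

    return {
        "findings": findings,
        "risky_permissions": risky,
        "broad_hosts": broad,
        # Over-privileged when a dangerous permission is paired with all-site reach.
        "over_privileged": bool(risky and broad),
    }


def audit_manifest_text(text: str) -> dict:
    """Convenience wrapper for the raw contents of a manifest.json file."""
    return audit_manifest(json.loads(text))


# Constructed sample resembling the behaviour described above (not a real extension).
SUSPECT_MANIFEST = {
    "manifest_version": 2,
    "name": "Example Productivity Helper",
    "permissions": ["cookies", "webRequest", "webRequestBlocking", "proxy", "<all_urls>", "storage"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    "content_security_policy": "script-src 'self' https://cdn.example-attacker.invalid; object-src 'self'",
}

# Constructed sample of a minimally privileged extension.
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Note Taker",
    "permissions": ["storage", "activeTab"],
    "host_permissions": [],
}

if __name__ == "__main__":
    for name, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = audit_manifest(manifest)
        print(f"{name}: over_privileged={report['over_privileged']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run against an unpacked extension directory, the wrapper takes the text of its manifest.json; the `over_privileged` flag is deliberately conservative (a dangerous permission alone is reported but only flips the flag when combined with all-site host access), so the findings list, not the flag, is what a reviewer should read.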
Google has taken down the extensions, but the threat actors have set up over 100 fake websites and malicious Chrome extensions. To mitigate the risk, users are advised to stick with verified developers when downloading extensions, review the permissions an extension requests, scrutinize its reviews, and refrain from installing lookalike extensions. It is worth noting, however, that ratings can be manipulated and artificially inflated by filtering out negative user feedback.
DomainTools, a cybersecurity firm, has published an analysis that found evidence of extensions impersonating DeepSeek that redirected users providing low ratings to a private feedback form on the ai-chat-bot[.]pro domain, while sending those providing high ratings to the official Chrome Web Store review page.