Shadypanda Turns Popular Browser Extensions With 4.3 Million...

A threat actor known as ShadyPanda has been linked to a seven-year-long browser extension campaign that has amassed over 4.3 million installations over time.

Five of these extensions started off as legitimate programs before malicious changes were introduced in mid-2024, according to a report from Koi Security, attracting 300,000 installs. These extensions have since been taken down.

"These extensions now run hourly remote code execution – downloading and executing arbitrary JavaScript with full browser access," security researcher Tuval Admoni said in a report shared with The Hacker News. "They monitor every website visit, exfiltrate encrypted browsing history, and collect complete browser fingerprints."

To make matters worse, one of the extensions, Clean Master, was featured and verified by Google at one point. This trust-building exercise allowed the attackers to expand their user base and silently issue malicious updates years later without attracting any suspicion.

Meanwhile, another set of five add-ons from the same publisher is designed to keep tabs on every URL visited by its users, as well as record search engine queries and mouse clicks, and transmit the information to servers located in China. These extensions have been installed about four million times, with WeTab alone accounting for three million installs.

Early signs of malicious activity were said to have been observed in 2023, when 20 extensions on the Chrome Web Store and 125 extensions on Microsoft Edge were published by developers named "nuggetsno15" and "rocket Zhang," respectively. All the identified extensions masqueraded as wallpaper or productivity apps.

"Every web search was redirected through trovi.com – a known browser hijacker," Koi said. "Search queries logged, monetized, and sold. Search results manipulated for profit."

At some point in mid-2024, five extensions, three of which had been operating legitimately for years, were modified to distribute a malicious update that introduced backdoor-like functionality by checking the domain "api.extensionplay[.]com" once every hour to retrieve a JavaScript payload and execute it.

The payload, for its part, is designed to monitor every website visit and send the data in encrypted format to a ShadyPanda server ("api.cleanmasters[.]store"), along with a detailed browser fingerprint. Besides using extensive obfuscation to conceal the functionality, any attempt to access the browser's developer tools causes it to switch to benign

Source: The Hacker News