Two Chrome Extensions Caught Secretly Stealing Credentials From...
Cybersecurity researchers have discovered two malicious Google Chrome extensions with the same name and published by the same developer that come with capabilities to intercept traffic and capture user credentials.
The extensions are advertised as a "multi-location network speed test plug-in" for developers and foreign trade personnel. Both browser add-ons were still available for download at the time of writing. The details of the extensions are as follows -
"Users pay subscriptions ranging from ¥9.9 to ¥95.9 CNY ($1.40 to $13.50 USD), believing they're purchasing a legitimate VPN service, but both variants perform identical malicious operations," Socket security researcher Kush Pandya said.
"Behind the subscription facade, the extensions execute complete traffic interception through authentication credential injection, operate as man-in-the-middle proxies, and continuously exfiltrate user data to the threat actor's C2 [command-and-control] server."
Once unsuspecting users make the payment, they receive VIP status and the extensions auto-enable "smarty" proxy mode, which routes traffic from over 170 targeted domains through the C2 infrastructure.
The extensions work as advertised to reinforce the illusion of a functional product. They perform actual latency tests on proxy servers and display connection status, while keeping users in the dark about their main goal, which is to intercept network traffic and steal credentials.
The interception is implemented through malicious code prepended to two JavaScript files bundled with the extensions, jquery-1.12.2.min.js and scripts.js. The code registers a listener on chrome.webRequest.onAuthRequired so that hard-coded proxy credentials (topfany / 963852wei) are automatically injected into every HTTP authentication challenge across all websites.
"When any website or service requests HTTP authentication (Basic Auth, Digest Auth, or proxy authentication), this listener fires before the browser displays a credential prompt," Pandya explained. "It immediately responds with the hardcoded proxy credentials, completely transparent to the user. The asyncBlocking mode ensures synchronous credential injection, preventing any user interaction."
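The listener pattern described above leaves a static fingerprint in an extension's files. The following triage script is an added example, not code from the article or from Socket's report; it scans extracted extension sources for an onAuthRequired listener in blocking/asyncBlocking mode that answers with literal credentials, and checks whether the manifest grants the permissions such a listener needs. The manifest, script and credential strings it runs on are constructed placeholders.

```javascript
// Added example (not code from the article or from Socket): static triage of Chrome
// extension sources for an onAuthRequired listener in blocking/asyncBlocking mode that
// answers every challenge with literal credentials, plus the permissions it needs.
const RISKY_PERMISSIONS = ['webRequest', 'webRequestAuthProvider', 'proxy'];

// Scan one script for the auth-injection pattern; returns human-readable findings.
function findAuthInjection(source) {
  const findings = [];
  if (/chrome\.webRequest\.onAuthRequired\.addListener\s*\(/.test(source)) {
    findings.push('registers chrome.webRequest.onAuthRequired listener');
    // Only blocking / asyncBlocking listeners may supply credentials themselves.
    if (/["'](?:asyncBlocking|blocking)["']/.test(source)) {
      findings.push('listener runs in blocking/asyncBlocking mode (can answer without a prompt)');
    }
  }
  // A literal authCredentials object means the same secret is sent to every challenge.
  const creds = /authCredentials\s*:\s*\{[^}]*?username\s*:\s*["']([^"']+)["'][^}]*?password\s*:\s*["'][^"']+["']/;
  const m = source.match(creds);
  if (m) findings.push(`hard-coded authCredentials for user "${m[1]}"`);
  return findings;
}

// Combine per-script findings with the manifest's permission set into a verdict.
function triageExtension(manifest, scripts) {
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const riskyPerms = RISKY_PERMISSIONS.filter((p) => perms.includes(p));
  const allHosts = perms.includes('<all_urls>');
  const findings = [];
  for (const [name, src] of Object.entries(scripts)) {
    for (const f of findAuthInjection(src)) findings.push(`${name}: ${f}`);
  }
  const injects = findings.some((f) => f.includes('hard-coded authCredentials'));
  let verdict = 'clean';
  if (injects && riskyPerms.length > 0) verdict = 'credential-injection';
  else if (findings.length > 0) verdict = 'suspicious';
  return { riskyPerms, allHosts, findings, verdict };
}

// Constructed sample modelled on the behaviour the article describes (placeholder secrets).
const SAMPLE_MANIFEST = {
  manifest_version: 3, permissions: ['webRequest', 'webRequestAuthProvider', 'proxy', 'storage'],
  host_permissions: ['<all_urls>'],
};
const SAMPLE_SCRIPT = `chrome.webRequest.onAuthRequired.addListener(
  (details, callback) => {
    callback({ authCredentials: { username: "PLACEHOLDER_USER", password: "PLACEHOLDER_PASS" } });
  }, { urls: ["<all_urls>"] }, ["asyncBlocking"]);`;

console.log(JSON.stringify(triageExtension(SAMPLE_MANIFEST, { 'background.js': SAMPLE_SCRIPT }), null, 2));
```

Run it over an unpacked extension directory by loading manifest.json and each referenced script into the `scripts` map; a `credential-injection` verdict is a strong signal, while `suspicious` means a blocking auth listener that deserves manual review.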
Once users authenticate to a proxy server, the extension configures Chrome's proxy settings using a Proxy Auto-Configuration (PAC) script to implement three modes -
The list of domains includes developer platforms (GitHub, Stack Overflow, Docker), cloud services (Amazon Web Se
Source: The Hacker News