Massive browser hijack: extensions turn Trojan and infect 2.3M Chrome and Edge users


Eighteen extensions had a “squeaky clean” codebase, sometimes for years, until a version bump turned them into dangerous trojans without any user input. Security researchers warn that over 2.3 million users have just been compromised, but there are many more extensions lurking.

Key takeaways:

Before turning malicious, one of the extensions had a Google verified badge, over 800 reviews, and a featured placement on the Chrome Web Store.


Koi Security researchers warn that the “Color Picker, Eyedropper – Geco colorpick” extension is one of the eighteen that were recently updated to include dangerous code.

“This is a carefully crafted Trojan horse that delivers exactly what it promises (a functional color picker) while simultaneously hijacking your browser, tracking every website you visit, and maintaining a persistent command and control backdoor,” the researchers said.

The sophisticated campaign, dubbed RedDirection, has infected over 2.3 million users across Chrome and Edge, making it one of the largest browser hijacking operations.


None of the 18 extensions were malicious from day one. They were popular productivity or entertainment tools, such as emoji keyboards, weather forecasts, video speed controllers, volume boosters, YouTube blockers, dark themes, etc.

“Due to how Google and Microsoft handle browser extension updates, these malicious versions auto-installed silently,” the report explains.

“No phishing. No social engineering. Just trusted extensions with quiet version bumps that turned productivity tools into surveillance malware.”

The threat actor successfully abused big tech’s platforms to amplify their malware reach, while verification processes failed to detect malicious changes.


What does this Trojan do?

The malicious code activates on every new page the user opens and monitors browsing in the background. Its goal is to redirect users to attacker-chosen websites, potentially phishing pages that mimic the site they meant to visit.

On each visit the extension captures the URL of the page, sends it to a remote attacker-controlled command and control (C2) server along with a unique identifier, and waits for the reply. If the server returns a redirect URL, the extension silently sends the browser there instead, which can lead to further compromise. Because the server makes that decision on every request, an installation can behave benignly for as long as the attacker wants and start redirecting at any moment.

At the same time, each of the eighteen devious extensions works as advertised: they pick colors, control video speed, boost volume, etc.


Attackers can abuse this in-browser man-in-the-middle position at any moment. They can redirect users to download a “critical Zoom update” when they receive a Zoom meeting invitation, or to a pixel-perfect replica of their bank’s login page to steal credentials.

Each extension operated with separate domains, giving the appearance of separate developers behind them. However, they shared the same centralized attack infrastructure.

Koi Security researchers urge the immediate deletion of the following extensions from Chrome and Edge.


Chrome:

  • Emoji keyboard online – copy&paste your emoji
  • Free Weather Forecast
  • Video Speed Controller – Video Manager
  • Unlock Discord – VPN Proxy to Unblock Discord Anywhere
  • Dark Theme – Dark Reader for Chrome
  • Volume Max – Ultimate Sound Booster
  • Unblock TikTok – Seamless Access with One-Click Proxy
  • Unlock YouTube VPN
  • Color Picker, Eyedropper – Geco colorpick
  • Weather

Edge:

  • Unlock TikTok
  • Volume Booster – Increase your sound
  • Web Sound Equalizer
  • Header Value
  • Flash Player – games emulator
  • Youtube Unblocked
  • SearchGPT – ChatGPT for Search Engine
  • Unlock Discord

While the malicious extensions seem to have been removed from stores, some of the attacker-controlled domains listed among the indicators of compromise in the report are still active and advertising malicious tools.

What do you do if you find a malicious extension?

Beyond removing the extension, mitigation includes clearing browser data to remove any stored malicious links and tracking identifiers, running a full system malware scan to identify additional infections, and monitoring accounts for suspicious activity.

Malwarebytes, a security firm, urges affected users to clear all browsing data, including history, cookies, cached files, and site data, to remove any tracking identifiers or session tokens that may have been stolen or set by malicious extensions. You also want to reset any potentially compromised credentials.


Malwarebytes shares advice for users, as follows:

  • Reset your browser settings to default to undo any changes the extension may have made to your search engine, homepage, or other settings. Look for signs like unexpected redirects, changed search engines, or new toolbars.
  • Immediately change passwords for accounts that you visited while the malicious extension was installed (such as online banking). Make sure you are using a reliable password manager that generates long and complex passwords which are hard to crack.
  • Enable two-factor authentication (2FA) where possible for added protection.
  • Monitor accounts for suspicious activity.
  • Check your email and text messages for security alerts or notifications about unauthorized access. Beware of scammers sending fake alerts, too.
  • Make sure your browser and remaining extensions are up to date.
  • Run a full system scan with an antivirus solution.

“If an extension asks for additional permissions after an update, that’s a good reason to look closely at what it requires and if that makes sense for the reason you’re using the extension,” the firm said.

Attackers also constantly develop or buy other extensions and keep them benign for now, which security researchers refer to as “sleeper agents” held back for future malicious activity. Malwarebytes Labs shared an example of malicious extensions that posed as a search tool for ChatGPT and were available for months before turning malicious.

Any browser that supports extensions can be targeted.

Security experts suggest that users review all installed extensions and remove unwanted add-ons. Look for similar suspicious behaviour – a previously trusted extension can change hands and turn malicious with a single update.