Unknown cybercriminals have been distributing malicious extensions since February 2024.
“The actor creates websites that masquerade as legitimate services, productivity tools, ad and media creation or analysis assistants, VPN services, Crypto, banking and more to direct users to install corresponding malicious extensions on Google’s Chrome Web Store (CWS),” – DTI.
Some of the identified malicious websites impersonate legitimate products and services, including DeepSeek, Manus, DeBank, FortiVPN, YouTube, and Site Stats. After the installation, dual-function extensions start collecting cookies from the browser, retrieving arbitrary scripts from remote servers, and establishing WebSocket connections in order to proxy and route traffic.

The extensions appear to have working or partially working functionality; however, they also steal credentials and cookies, hijack sessions, inject ads into the browser, create malicious redirects, manipulate traffic, and perform phishing by manipulating document object models (DOMs).
In addition, the malicious extensions attempt to grant themselves excessive permissions in the manifest.json file to interact with every site the browser visits and retrieve and execute arbitrary code from a network of other actor-controlled domains.
To bypass CSP (Content Security Policy) and execute malicious code, the extensions use the onreset event handler in the DOM.
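The manifest traits described above (broad host access, cookie and traffic permissions, a relaxed CSP) are what a defender checks first when triaging a suspicious extension. The following helper is an added example, not code from the DomainTools report; the permission names are real Chrome extension permissions, while the sample manifest is constructed for illustration.

```python
# Added triage helper (not from the DTI report): flags manifest.json traits
# that match the dual-function extensions described in the article.
import json

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension read cookies, observe or proxy traffic,
# or inject scripts into every page the user visits.
RISKY_PERMISSIONS = {
    "cookies": "can read session cookies for every matched host",
    "webRequest": "can observe and modify HTTP traffic",
    "webRequestBlocking": "can block or redirect HTTP requests",
    "proxy": "can route browser traffic through attacker-chosen hosts",
    "scripting": "can inject scripts into pages",
    "declarativeNetRequest": "can rewrite or redirect requests",
}

def triage_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for a parsed manifest.json."""
    findings = []
    perms = manifest.get("permissions", [])
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 declared host access inside "permissions" as well.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    if hosts & BROAD_HOSTS:
        findings.append(f"broad host access: {sorted(hosts & BROAD_HOSTS)}")
    for perm, why in RISKY_PERMISSIONS.items():
        if perm in perms:
            findings.append(f"permission '{perm}': {why}")
    if manifest.get("manifest_version", 3) < 3:
        findings.append("manifest_version 2: remotely hosted code is still allowed")
    csp = manifest.get("content_security_policy")
    if isinstance(csp, dict):  # MV3 form: {"extension_pages": "..."}
        csp = csp.get("extension_pages", "")
    if csp and ("'unsafe-eval'" in csp or "http" in csp):
        findings.append(f"relaxed CSP: {csp}")
    return findings

# Constructed sample resembling the dual-function extensions described above.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Example VPN Helper",
  "version": "1.0",
  "permissions": ["cookies", "proxy", "scripting", "storage"],
  "host_permissions": ["<all_urls>"]
}""")

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```

A manifest that only asks for `storage` produces no findings; the sample above yields four (broad host access plus the cookies, proxy and scripting permissions).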
It’s still unclear how victims are lured to the rogue websites, but DTI researchers assume that common methods are used for this purpose, including phishing and social media posts.
The cybercriminals behind this campaign remain unknown; however, the Chrome Web Store has removed several of the actor’s malicious extensions after they were identified as malware.
The complete list of malicious domains advertising dual-function extensions is available in the DomainTools repository on GitHub.