A multi-year malicious campaign leverages dozens of Microsoft Edge and Chrome extensions to steal data from and compromise millions of victims worldwide.
Dubbed ShadyPanda, the hacking campaign utilizes at least 145 browser extensions to steal browsing data, spy on users, harvest credentials, and perform remote code execution (RCE).
According to cybersecurity researchers at Koi Security, the malicious extensions were infected during staged updates.
After months of meticulously building user trust, the malicious add-ins received positive ratings on Chrome Web Store. Some even earned the “Featured” and “Verified” statuses on the web stores before the attackers pushed a malicious update.
Malicious Chrome extensions infect 4.3 million users.
The malicious Chrome extensions market themselves as wallpaper or productivity tools, attracting 4.3 million Chrome and Edge users.
Chrome Web Store publisher nuggetsno15 listed 20 malicious browser extensions, while Rocket Zhang published the vast majority on the Microsoft Edge Add-ons marketplace.
According to the researchers, the ShadyPanda malicious campaign started as a simple affiliate fraud scheme to monetize users’ browsing data.
It injected affiliate codes whenever a user clicked on e-commerce platforms such as eBay, Amazon, or Booking.com, subsequently earning illegitimate commissions on every purchase. They also injected Google Analytics code to harvest and sell users’ browsing data.
Over time, ShadyPanda evolved to more sophisticated cyber attacks, including remote code execution and cookie and credential harvesting.
Popular browser extensions propel ShadyPanda hacking campaign to new heights.
In early 2024, the malicious Chrome extensions, such as the Infinity V+ add-on, began shifting away from the pesky affiliate fraud campaign. They increasingly began taking control of the browser by hijacking core functionality for easy manipulation.
Some began redirecting users to a known browser hijacker, trovi[.]com, to manipulate and log search queries for monetization.
They also started exfiltrating cookies from specific domains and sending them to a tracking domain nossl[.]dergoodting[.]com to create user search profiles without consent.
Additionally, they started logging keystrokes, partial queries, and typos to predict users’ interests and create their thinking patterns for manipulation.
However, their malicious activities started becoming apparent as they sent the harvested data over an unencrypted HTTP connection. Consequently, some malicious Edge and Chrome extensions were reported and removed from their respective web stores.
“ShadyPanda was learning and getting more aggressive,” the researchers explained. “But they were still getting caught. Extensions were being reported and removed within weeks or months of deployment.”
Malicious Chrome extensions on steroids.
After accumulating users, some malicious Chrome extensions, such as Clean Master with over 200,000 installs, pushed a malicious update in mid-2024 that further enhanced their malicious capabilities.
Koi Security researchers identified at least five browser extensions running the same malware variant, suggesting that the update was highly synchronized after months of potential user and version tracking.
The infected browser extensions began running hourly checks to download new instructions from the threat actor’s command-and-control (C2) domain, api.extensionplay[.]com, and execute arbitrary JavaScript, resulting in full-blown remote code execution.
The RCE capabilities could have enabled the threat actors to create a reverse shell and perform various actions, from cyber espionage and credential and data exfiltration to ransomware deployment.
The browser extensions could also execute Man-in-the-Middle (MitM) attacks to modify network traffic and inject data into any web request to achieve the threat actor’s objectives.
The MitM capability could enable attackers to modify wallet addresses, resulting in cryptocurrency being sent to addresses other than the one displayed on the user interface.
Google removes malicious Chrome extensions, but many are still active.
One of the most prevalent Edge extensions, WeTab, with over 3 million installs, exemplified the ShadyPanda hacking campaign. At the time of publication, Google had removed all the malicious browser extensions, while some were still available for download on the Edge add-ins store.
In addition, they remained installed on users’ browsers, enabling them to continue exfiltrating data and performing RCE long after they were no longer available for download.
Meanwhile, raising awareness is one of the simplest defenses. Sharing this article could help protect others from the ShadyPanda and similar hacking campaigns, making the web safer for everyone.
Leave a Reply