Browser Extensions
Browser extensions or plugins are small programs that can add functionality and customize aspects of internet browsers. They can be installed directly or through a browser's app store. Extensions generally have access and permissions to everything that the browser can access. [1] [2]
Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores, so it may not be difficult for malicious extensions to defeat automated scanners and be uploaded. [3] Once the extension is installed, it can browse to websites in the background, [4] [5] steal all information that a user enters into a browser, including credentials, [6] [7] and be used as an installer for a RAT for persistence. There have been instances of botnets using a persistent backdoor through malicious Chrome extensions. [8] There have also been similar examples of extensions being used for command & control. [9]
Procedure Examples
| Name | Description |
|---|---|
| Kimsuky | Kimsuky has used a Google Chrome extension to infect victims and steal passwords and cookies from their browsers.[14] |
| OSX/Shlayer | OSX/Shlayer can install malicious Safari browser extensions to serve ads.[11][12] |
| Stolen Pencil | Stolen Pencil victims are prompted to install malicious Google Chrome extensions which gave the threat actor the ability to read data from any website accessed.[13] |
Mitigations
| Mitigation | Description |
|---|---|
| Audit | Ensure extensions that are installed are the intended ones as many malicious extensions will masquerade as legitimate ones. |
| Execution Prevention | Set a browser extension white or black list as appropriate for your security policy.[10] |
| Limit Software Installation | Only install browser extensions from trusted sources that can be verified. Browser extensions for some browsers can be controlled through Group Policy. Change settings to prevent the browser from installing extensions without sufficient permissions. |
| User Training | Close out all browser sessions when finished using them to prevent any potentially malicious extensions from continuing to run. |
Detection
Inventory and monitor browser extension installations that deviate from normal, expected, and benign extensions. Process and network monitoring can be used to detect browsers communicating with a C2 server. However, this may prove to be a difficult way of initially detecting a malicious extension depending on the nature and volume of the traffic it generates.
Monitor for any new items written to the Registry or PE files written to disk that may correlate with browser extension installation.
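The inventory step described above, as an added example that is not part of the original page: it reads each manifest.json under a Chrome profile's Extensions directory, assuming the `<extension id>/<version>/manifest.json` layout, and reports every extension missing from an approved list, noting look-alike names and all-site host access. The function names, the allowlist and the sample manifests are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Host patterns that let an extension read data on every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def inventory_extensions(extensions_dir):
    """Parse <extensions_dir>/<extension id>/<version>/manifest.json (Chrome layout)."""
    inventory = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            data = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            data = None
        data = data if isinstance(data, dict) else {"name": "<unreadable manifest>"}
        patterns = list(data.get("permissions") or []) + list(data.get("host_permissions") or [])
        for script in data.get("content_scripts") or []:
            patterns += script.get("matches", []) if isinstance(script, dict) else []
        broad = sorted({p for p in patterns if isinstance(p, str) and p in BROAD_HOSTS})
        inventory.append({"id": path.parts[-3], "name": str(data.get("name", "")), "broad_hosts": broad})
    return inventory

def audit(inventory, approved):
    """Report extensions whose id is not in approved (id -> name); __MSG_ names are not resolved."""
    approved_names = {name.lower() for name in approved.values()}
    findings = []
    for ext in (e for e in inventory if e["id"] not in approved):
        reasons = ["id not on allowlist"]
        if ext["name"].lower() in approved_names:
            reasons.append("reuses the name of an approved extension")
        if ext["broad_hosts"]:
            reasons.append("can read all sites: " + ", ".join(ext["broad_hosts"]))
        findings.append({"id": ext["id"], "name": ext["name"], "reasons": reasons})
    return findings

def write_sample_profile(root):
    """Constructed sample: an approved extension and a look-alike with a different id."""
    for ext_id, perms in (("a" * 32, ["storage"]), ("b" * 32, ["cookies", "<all_urls>"])):
        version_dir = Path(root) / ext_id / "1.0.0_0"
        version_dir.mkdir(parents=True)
        manifest = {"name": "Corp Password Manager", "manifest_version": 2, "permissions": perms}
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_profile(tmp)
        print(audit(inventory_extensions(tmp), {"a" * 32: "Corp Password Manager"}))
```

Run on a schedule against each profile's Extensions directory and compare successive results to see new installations as they appear.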
References
- [1] Wikipedia. (2017, October 8). Browser Extension. Retrieved January 11, 2018.
- [2] Chrome. (n.d.). What are Extensions?. Retrieved November 16, 2017.
- [3] Jagpal, N., et al. (2015, August). Trends and Lessons from Three Years Fighting Malicious Extensions. Retrieved November 17, 2017.
- [4] Brinkmann, M. (2017, September 19). First Chrome extension with JavaScript Crypto Miner detected. Retrieved November 16, 2017.
- [5] De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL BUSINESSES. Retrieved January 17, 2018.
- [6] Marinho, R. (n.d.). (Banker(GoogleChromeExtension)).targeting. Retrieved November 18, 2017.
- [7] Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension Steals All Posted Data. Retrieved November 16, 2017.
- [8] Vachon, F., Faou, M. (2017, July 20). Stantinko: A massive adware campaign operating covertly since 2012. Retrieved November 16, 2017.
- [9] Kjaer, M. (2016, July 18). Malware in the browser: how you might get hacked by a Chrome extension. Retrieved November 22, 2017.
- [10] Mohta, A. (n.d.). Block Chrome Extensions using Google Chrome Group Policy Settings. Retrieved January 10, 2018.
- [11] Vrijenhoek, Jay. (2018, April 24). New OSX/Shlayer Malware Variant Found Using a Dirty New Trick. Retrieved September 6, 2019.
- [12] Reed, Thomas. (2018, April 24). New Crossrider variant installs configuration profiles on Macs. Retrieved September 6, 2019.
- [13] ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
- [14] Cimpanu, C. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.