Browser Extensions

Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.[1][2]

Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.[3] Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.

Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.[4]

Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.[5][6][7][8]

There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions for Command and Control.[9][10] Adversaries may also use browser extensions to modify browser permissions and components, privacy settings, and other security controls for Defense Evasion.[11][12]

ID: T1176
Sub-techniques:  No sub-techniques
Tactic: Persistence
Platforms: Linux, Windows, macOS
Contributors: Chris Ross @xorrior; Justin Warner, ICEBRG; Manikantan Srinivasan, NEC Corporation India
Version: 1.3
Created: 16 January 2018
Last Modified: 18 April 2024

Procedure Examples

ID Name Description
S0482 Bundlore

Bundlore can install malicious browser extensions that are used to hijack user searches.[13]

S0531 Grandoreiro

Grandoreiro can use malicious browser extensions to steal cookies and other user information.[14]

G0094 Kimsuky

Kimsuky has used Google Chrome browser extensions to infect victims and to steal passwords and cookies.[15][16]

S1122 Mispadu

Mispadu utilizes malicious Google Chrome browser extensions to steal financial data.[17]

S0402 OSX/Shlayer

OSX/Shlayer can install malicious Safari browser extensions to serve ads.[18][19]

Mitigations

ID Mitigation Description
M1047 Audit

Ensure extensions that are installed are the intended ones as many malicious extensions will masquerade as legitimate ones.

M1038 Execution Prevention

Set a browser extension allow or deny list as appropriate for your security policy. [20]

M1033 Limit Software Installation

Only install browser extensions from trusted sources that can be verified. Browser extensions for some browsers can be controlled through Group Policy. Change settings to prevent the browser from installing extensions without sufficient permissions.

M1051 Update Software

Ensure operating systems and browsers are using the most current version.

M1017 User Training

Close out all browser sessions when finished using them to prevent any potentially malicious extensions from continuing to run.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments for usage of the profiles tool, such as profiles install -type=configuration.

DS0022 File File Creation

Monitor for newly constructed files and/or all installed extensions maintain a plist file in the /Library/Managed Preferences/username/ directory. Ensure all listed files are in alignment with approved extensions

DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

DS0009 Process Process Creation

Monitor for newly executed processes that could be used to abuse internet browser extensions to establish persistence.

DS0024 Windows Registry Windows Registry Key Creation

Monitor for any new items written to the Registry or PE files written to disk. That may correlate with browser extension installation.

References