Three Chrome extensions masquerading as VPNs have been identified as malicious after being downloaded 1.5 million times; once installed they act as browser hijackers, cashback-hijacking tools, and data stealers. Discovered by ReasonLabs, the extensions were distributed through an installer hidden in pirated copies of popular video games such as Grand Theft Auto and The Sims 4, sourced from torrent sites. ReasonLabs notified Google and the extensions were removed from the Chrome Web Store, but by then the malicious plugins had already amassed a significant user base.
The malicious extensions are netPlus, with 1 million installs, and netSave and netWin, with 500,000 installs each. ReasonLabs found that the installer, embedded in over a thousand torrent files, deploys the VPN extensions at the registry level, so no user interaction is required. Because the malware was spread through torrents of popular video games, infections were concentrated in Russia, Ukraine, Kazakhstan, and Belarus. The installer, an Electron app between 60MB and 100MB in size, first checks for antivirus software and then delivers netSave on Google Chrome and netPlus on Microsoft Edge.
The extensions present a realistic VPN user interface, including some functionality and a paid subscription option, creating a false sense of authenticity. The extensions possess extensive permissions, including access to “tabs,” “storage,” “proxy,” “webRequest,” and more, allowing them to interact with web pages’ DOM (Document Object Model) stealthily. This level of access enables the extensions to steal sensitive user data, perform browsing hijacks, manipulate web requests, and disable other installed extensions. The malware also targets over 100 cashback extensions, disabling competitors and redirecting profits to the attackers.
The communication between the extensions and their command-and-control servers carries instructions to the extensions, victim identification, and exfiltrated sensitive data. The incident underscores the security risks of browser extensions and the importance of regularly reviewing installed extensions and monitoring user reviews for signs of abuse.
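The permission set quoted above ("tabs", "storage", "proxy", "webRequest" and the like) and the closing advice to review installed extensions both come down to the same defensive check: look at what each installed extension's manifest actually requests. The script below is an added example, not ReasonLabs' tooling or anything recovered from netPlus, netSave or netWin. It parses extension manifests, flags the permissions that let an extension observe or rewrite traffic, route the browser through a proxy, or disable other extensions, and ranks the results by a risk weighting that is this example's own assumption rather than a published scheme. The two sample manifests embedded in it are constructed for illustration; the extension names in them are made up.

```python
"""Audit Chrome/Edge extension manifests for high-risk permissions.

Added example (not ReasonLabs' code). Risk weights and the sample
manifests are assumptions constructed for this illustration.
"""
import json
import os
from typing import Dict, Iterator, List, Tuple

# Permissions that let an extension see every tab, observe or rewrite every
# request, redirect traffic through a proxy, or disable other extensions.
# Weights are this example's assumption, not a published scoring scheme.
RISK_WEIGHTS: Dict[str, int] = {
    "proxy": 4,                # can route all browser traffic elsewhere
    "webRequest": 3,           # can observe every request
    "webRequestBlocking": 4,   # can modify or cancel every request (MV2)
    "declarativeNetRequest": 3,
    "management": 4,           # can disable competing extensions
    "tabs": 2,                 # can read the URL of every open tab
    "cookies": 3,
    "storage": 1,
    "scripting": 2,
    "<all_urls>": 4,           # host permission on every site
}
ALERT_THRESHOLD = 8           # assumed cut-off for a manual review

BROAD_HOST_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def audit_manifest(manifest: dict) -> dict:
    """Return the risky permissions an extension requests plus a risk score."""
    requested = set(manifest.get("permissions", []))
    requested |= set(manifest.get("optional_permissions", []))
    requested |= set(manifest.get("host_permissions", []))   # Manifest V3
    # A match pattern covering every site is equivalent to <all_urls>.
    if any(p in BROAD_HOST_PATTERNS for p in requested):
        requested.add("<all_urls>")
    flagged = sorted(p for p in requested if p in RISK_WEIGHTS)
    score = sum(RISK_WEIGHTS[p] for p in flagged)
    return {
        "name": manifest.get("name", "<unnamed>"),
        "version": manifest.get("version", "?"),
        "flagged": flagged,
        "score": score,
        "alert": score >= ALERT_THRESHOLD,
    }


def iter_manifests(extensions_root: str) -> Iterator[Tuple[str, dict]]:
    """Yield (path, manifest) for every manifest.json below a profile's
    Extensions directory (<root>/<extension id>/<version>/manifest.json)."""
    for dirpath, _dirs, files in os.walk(extensions_root):
        if "manifest.json" not in files:
            continue
        path = os.path.join(dirpath, "manifest.json")
        try:
            with open(path, encoding="utf-8") as fh:
                yield path, json.load(fh)
        except (OSError, ValueError):
            continue   # unreadable or malformed manifest: skip, keep going


def audit_directory(extensions_root: str) -> List[dict]:
    """Audit every extension under extensions_root, riskiest first."""
    results = []
    for path, manifest in iter_manifests(extensions_root):
        report = audit_manifest(manifest)
        report["path"] = path
        results.append(report)
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample manifests (not the real netPlus/netSave/netWin manifests).
BENIGN_NOTES = {
    "name": "Sticky Notes (sample)",
    "version": "1.0",
    "manifest_version": 3,
    "permissions": ["storage"],
}
FAKE_VPN = {
    "name": "FreeVPN Plus (sample)",
    "version": "2.3",
    "manifest_version": 2,
    "permissions": ["tabs", "storage", "proxy", "webRequest",
                    "webRequestBlocking", "management", "<all_urls>"],
}

if __name__ == "__main__":
    import sys
    # With a path argument, audit a real profile; otherwise run the samples.
    reports = (audit_directory(sys.argv[1]) if len(sys.argv) > 1
               else [audit_manifest(BENIGN_NOTES), audit_manifest(FAKE_VPN)])
    for r in reports:
        mark = "ALERT" if r["alert"] else "ok   "
        print(f"{mark} {r['name']} v{r['version']} score={r['score']} {r['flagged']}")
```

Run without arguments to see the two constructed samples scored; pass a profile's Extensions directory (on Windows typically `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`, or the matching Edge path) to audit what is actually installed. A legitimate VPN extension will also request "proxy", so a high score is a prompt for a manual look at the publisher, install source and user reviews, not a verdict on its own; "management" combined with broad host permissions is the combination that matches the extension-disabling and traffic-manipulating behaviour described above.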