Skip to content

T1176 Browser Extensions

Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser’s app store and generally have access and permissions to everything that the browser can access.103

Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.5 Depending on the browser, adversaries may also manipulate an extension’s update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.

Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.2

Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.1487

There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.9 There have also been similar examples of extensions being used for command & control.6

Item Value
ID T1176
Sub-techniques
Tactics TA0003
Platforms Linux, Windows, macOS
Version 1.2
Created 16 January 2018
Last Modified 20 April 2022

Procedure Examples

ID Name Description
S0482 Bundlore Bundlore can install malicious browser extensions that are used to hijack user searches.12
S0531 Grandoreiro Grandoreiro can use malicious browser extensions to steal cookies and other user information.15
G0094 Kimsuky Kimsuky has used Google Chrome browser extensions to infect victims and to steal passwords and cookies.1617
S0402 OSX/Shlayer OSX/Shlayer can install malicious Safari browser extensions to serve ads.1314

Mitigations

ID Mitigation Description
M1047 Audit Ensure extensions that are installed are the intended ones as many malicious extensions will masquerade as legitimate ones.
M1038 Execution Prevention Set a browser extension allow or deny list as appropriate for your security policy. 11
M1033 Limit Software Installation Only install browser extensions from trusted sources that can be verified. Browser extensions for some browsers can be controlled through Group Policy. Change settings to prevent the browser from installing extensions without sufficient permissions.
M1051 Update Software Ensure operating systems and browsers are using the most current version.
M1017 User Training
Close out all browser sessions when finished using them to prevent any potentially malicious extensions from continuing to run.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Creation
DS0029 Network Traffic Network Connection Creation
DS0009 Process Process Creation
DS0024 Windows Registry Windows Registry Key Creation

References


  1. Brinkmann, M. (2017, September 19). First Chrome extension with JavaScript Crypto Miner detected. Retrieved November 16, 2017. 

  2. Chris Ross. (2019, February 8). No Place Like Chrome. Retrieved April 27, 2021. 

  3. Chrome. (n.d.). What are Extensions?. Retrieved November 16, 2017. 

  4. De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL BUSINESSES. Retrieved January 17, 2018. 

  5. Jagpal, N., et al. (2015, August). Trends and Lessons from Three Years Fighting Malicious Extensions. Retrieved November 17, 2017. 

  6. Kjaer, M. (2016, July 18). Malware in the browser: how you might get hacked by a Chrome extension. Retrieved November 22, 2017. 

  7. Marinho, R. (n.d.). “Catch-All” Google Chrome Malicious Extension Steals All Posted Data. Retrieved November 16, 2017.

  8. Marinho, R. (n.d.). (Banker(GoogleChromeExtension)).targeting. Retrieved November 18, 2017. 

  9. Vachon, F., Faou, M. (2017, July 20). Stantinko: A massive adware campaign operating covertly since 2012. Retrieved November 16, 2017. 

  10. Wikipedia. (2017, October 8). Browser Extension. Retrieved January 11, 2018. 

  11. Mohta, A. (n.d.). Block Chrome Extensions using Google Chrome Group Policy Settings. Retrieved January 10, 2018. 

  12. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020. 

  13. Vrijenhoek, Jay. (2018, April 24). New OSX/Shlayer Malware Variant Found Using a Dirty New Trick. Retrieved September 6, 2019. 

  14. Reed, Thomas. (2018, April 24). New Crossrider variant installs configuration profiles on Macs. Retrieved September 6, 2019. 

  15. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020. 

  16. Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019. 

  17. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.