A few weeks ago, we covered DarkSpectre, a threat actor responsible for running numerous spyware campaigns that, combined, infected at least 8.8 million Google Chrome, Mozilla Firefox, and Microsoft Edge users. One of the key ways this was done was through malicious extensions that had legitimate functionality (at least initially) before being updated with spyware functions, which led researchers at Koi to dub them "sleeper extensions."
In the time since, security researchers at LayerXSecurity have discovered 17 additional extensions that follow the scheme of DarkSpectre’s "GhostPoster" campaign of spyware extensions. We’ve listed the identified extensions below, and combined they’ve racked up an additional 840K installs across Chrome, Firefox, and Edge. The research also indicates an evolution in DarkSpectre’s tactics, "suggesting ongoing experimentation and adaptation" to attempts by researchers and security software to uncover and remove these extensions.
The good news is that the offending extensions have been reported to Microsoft, Google, and Mozilla, and removed from their respective extension web stores. The bad news is that this does not automatically remove the extensions from your computer, and many affected users may still be infected without knowing it.
One example extension, Instagram Downloader for Firefox, got at least 3822 installs across desktop and mobile before being taken down.
Compromised Extensions
- AdBlocker
- Ads Block Ultimate
- Amazon Price History
- Color Enhancer
- Convert Everything
- Cool Cursor
- Floating Player — PiP Mode
- Full Page Screenshot
- Google Translate In Right Click
- Instagram Downloader
- One Key Translate
- Page Screenshot Clipper
- RSS Feed
- Save Image to Pinterest on Right Click
- Translate Selected Text with Google
- Translate Selected Text with Right Click
- Youtube Download
Note: Some offending extensions are duplicates of safe extensions. The offending extensions have been delisted from their respective web stores, so if you’re unsure or worried about losing functionality, just replace the extension with an equivalent that is currently safe.
The malicious extensions were first uncovered by LayerXSecurity in a deep dive into the code and scale of these attacks, but Malwarebytes has also covered this further development in the DarkSpectre story and recommended its Deep Scan functionality for finding these and other malicious extensions on your machine.
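Because delisting does not uninstall anything, a local check is useful. The following is an added example, not code from LayerXSecurity, Malwarebytes, or this article: it scans a Chromium-style `Extensions` folder (the on-disk layout Chrome and Edge use; Firefox stores add-ons differently and is not covered) for installed extensions whose names match the list above. The function names, the sample IDs, and the "Notes Pad" extension are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Names from the list above. The page gives no extension IDs, so a name match
# is a lead for manual review, not proof of compromise.
FLAGGED = {n.casefold() for n in (
    "AdBlocker", "Ads Block Ultimate", "Amazon Price History", "Color Enhancer",
    "Convert Everything", "Cool Cursor", "Floating Player — PiP Mode",
    "Full Page Screenshot", "Google Translate In Right Click", "RSS Feed",
    "Instagram Downloader", "One Key Translate", "Page Screenshot Clipper",
    "Save Image to Pinterest on Right Click", "Youtube Download",
    "Translate Selected Text with Google", "Translate Selected Text with Right Click")}

def display_name(version_dir):
    """Manifest name, with a __MSG_key__ placeholder resolved (case-insensitively)."""
    manifest = json.loads((version_dir / "manifest.json").read_text("utf-8-sig"))
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        path = version_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        msgs = {k.casefold(): v for k, v in json.loads(path.read_text("utf-8-sig")).items()}
        return msgs.get(name[6:-2].casefold(), {}).get("message", name)
    return name

def find_flagged(extensions_root):
    """Scan <profile>/Extensions/<id>/<version>/ and return sorted (id, name) hits."""
    hits = set()
    for manifest in Path(extensions_root).glob("*/*/manifest.json"):
        try:
            name = display_name(manifest.parent)
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed extension directory
        if name.strip().casefold() in FLAGGED:
            hits.add((manifest.parent.parent.name, name))
    return sorted(hits)

def build_sample(root):  # constructed sample profile, not real data
    files = {"a" * 32 + "/1.0_0/manifest.json": {"name": "Cool Cursor"},
             "b" * 32 + "/1.0_0/manifest.json": {"name": "__MSG_appName__", "default_locale": "en"},
             "b" * 32 + "/1.0_0/_locales/en/messages.json": {"appname": {"message": "RSS Feed"}},
             "c" * 32 + "/1.0_0/manifest.json": {"name": "Notes Pad"}}
    for rel, content in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(content), "utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(find_flagged(build_sample(tmp)))
```

To check a real machine, pass the `Extensions` directory of each browser profile to `find_flagged`, then review every hit by hand, since some legitimate extensions share these names.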
As always, the war against spyware and other forms of malware operates on multiple fronts and requires due diligence from modern internet users—but especially power users more likely to install extensions and applications that could be compromised like this.
Image Credit: LayerXSecurity

Christopher Harper is a tech writer with over a decade of experience writing how-tos and news. Off work, he stays sharp with gym time & stylish action games.