Trojanized Chrome Extensions | dmpdump

The article discusses a security breach at CyberHaven, where a phishing attack led to the deployment of a trojanized Chrome extension. The malicious extension was used to exfiltrate sensitive data from users by manipulating Chrome’s storage and communication mechanisms. This incident highlights the risks associated with browser-based threats and the growing relevance of malicious browser extensions.

Affected: CyberHaven, Chrome users

Key points:

  • CyberHaven, a DLP security company, was breached on December 26, 2024, due to a phishing attack.
  • A malicious Google OAuth application titled “Privacy Policy” was created to access Chrome Web Store Extensions.
  • The threat actor published a trojanized version of the CyberHaven extension, allowing data exfiltration.
  • Malicious code was embedded in content scripts and a modified worker script of the extension.
  • Key functionality included harvesting sensitive information, such as tokens and user IDs, from the URLs of visited pages.
  • IP addresses associated with the malicious extension were identified as part of a broader infrastructure.
  • Operational behaviors include communication with a command and control (C2) infrastructure for configurations.

MITRE Techniques:

  • Tactic: Credential Access (TA0006) – Procedure: The trojanized extension collected sensitive data including user IDs and tokens.
  • Tactic: Exfiltration (TA0010) – Procedure: Exfiltration of sensitive data through communication with a C2 server using fetch requests.
  • Tactic: Execution (TA0002) – Procedure: Malicious JavaScript execution in the context of the browser through trojanized content scripts.
  • Tactic: Persistence (TA0003) – Procedure: Malicious extensions persisted through installation on the browser and manipulation of local storage.

Indicators of Compromise:

  • [Domain] cyberhavenext[.]pro
  • [Domain] api.cyberhavenext[.]pro
  • [IP Address] 149.28.124[.]84
  • [IP Address] 149.248.2[.]160
  • [Hash] DDF8C9C72B1B1061221A597168f9BB2C2BA09D38D7B3405E1DACE37AF1587944

Full Story: https://dmpdump.github.io/posts/TrojanizedChromeExtensions