Day 92 of 100 in the 100 Days of Cyber Challenge
by Christopher Mohr
This is yet another belated issue of Malware Monday released on Terrible Tuesday. Lots of things occupying my time lately. Hopefully I’ll get this blog back on schedule soon.
I’m hearing more reports of browser extensions being used to distribute malware lately. While there are enough cases to write a book about, I came across three that stood out.
ShadyPanda: Playing the Long Game
The ShadyPanda group has been tied to a sophisticated multi-phase campaign with a long-term strategy: some parts ran legitimately for several years before turning malicious.
The group started with a campaign of wallpaper extensions involved in affiliate hijacking. After users installed a wallpaper extension and searched on sites that supported affiliate marketing, ShadyPanda injected affiliate tracking codes, allowing the group to collect a commission on the transaction. Stealing search data and reselling it was also a feature.
An extension called Clean Master demonstrated a higher degree of sophistication on ShadyPanda’s part. The tool was promoted as a browser cache cleaning extension and operated legitimately for years gaining high ratings and credibility from its users. In 2024, malicious updates were pushed to the browser extension.
According to Malwarebytes, ShadyPanda took advantage of an operational flaw in the Google Store: new software gets a higher level of scrutiny than updates do. If you play the long game as ShadyPanda did, you can escape detection by publishing legitimate software first and adding the bad stuff later. Clean Master became a backdoor for remote code execution, and the sky was the limit to the damage that could be done.
A subsequent campaign, WeTab, behaved much like Clean Master, collecting browsing and search behavior from users as well as installing a backdoor. However, it operated on a much larger scale, infecting over 4 million browsers.
The Three Stages of NexShield: Fraud, Anxiety, and Destruction
NexShield was offered as an ad-blocker with the false claim that it was developed by Raymond Hill, the creator of the uBlock ad blocker. According to Huntress, it was the work of KongTuke, a threat actor also known for fake CAPTCHA attacks.
Huntress found that NexShield was a near-verbatim copy of uBlock, but with some name changes and malicious additions.
NexShield ran code with an infinite loop that eventually ate up system resources and slowed machines down to a crawl. Naturally, the typical response from the user was to kill any browser processes and restart.
After this restart, a popup that appeared to come from Microsoft Edge warned that security issues had been found. Steps involving keyboard commands were given under the pretense that this would fix the problem.
However, instead of installing a patch, this sequence of keyboard commands launched malicious PowerShell scripts. If the machine was detected to be part of a business domain, ModeloRAT would be installed to facilitate communication with a command-and-control (C2) server. Home users were subjected to a different attack chain.
AiFrame: Taking Advantage of the Popularity of AI to Steal User Info
AiFrame is a name given to numerous browser extensions that often pass themselves off as AI productivity tools, but are really mechanisms that allow attackers access to sensitive user and browser information.
These extensions had no AI functionality, but passed themselves off as such. They were connected to the tapnetic[.]pro domain and communicated with numerous subdomains like claude.tapnetic[.]pro or grok.tapnetic[.]pro that correspond to real AI sites the extension pretended to interact with.
The attack consists of a full-page iframe that overlays the current webpage. This allows attackers to bypass app store scrutiny because little to nothing changes in the extension itself, but rather the remote server code the iframe loads. This gives attackers almost limitless control over the code’s behavior with practically no risk of an app store takedown.
LayerX researcher Natalie Zargarov stated that the overlay functioned as a man-in-the-middle attack, grabbing information about the pages that users opened, including API keys and sensitive pages that required a login to access.
So What Do We Do About It?
App stores need to tighten their security policies. As Botcrawl points out, any extension whose core functionality comes from an iframe should be treated as high-risk by default. I’m not sure how an app store could allow this functionality at all, since it operates outside of their controls and can change to run anything the extension author wants it to run.
Apps and extensions should have the same level of review whether they are brand new or updates. This offers some protection against the long-game tactics that ShadyPanda used.
LayerX recommended running extensions in managed environments, especially when installed outside of policy controls. This would make it possible to see how the extension behaves and avoid compromised data and machines resulting from installing an unknown extension.
These extensions should also be tested after the initial installation to look for malicious post-installation behavior. This protects against delayed attacks that don’t show up initially. Suspicious behavior including unexpected network traffic or takeovers of DOMs are things to look for since looking for static indicators only works as long as the attackers use them.
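As an added example (not code from this post or from LayerX or Botcrawl), here is a small static triage check in JavaScript that applies the Botcrawl rule above to an unpacked extension: it flags a content script that builds a full-page iframe pointed at a remote host, and a manifest with host access to every site. The file names, the sample manifest and the sample content script are constructed for the demo.

```javascript
// Added example, not code from the post or from LayerX/Botcrawl: a static
// triage check for an unpacked browser extension. It flags the traits the
// AiFrame write-up describes (core logic delivered through a remote iframe
// that overlays the whole page) plus host access broad enough to read every
// site. The manifest and content script below are constructed samples.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "AI Helper (constructed sample)",
  permissions: ["storage", "tabs"],
  host_permissions: ["<all_urls>"],
};
const SAMPLE_CONTENT_SCRIPT = `
const f = document.createElement('iframe');
f.src = 'https://overlay.example.invalid/app';   // placeholder host, not a real indicator
f.style.cssText = 'position:fixed;top:0;left:0;width:100vw;height:100vh;z-index:2147483647';
document.body.appendChild(f);
`;

// Host patterns that grant access to every origin the browser visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// manifest: parsed manifest.json; scripts: { filename: source text }.
// Returns a risk level and the individual findings behind it.
function triageExtension(manifest, scripts) {
  const findings = [];
  const hosts = [...(manifest.host_permissions || []), ...(manifest.permissions || [])];
  if (hosts.some((h) => BROAD_HOSTS.has(h))) findings.push("manifest: broad-host-access");
  for (const [file, src] of Object.entries(scripts)) {
    const makesIframe = /createElement\(\s*['"]iframe['"]\s*\)/.test(src) || /<iframe\b/i.test(src);
    const remoteSrc = /\.src\s*=\s*['"]https?:\/\//.test(src);
    const fullPage = /position\s*:\s*fixed/.test(src) && /(100vw|100vh|100%)/.test(src);
    if (makesIframe && remoteSrc) findings.push(`${file}: remote-iframe`);
    if (makesIframe && fullPage) findings.push(`${file}: full-page-overlay`);
  }
  // Remote iframe + full-page overlay is the "core functionality lives on the
  // server" pattern; treat it as high-risk by default, as Botcrawl suggests.
  const remote = findings.some((f) => f.endsWith("remote-iframe"));
  const overlay = findings.some((f) => f.endsWith("full-page-overlay"));
  const risk = remote && overlay ? "high" : findings.length ? "medium" : "low";
  return { risk, findings };
}

console.log(triageExtension(SAMPLE_MANIFEST, { "content.js": SAMPLE_CONTENT_SCRIPT }));
// → { risk: 'high', findings: [ 'manifest: broad-host-access', 'content.js: remote-iframe', 'content.js: full-page-overlay' ] }
```

This is a triage heuristic for prioritising review, not a verdict: a static check cannot see what the remote server serves, so a "high" result is the cue to run the extension in a managed environment and watch its network traffic and DOM changes, as the text recommends.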
At the user level, you simply cannot let your guard down. All these malicious extensions were available in app stores for a period of time. The fact that an extension or app is offered in an app store and has numerous favorable reviews is not enough to ensure that you can trust that software.
As Sean Doyle of Botcrawl points out in the case of AiFrame, it’s easy to attract potential victims by pushing something with ‘AI’ in the name. If you are installing something because everyone else is, that may not be the safest thing to do. He also recommended looking for permission settings that are too broad, like the iframe overlay and server-hosted core functionality that AiFrame had.
Database developers use the term ‘accidental DBA’ to describe how their work often has them performing DBA tasks even though they were hired to write SQL. In a similar manner, users need to become accidental QA professionals, testing new software for malicious activity before installing it.