
Are These 18 Malicious Browser Extensions on Your Organization’s Devices?

A recently published finding revealed that 18 “verified” browser extensions available in the Google and Microsoft stores were part of a malware campaign, named RedDirection, that implemented advanced browser hijacking capabilities.

The post by Koi Security began by analyzing a single extension, identified the infrastructure behind the campaign, and ultimately uncovered the additional extensions that were also affected. Each browser extension worked as described, whether it was a color picker, weather app, or video speed controller. But over time, each of them was compromised to include code that monitored all browser activity, and each extension communicated with its own command and control servers.

“Combined, these eighteen extensions have infected over 2.3 million users across both browsers,” the post stated. While the scale of the campaign is alarming, there are clearly wider concerns about the security vetting process for extensions submitted to the Google and Microsoft stores. What does being verified mean in reality? Are the reviews helpful? How trustworthy is the model that evaluates these extensions? And what should be put in place to protect users in the future?

Ultimately, the supply chain of this software was successfully attacked and users were unwittingly compromised. The checks and safeguards failed, and security teams are now challenged to determine whether any of their employees have downloaded these extensions and on which devices this malware now resides.

The value of shared intelligence

This is a time-consuming and tedious problem for IT and security teams. For most enterprises, completing this seemingly easy-to-grasp task is not trivial. In reality, depending on your environment, it could take days, weeks, or months to complete successfully.

For most, this requires considerable effort to search for the indicators of compromise (IOCs) using different tools. But how far back do you look? Many of the extensions were available from the Google and Microsoft stores for years.

You have three primary options to identify whether your employees have installed malicious Chrome extensions:

  1. Browser management via Google or Microsoft: If your organization pays for these capabilities, you can review installed extensions.
  2. Endpoint management queries via EDR: Use your EDR (e.g., CrowdStrike, SentinelOne, Microsoft Defender ATP) to query each device for extensions. Once you have run the query across all endpoints to inventory extensions, cross-reference the installed extension IDs against known malicious IDs.
    • Chrome extensions are typically stored here:
      %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\
    • Edge extensions typically here:
      %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions\
  3. Manual Script or Remote Query via your RMM/MDM: Deploy a script (PowerShell, Python, or Go) that checks the extension directories and gathers installed extension IDs. Cross-reference the results against known malicious IDs provided by threat intelligence.
    • Example (simple PowerShell snippet to check Chrome extensions):
      Get-ChildItem "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions" | Select-Object Name
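As an added example (not code from this post or from Koi Security), here is a Python version of the option-3 script: it inventories the Chrome and Edge default-profile Extensions directories named above, reads each version's manifest.json, and cross-references the IDs against a known-bad set. The IDs in KNOWN_BAD_IDS are placeholders rather than the real RedDirection IDs, and the sample profile is constructed so the check can run offline.

```python
import json
import tempfile
from pathlib import Path

# Placeholder IDs; the real RedDirection extension IDs come from the Koi Security report.
KNOWN_BAD_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}

def extension_roots(local_appdata):
    """Default-profile extension directories for Chrome and Edge (relative to LOCALAPPDATA)."""
    base = Path(local_appdata)
    return {"chrome": base / "Google" / "Chrome" / "User Data" / "Default" / "Extensions",
            "edge": base / "Microsoft" / "Edge" / "User Data" / "Default" / "Extensions"}

def inventory_extensions(ext_root):
    """Map extension ID -> installed versions. Layout: Extensions/<id>/<version>_<n>/manifest.json."""
    found = {}
    root = Path(ext_root)
    if not root.is_dir():  # browser not installed or profile absent: nothing to report
        return found
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        versions = []
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            try:  # prefer the manifest's own version; fall back to the directory name
                versions.append(json.loads((ver_dir / "manifest.json").read_text(encoding="utf-8-sig"))["version"])
            except (OSError, ValueError, KeyError):
                versions.append(ver_dir.name.split("_")[0])
        found[ext_dir.name] = versions
    return found

def find_known_bad(local_appdata, bad_ids=KNOWN_BAD_IDS):
    hits = {}  # (browser, extension id) -> versions, only for IDs in the known-bad set
    for browser, root in extension_roots(local_appdata).items():
        for ext_id, versions in inventory_extensions(root).items():
            if ext_id in bad_ids:
                hits[(browser, ext_id)] = versions
    return hits

def build_sample_profile():
    """Construct a throwaway LOCALAPPDATA tree: one clean Chrome extension, one flagged one."""
    tmp = Path(tempfile.mkdtemp())
    chrome = extension_roots(tmp)["chrome"]
    for ext_id, version in [("cccccccccccccccccccccccccccccccc", "1.0.0"),
                            ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "3.2.1")]:
        ver_dir = chrome / ext_id / f"{version}_0"
        ver_dir.mkdir(parents=True)
        (ver_dir / "manifest.json").write_text(json.dumps({"name": "sample", "version": version}))
    return tmp

if __name__ == "__main__":
    for (browser, ext_id), versions in find_known_bad(build_sample_profile()).items():
        print(f"{browser}: {ext_id} installed versions {versions}")
```

On a real endpoint, pass the value of %LOCALAPPDATA% to find_known_bad instead of the constructed profile; non-default browser profiles live in sibling directories of "Default" and would need to be added to extension_roots.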

With each of these options you are querying every device, adding performance load on the machine, and collecting multiple answers before cross-checking each device. When you have thousands of endpoints, this process is laborious, and it can leave you unsure whether every device was queried because some may have been offline.

The problem of device identification

Device identification seems simple, yet even today many companies still have remnants of vulnerable Log4j in their systems because there is no easy way to identify which devices hold specific files enterprise-wide. You need to search for files enterprise-wide. Your logs are not the source of truth, and the other options are time-consuming, costly, and inefficient.

Malware investigation. In seconds
Stairwell continuously gathers new threat intelligence and investigates malware IOCs from published threat reports. When our threat researchers examined the post and put the IOCs (included below) into the Stairwell platform, they identified within seconds which customers had the affected extensions in their environment. Better yet, those customers were also given a complete list of the specific devices that were compromised: no logs to search, just people to contact to locate the specific devices. Because Stairwell had previously collected copies of all executable files, including Chrome extensions, from its customers' devices as they were installed, it could investigate this malware enterprise-wide in seconds.

Customers who were not affected, meaning that no devices in their environment contained the compromised extensions, were given the “green check mark” indicating they are all clear. Most Stairwell customers received this all clear, and their security teams have nothing more to do.

But many security teams today wish there were another way, other than relying on logs and on hope, to prove the absence of this malware from their systems.

Files are the Stairwell difference.

Stairwell brings a data search philosophy to security and uses search engine techniques to find threats. The Stairwell platform continuously collects, stores, and analyzes threat intelligence, malware and executable files, scripts, and artifacts in a private, out-of-band vault — making it possible to answer security questions faster.

The key point is that we don’t store malware as an academic exercise. We store it to compare against the files in your environment. The most important files are the ones in your organization. By gathering every executable file enterprise-wide, we help security teams investigate malware faster and prove its presence or absence in seconds.

To learn more about how Stairwell works, follow this self-guided tour.

Thank you to Koi Security for sharing these IOCs.

One Pager: The Stairwell platform
Learn how the Stairwell platform can help protect your organization against advanced attacks.