Thirty malicious web browser extensions with more than a million combined installs across Google Chrome and Microsoft Edge have been used in the newly identified Dormant Colors malvertising campaign, BleepingComputer reports.
The extensions, which offer color customization options and contain no malicious code at the time they are installed, perform search hijacking and insert affiliate links into web pages, according to a report from Guardio Labs. An attack begins when a victim installs one of the innocuous-looking color-changing extensions; the extension then redirects the victim through pages that side-load the scripts that actually carry out the search hijacking and affiliate link insertion.
"To finish it up, it also assigns a new URL to the location object so you are redirected to the advertisement that finalizes this flow as if it was just another advertisement popup," the researchers said.
Beyond affiliate hijacking, the Dormant Colors operators could use the same side-loading approach for far more serious compromises. The researchers warn that the technique could just as easily deliver phishing pages built to steal Microsoft 365, Google Workspace, social media, and banking credentials.
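The two behaviours described above (affiliate parameters silently added to existing links, and a search query redirected off the search engine to another host) are things an analyst can check for directly. The following is an added example, not code from Guardio Labs, BleepingComputer, or the extensions themselves: it compares two snapshots of a page's links, taken before and after an untrusted script has run, and checks whether a search navigation landed somewhere other than the engine the user queried. The affiliate parameter names, the search-engine table, and every URL in the sample data are constructed for the demo.

```javascript
// Added example: audit helpers for the affiliate-link insertion and search
// hijacking behaviours reported for Dormant Colors. Not the researchers' code.

// Query-parameter names commonly used for affiliate attribution (assumed list).
const AFFILIATE_PARAMS = new Set(["tag", "ref", "affid", "aff_id", "subid", "utm_campaign"]);

// Known search engines and the name of their query parameter (assumed table).
const SEARCH_ENGINES = { "www.google.com": "q", "www.bing.com": "q", "duckduckgo.com": "q" };

// Parse an absolute or page-relative href; return null for unparsable input.
function parseUrl(href, base = "https://page.test/") {
  try { return new URL(href, base); } catch { return null; }
}

// Compare two snapshots of the same page's anchors (arrays of href strings in
// DOM order). A link is flagged when it gained an affiliate-style parameter or
// when its host changed (e.g. it now points at a redirect/tracker domain).
function diffLinks(before, after) {
  const findings = [];
  const n = Math.min(before.length, after.length);
  for (let i = 0; i < n; i++) {
    const a = parseUrl(before[i]);
    const b = parseUrl(after[i]);
    if (!a || !b) continue;
    const addedParams = [...b.searchParams.keys()].filter(
      (k) => !a.searchParams.has(k) && AFFILIATE_PARAMS.has(k.toLowerCase())
    );
    const hostChanged = a.host !== b.host;
    if (addedParams.length > 0 || hostChanged) {
      findings.push({ index: i, before: a.href, after: b.href, addedParams, hostChanged });
    }
  }
  return findings;
}

// Search hijack check: the user submitted a query to a known engine, but the
// document ended up on a different host that carries the same query text.
function isSearchHijack(intendedUrl, landedUrl) {
  const intended = parseUrl(intendedUrl);
  const landed = parseUrl(landedUrl);
  if (!intended || !landed) return false;
  const qParam = SEARCH_ENGINES[intended.host];
  if (!qParam) return false;
  const query = intended.searchParams.get(qParam);
  if (!query) return false;
  if (landed.host === intended.host) return false; // still on the real engine
  const wanted = query.toLowerCase();
  return [...landed.searchParams.values()].some((v) => v.toLowerCase() === wanted);
}

// Constructed sample data: the same three links before and after a hijack script ran.
const SAMPLE_BEFORE = [
  "https://retailer.test/dp/1234",
  "/about",
  "https://shop.example.test/item/42",
];
const SAMPLE_AFTER = [
  "https://retailer.test/dp/1234?tag=constructed-20",
  "/about",
  "https://go.tracker.test/r?affid=9&u=https%3A%2F%2Fshop.example.test%2Fitem%2F42",
];

// Runs both checks over the constructed data and returns the results.
function runDemo() {
  return {
    links: diffLinks(SAMPLE_BEFORE, SAMPLE_AFTER),
    hijacked: isSearchHijack(
      "https://www.google.com/search?q=cheap+flights",
      "https://search.results.test/?s=cheap+flights"
    ),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runDemo(), null, 2));
}
```

In practice the two snapshots come from loading the same page once with the suspect extension disabled and once with it enabled (or from a content script that records `document.links` at load and again after a delay), and the search check is applied to the URL the user typed versus the URL the tab finally settled on after the `location` reassignment the researchers describe.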