A recent malware campaign has been identified that transforms Google Chrome into a remote backdoor by exploiting the browser’s native messaging capabilities. This sophisticated attack begins with phishing emails, primarily in Italian, masquerading as legitimate business invoices. These emails contain attachments that appear to be standard PDF files but are, in reality, JavaScript files designed to initiate the infection process.
Upon execution, the JavaScript file drops two additional files into the user’s temporary folder: a signed executable and a malicious DLL. The executable, signed by a reputable company, lends the pair an air of legitimacy, while the DLL is loaded through a technique known as DLL side-loading: the trusted application loads the attacker’s DLL in place of a library it expects to find beside it, so the malicious code runs under the signed process and bypasses security measures that trust it.
The malware then initiates a hidden PowerShell process that installs a rogue Chrome extension and modifies the browser’s enterprise policy settings. By registering the extension under Chrome’s ExtensionInstallAllowlist and ExtensionInstallSources policy keys, the attackers make the extension appear to be an admin-approved deployment, thereby avoiding the prompts that would typically alert the user to a new installation.
Chrome’s security architecture prevents extensions from directly executing programs on a computer. However, the browser supports Native Messaging, a feature that allows extensions to communicate with companion applications already installed on the system. In this attack, the malicious extension leverages Native Messaging to interact with the previously installed executable, enabling the execution of arbitrary PowerShell commands on the victim’s machine.
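As an added defender-side example (not code from the campaign analysis above), the following Python audit reads a native messaging host manifest and a set of exported ExtensionInstallAllowlist values and flags the combination this campaign relies on: a host binary launched from a user-writable temp directory, reachable by an allowlisted extension ID the organisation never approved. The host names, file paths and extension IDs are constructed samples, and the approved-ID set is an assumption standing in for an organisation’s own policy inventory.

```python
import json
import re
from pathlib import PureWindowsPath

# Chrome extension IDs are 32 characters drawn from the letters a-p.
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")
# Assumption: a legitimate host binary lives under a vendor directory, never %TEMP%.
USER_WRITABLE_DIRS = {"temp", "tmp", "downloads"}

def audit_host_manifest(manifest_json, approved_ext_ids):
    """Findings for one native messaging host manifest (the JSON file that the
    NativeMessagingHosts registry key under HKCU or HKLM points at)."""
    m = json.loads(manifest_json)
    findings = []
    parts = {p.lower() for p in PureWindowsPath(m.get("path", "")).parts}
    if parts & USER_WRITABLE_DIRS:
        findings.append("host binary in user-writable directory: " + m["path"])
    for origin in m.get("allowed_origins", []):
        match = ORIGIN_RE.match(origin)
        if not match:
            findings.append("malformed allowed_origin: " + origin)
        elif match.group(1) not in approved_ext_ids:
            findings.append("host reachable by unapproved extension " + match.group(1))
    return findings

def audit_policy_allowlist(allowlist_values, approved_ext_ids):
    """Flag ExtensionInstallAllowlist entries (value name -> extension ID) not pushed by policy."""
    return sorted(v for v in allowlist_values.values() if v not in approved_ext_ids)

# Constructed sample data: one approved corporate extension and one rogue one.
APPROVED_ID = "abcdefghijklmnopabcdefghijklmnop"
ROGUE_ID = "p" * 32
ROGUE_MANIFEST = json.dumps({
    "name": "com.example.updater", "type": "stdio",
    "path": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
    "allowed_origins": ["chrome-extension://%s/" % ROGUE_ID],
})
BENIGN_MANIFEST = json.dumps({
    "name": "com.example.vendorhost", "type": "stdio",
    "path": r"C:\Program Files\ExampleVendor\host.exe",
    "allowed_origins": ["chrome-extension://%s/" % APPROVED_ID],
})
ALLOWLIST_VALUES = {"1": APPROVED_ID, "2": ROGUE_ID}  # as exported from the policy key

def run_sample():
    """Audit the constructed samples; only the rogue manifest and entry produce findings."""
    return {"rogue": audit_host_manifest(ROGUE_MANIFEST, {APPROVED_ID}),
            "benign": audit_host_manifest(BENIGN_MANIFEST, {APPROVED_ID}),
            "allowlist": audit_policy_allowlist(ALLOWLIST_VALUES, {APPROVED_ID})}
```

On a real host, feed it the manifests referenced from the NativeMessagingHosts keys and the values under the Chrome policy key; any finding that is not in your deployment records is worth an incident ticket.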
The implications of this attack are significant. By collecting browser cookies, open tabs, URLs, and fingerprinting data, attackers can hijack active sessions without needing the victim’s credentials. Additionally, the ability to execute PowerShell commands provides a means to perform a wide range of malicious activities, from data exfiltration to deploying further malware.
This campaign underscores the evolving tactics of cybercriminals who exploit legitimate features and trusted applications to achieve their objectives. It highlights the necessity for users and organizations to exercise caution with email attachments, even those that appear to be from trusted sources. Regularly updating security protocols and educating users about phishing tactics are crucial steps in mitigating such threats.